Saturday 21 July 2018

Cyber attack on Singapore health database from 27 June to 4 July 2018: Personal info of 1.5 million SingHealth patients stolen; Committee of Inquiry convened

Hackers specifically and repeatedly targeted data on Prime Minister Lee Hsien Loong in Singapore's worst cyber attack
By Jeremy Au Yong, Deputy News Editor and Irene Tham, Senior Tech Correspondent, The Straits Times, 21 Jul 2018

In the worst cyber attack in Singapore's history, hackers broke into the computers of SingHealth, the Republic's largest public healthcare group, and scooped up personal information on 1.5 million patients last month.

Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescription information stolen as well.

At a press conference yesterday, the authorities said that the attackers "specifically and repeatedly" targeted data on PM Lee.

Mr David Koh, chief executive of the Cyber Security Agency of Singapore, said: "The attack was a deliberate, targeted and well-planned cyber attack." He ruled out casual hackers and criminal gangs, but refused to be drawn on who might be behind the attacks.

Cyber-security experts contacted by The Straits Times said that given the nature of the attacks, these were likely to be state-organised or sponsored, with just a few key countries such as China, Russia and the United States having the capacity to mount such a sophisticated attack.

A Committee of Inquiry (COI) will be convened to establish the events that led to the breach and recommend measures to better secure public sector IT systems.

Database administrators of the Integrated Health Information Systems (IHiS) first detected unusual activity on July 4, and acted immediately to halt the activity. However, subsequent investigations established that hackers had breached the system a week earlier, on June 27.

In that time, the attackers took records of patients who visited nine SingHealth institutions from May 1, 2015, to July 4 this year. The institutions include Singapore General Hospital, Changi General Hospital and SingHealth's network of polyclinics.

What specific information the hackers were after was unclear, although experts said the damage could well have been worse.

For the bulk of the 1.5 million patients, the data taken includes personal details like names, identity card numbers and addresses, and demographic information like a patient's gender, race and date of birth. Credit card numbers and mobile phone numbers were unaffected.

And while the hackers copied information on medicine dispensed to 160,000 outpatients, they did not tamper with these records nor gain access to more detailed medical records like diagnosis, test results or doctors' notes.

"I don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me," PM Lee said in a Facebook post. "If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it."

Still, the aftermath of the breach will be far-reaching. For a start, all new Smart Nation projects will be paused as the Smart Nation and Digital Government Group (SNDGG) reviews the cyber-security measures of government systems and implements any necessary safeguards.

The introduction of a new law slated later this year - to make all healthcare institutions contribute data to the National Electronic Health Record - will be postponed.

Computers at all health clusters will also be cut off temporarily from the Internet, in much the same way Net access was cut off from computers of public servants last year. SingHealth cut access yesterday, and the other two clusters are expected to follow suit in the coming days.

At the press conference, Health Minister Gan Kim Yong apologised to the patients for the breach. "I am deeply sorry this has happened. The public healthcare family sees our role as not just providing good patient care, but also safeguarding the confidentiality of our patients' data," he said.

All affected patients will be notified over the next five days either through SMS or mail, if their phone numbers are not on record. Patients can also go to SingHealth's website or app to check if their data has been affected.

Despite the attack, the Government stressed that the incident did not mean it was abandoning its technological push. Communications and Information Minister S. Iswaran, who noted there have been numerous similar breaches in countries like the US and Britain, said: "This is an ongoing battle. But we must not allow this incident, or any others like it, to derail our plans for a smart nation. We must adapt ourselves to operate effectively and securely in the digital age."


SingHealth cyber attack: Affected patients to be notified via SMS or letter
By Adrian Lim, Transport Correspondent, The Straits Times, 21 Jul 2018

All patients who visited SingHealth's specialist outpatient clinics and polyclinics between May 1, 2015, and July 4 this year will be informed as to whether their data was stolen.

These notifications will be made through SMS or letters, SingHealth said yesterday following an announcement that its database had been the target of a major cyber attack.

The first SMSes were sent from 6pm yesterday, said SingHealth chief executive Ivy Ng. All affected patients should receive the messages within the next five days.

For the approximately 1.3 million patients whose personal particulars - including name, NRIC number, address, gender, race and date of birth - were illegally accessed and copied by hackers, an e-mail address will be provided to which they can write to raise any concerns.

As for the 160,000 outpatients who also had the records of their dispensed medicine stolen, a hotline number manned from 9am to 9pm will be provided for any assistance. The e-mail channel and hotline will be maintained for as long as necessary, said Professor Ng.

Patients whose phone numbers are not in the records will be informed via post within a week. The public can also check if they are affected on the Health Buddy app or at

Cyber Security Agency of Singapore chief executive David Koh said the authorities will monitor if the stolen records have been misused. "We are watching to see if anything appears on the Internet, both in the open and (on) less well-known websites," he said yesterday.

Method of attack showed high level of sophistication
Hackers did not just look for data to steal, but also planned ahead by probing for more entry points
By Irene Tham, Senior Tech Correspondent and Lester Hio, The Straits Times, 21 Jul 2018

Like thieves breaking into a house through a window, cyber attackers entered SingHealth's IT system through an Internet-facing workstation.

Their top goal: Prime Minister Lee Hsien Loong's medical details.

As they ransacked the system for data on PM Lee, the thieves also stole the personal data of some 1.5 million patients.

What aided the hackers' plans was that they did not just look for things to steal once they entered the system - they also planned ahead. In the week prior to being discovered on July 4, they had stolen log-in credentials, covered their tracks and probed for more entry points.

These entry points became windows through which other attackers could enter. This meant that when the initial attack was detected and halted, the threat did not stop.

Using the analogy of thieves breaking into a house, Cyber Security Agency of Singapore (CSA) chief executive David Koh said yesterday: "The first time they got in through the window of the storeroom, they managed to get their way upstairs and they managed to steal things.

"So, we threw them out and locked the window in the storeroom. Then the next moment, we found them in the kitchen. If you put this into perspective, this is the level of sophistication we are dealing with."

Mr Joseph Gan, president and co-founder of security solutions firm V-Key, said that this was the work of a dedicated cyber attacker.

"An Internet-facing computer is first breached, and then used as a launchpad to gain deeper access into the network," said Mr Gan.

Giving details about the breach at a press conference yesterday, the CSA said unusual activity was first detected on July 4. By then, the hackers had stolen log-in credentials, covered their tracks and probed for more entry points.

Upon detection, security measures such as the blocking of dubious connections and the changing of passwords were taken to thwart the hackers.

Even though the hackers continued to make repeated attacks on different fronts to gain access to the database, increased monitoring and stepped-up precautionary action resulted in no further data leak from July 4.

For instance, SingHealth reset its network servers and forced all employees to reset their passwords.

All patient records in SingHealth's IT system remain intact, and there has been no disruption of healthcare services.

No record was tampered with and no other patient records such as diagnosis, test results and doctors' notes were breached.

On July 10, the Health Ministry, SingHealth and CSA were informed after forensic investigations confirmed that it was a cyber attack.

A police report was made on July 12, and investigations are ongoing.

Experts largely agree the attack was likely state-sponsored.

"Health records contain information that is valuable to governments, and they are often targeted by nation-state threat actors," said Mr Eric Hoh, cyber-security specialist FireEye's Asia-Pacific president.

"Nation-states increasingly collect intelligence through cyber espionage operations which exploit the very technology we rely upon in our daily lives," he added.

Mr Leonard Kleinman, cyber-security firm RSA's Asia-Pacific chief cyber security adviser, said that medical data contains a trove of information from personally identifiable data to financial details.

"They can be used to create a highly sought-after composite of an individual," he added.

In the wake of the breach, SingHealth yesterday started to impose a temporary Internet surfing separation on all of its 28,000 staff's work computers.

Other public healthcare institutions are expected to do the same at the weekend.

Hackers were likely trying to get sensitive info on Prime Minister Lee Hsien Loong: Experts
They point to possibility that state actors were behind attack, given level of sophistication and resources needed
By Tham Yuen-C, Senior Political Correspondent and Royston Sim, Deputy Political Editor, The Straits Times, 21 Jul 2018

Hackers who accessed the personal particulars and medication data of Prime Minister Lee Hsien Loong were likely trying to obtain what they hoped would be sensitive information to use against him, political and cyber-security experts said.

They added that state actors could well have been behind the attack, in which repeated attempts were specifically made to locate PM Lee's records.

The Prime Minister's information, along with that of 1.5 million other SingHealth patients, was copied and exported illegally in the worst-ever data breach in Singapore. This included their name, NRIC number, address, gender, race and date of birth.

For 160,000 of these individuals, including PM Lee, information about the medication they had been prescribed was also stolen.

Dr Shashi Jayakumar, head of the S. Rajaratnam School of International Studies' (RSIS) Centre of Excellence for National Security, said there was a strong possibility that the cyber attack was state-sponsored, given that the Government said it was "targeted", "carefully planned" and "not the work of casual hackers or criminal gangs".

"Some states are certainly very capable in this regard," he said, adding that it could also be a "state actor working in concert with a criminal enterprise, both with their own aims in mind".

MP Cedric Foo, chair of the Government Parliamentary Committee for Communications and Information, including Smart Nation, said cyber attacks against Singapore were not uncommon.

Describing it as a new form of spying, he said the objective of such attacks was to get diplomatic advantage over another country.

On who the attackers could be, Mr Benjamin Ang of RSIS said it might be "any state who wishes ill of Singapore, or wants an advantage over Singapore, or just wants to collect sensitive information that could be useful one day".

A spokesman for Bitglass, which offers cloud computing services to protect sensitive corporate data, singled out China, Russia and the United States as being "more notorious for their creation of malware than others", though he did not say if he thought they were responsible for the SingHealth attack.

Mr Joseph Gan, president and co-founder of digital security firm V-Key, said the sophistication of the attacks points to a level of capability likely to have been attained through state funding, and noted: "The tools and techniques needed to stay so stealthily hidden would require a huge amount of resources."

When asked at a press conference yesterday, Cyber Security Agency chief executive David Koh said there was no evidence the stolen information "has been used in any other transactions". Nor has it been put on sale or made available on the Internet, he added.

Mr Ang, who leads the Cyber and Homeland Defence Programme at the Centre of Excellence for National Security, said personal information of high-ranking government officials would be interesting to other states and criminals who could sell it to other countries.

Some information could be sensitive or potentially embarrassing or harmful to confidence, he added. For instance, if attackers discover a previously unknown medical condition, they could use the information to blackmail the Prime Minister or reveal the information to dent Singaporeans' confidence in him, he said.

Blackmail and reputational damage aside, another use for the data could be to build a complete digital identity of PM Lee, said Mr Foo Siang-tse, managing director of Singapore-based cyber security services provider Quann. He added: "From an attacker's perspective, having a complete digital identity allows the attacker to impersonate individuals for access to other systems."

Mr Gan said: "Singapore is a well-connected digital hub, and we punch above our weight internationally. So, we should expect that a number of nation states would be interested to gather information on us."

Nothing alarming in my data, says PM Lee Hsien Loong
By Royston Sim, Deputy Political Editor, The Straits Times, 21 Jul 2018

Prime Minister Lee Hsien Loong yesterday assured Singaporeans there is nothing alarming in his outpatient medication data that was stolen by hackers.

He was among 160,000 patients who had information of their outpatient prescriptions pilfered from SingHealth's database, in the most serious data breach in Singapore's history. In all, the personal particulars of 1.5 million patients were compromised.

In a Facebook post, PM Lee noted that those behind the cyber attacks "specifically and repeatedly" targeted his medication data.

"I don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me," he wrote. "If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it."

PM Lee said SingHealth had asked him whether to computerise his personal records when digitising its medical records, or to keep them in hard copy for security reasons.

The Prime Minister said he asked to be included, as going digital would enable his doctors to treat him more effectively and in a timely manner.

"I was confident that SingHealth would do their best to protect my patient information, just as it did for all their other patients in the database," he said.

But PM Lee added that he also knew the database would be attacked, and that there was a risk it might be compromised one day. Unfortunately, that has now happened, he said.

He stressed that the security and confidentiality of patient information is a top priority, and said he has ordered the Cyber Security Agency of Singapore and the Smart Nation and Digital Government Group to work with the Ministry of Health to tighten cyber defences and processes across the board.

A high-level Committee of Inquiry will be convened to get to the bottom of the matter. It will be chaired by retired judge and Public Transport Council chairman Richard Magnus.

"This will be a ceaseless effort," PM Lee said. "Those trying to break into our data systems are extremely skilled and determined. They have huge resources, and never give up trying."

He noted that government systems come under attack thousands of times a day, and the goal must be to prevent every attack from succeeding.

"If we discover a breach, we must promptly put it right, improve our systems and inform the people affected," PM Lee said.

"This is what we are doing in this case. We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation."

Committee of Inquiry to be convened, headed by retired judge Richard Magnus
High-level independent panel to probe attack
By Hariz Baharudin, The Straits Times, 21 Jul 2018

A high-level independent Committee of Inquiry (COI) will be set up to get to the bottom of the major cyber attack on SingHealth's database.

The incident, which compromised the personal particulars of about 1.5 million patients, including Prime Minister Lee Hsien Loong, has serious public health and safety implications, said the Ministry of Communications and Information (MCI) yesterday.

The COI will be convened by Minister-in-charge of Cyber Security and Minister for Communications and Information S. Iswaran.

It will be chaired by Mr Richard Magnus, and other COI members will be announced at a later date.

Mr Magnus is a former chief district judge and current member of the Public Service Commission.

He previously chaired the three-man COI that looked into the Nicoll Highway collapse at a Circle Line MRT work site on April 20, 2004. Four workers were killed in the incident.

Other incidents that have been investigated by such high-level committees include the Little India riots in December 2013 and the series of train disruptions on the North-South MRT Line in December 2011.

Mr Iswaran said yesterday that the latest COI's work would focus on what has occurred within the SingHealth system.

He added: "But certainly, in terms of its recommendations, we would want to see if there are lessons that can be adopted (not only) for the broader public sector, but also for the private sector and, in particular, the critical information infrastructure."

Among other things, the COI will establish what caused the breach and the response to the attack.

It will also recommend measures to better manage and protect the IT systems of SingHealth and other public sector agencies against similar attacks.

Smart Nation projects paused pending review of cyber security
Additional safeguards will be put in place if needed but projects will still be implemented progressively: Iswaran
By Irene Tham, Senior Tech Correspondent, The Straits Times, 21 Jul 2018

Singapore has hit the "pause" button on all its Smart Nation projects that have yet to be rolled out following the largest data breach in the country's history.

The 2023 deadline by which citizens would be able to complete between 90 per cent and 95 per cent of transactions with the Government digitally may also be pushed back, pending the outcome of a thorough cyber-security review across agencies.

Hackers stole the personal particulars of 1.5 million SingHealth patients, of whom 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, also had their outpatient medication information stolen.

Calling the data breach the "most serious" in Singapore, Minister for Communications and Information S. Iswaran said the Smart Nation and Digital Government Group (SNDGG) will "pause" the introduction of new infocomm technology systems.

This is to allow the SNDGG to review the cyber-security measures of government systems, and implement any additional safeguards if necessary.

However, while some deadlines may not be met depending on the outcome of the review, the business of the Government cannot come to a standstill, he said.

"What we want to do is to pause to take stock," he said, emphasising that Smart Nation projects will still be implemented progressively. "There are no specific projects that are materially at risk of cessation."

One of the key projects is a national digital identity (NDI) system. The NDI includes the soon-to-be-launched SingPass Mobile app, which would enable access to government services without the need for physical tokens or SMS passwords.

Mr Iswaran, who is also Minister-in-charge of Cyber Security, will convene a Committee of Inquiry to get to the bottom of what went wrong.

"We must not let this derail our Smart Nation services... it is the way of the future," he said.

PM Lee also said on his Facebook page that Singapore cannot go back to paper records and files. "We have to go forward, to build a secure and smart nation."

The ongoing National Electronic Health Record (NEHR) project - which enables the sharing of patients' treatment and medical data among hospitals here - is also being reviewed.

Specifically, mandatory contributions to the NEHR have been put on hold until further notice pending a cyber-security review of the system, Health Minister Gan Kim Yong said yesterday.

The system became available to all healthcare institutions in 2013.

Today, more than 760,000 patient searches are made each month by the 21,000 doctors, nurses and pharmacists who have linked up with and have access to the NEHR system. They will continue to have access to the NEHR.

Shock, anger and worry about stolen data being misused
By Lester Hio, The Straits Times, 21 Jul 2018

Victims of Singapore's largest data breach have expressed shock and anger, saying they are concerned that their personal information could be misused since it has fallen into the wrong hands.

The personal data of 1.5 million patients of SingHealth was hacked last month with details such as names, IC numbers, addresses, gender, race and dates of birth compromised.

"It is very upsetting and the last thing anyone would want is for their personal information to be leaked out," said Nanyang Polytechnic adjunct lecturer Navin Nambiar, 37, whose 66-year-old mother had her personal and prescription information stolen. "You would think that our government databases would be secure... from such events."

The loss of IC numbers in particular worried a number of the affected users.

"These days, you can do much with your IC number. This creates a safety issue for the people affected," said pre-school teacher Koshala Devi, 26. "It is scary to know that my details are now potentially in the hands of strangers."

Cyber-security experts have warned that victims of the breach remain at risk even in the future, as the personal data which was compromised could be used in other targeted attacks later on.

"One of the biggest threats from a breach such as this is the possibility of targeted phishing attacks at a later date," said Mr Chris Boyd, lead intelligence analyst of security software firm Malwarebytes, referring to scams where users are tricked into revealing confidential data.

Cyber-security experts urged victims to keep an eye on financial transactions and bank statements, and to be wary of requests for other personal information that might come their way.

Personal healthcare information can be worth a lot more than financial data on the Dark Web or black market, said Ms Joanne Wong, senior regional director for Asia-Pacific and Japan at security intelligence company LogRhythm.

"It is not surprising that SingHealth would be targeted as they are the largest healthcare network in the country," she said.

"Information obtained can also be used to create fake identities to buy medical equipment or drugs. Espionage is also another possible motive, as hackers could use the data to interfere in international politics or affairs."

Among the victims were 160,000 outpatients whose prescription and medication information was breached in the attack.

"This information can be sold in the black market, but there are also other possibilities," said Mr Ondrej Kubovic, a security awareness specialist from cyber-security company ESET. "For example, high-profile records might be cherry-picked and sold or misused to extort or defame public figures."

Prime Minister Lee Hsien Loong's personal particulars were especially targeted in what Cyber Security Agency chief executive David Koh described as a deliberate, targeted and well-planned cyber attack.

Additional reporting by Deepanraj Ganesan

Internet access to be delinked by next week
By Poon Chian Hui, Mind & Body Editor, The Straits Times, 21 Jul 2018

Staff at all public healthcare clusters will have their Internet access temporarily delinked by next week, as part of efforts to tighten security following the nation's most serious cyber attack.

SingHealth, which runs four hospitals, five national speciality centres and eight polyclinics, was the first to pull the plug, imposing Internet surfing separation at midnight on Thursday.

The largest healthcare cluster in Singapore was the target of hackers, who obtained the personal particulars of more than 1.5 million of its patients, including Prime Minister Lee Hsien Loong.

The other two public healthcare groups, National Healthcare Group and National University Health System, will follow suit by early next week. This means staff will not be able to access the Internet from their work computers.

Health Minister Gan Kim Yong said at a multi-ministry press conference yesterday that delinking internal networks from the Internet is "not a trivial matter", as it has implications for both patients and healthcare professionals.

For example, it may lead to slower online payments, he said. Nevertheless, this step had to be taken in the interest of patient safety. Said Mr Gan: "The uppermost consideration is to ensure that the clinical care for our patients is not compromised."

However, the cyber attack was unrelated to the NEHR system, said the Integrated Health Information Systems (IHiS), which runs the IT systems of public health institutions.

All public health institutions are linked to the National Electronic Health Record (NEHR) system, which compiles patient records from different providers for seamless care. "However, security monitoring and vigilance of other public healthcare systems such as the NEHR have been stepped up," said a spokesman for the Ministry of Health (MOH).

The ministry had earlier announced plans to make NEHR mandatory for all health providers under new legislation slated to be tabled in Parliament this year. But MOH and IHiS will now "take a pause" as an added precaution, said the spokesman. "We will do a thorough review of the robustness of its cyber safeguards, before proceeding to broader implementation of mandatory NEHR contribution."

Except for this, the NEHR will continue running normally. More than 1,200 institutions, from hospitals to general practices and nursing homes, currently have access to the system which contains more than seven million unique patient records.

Health providers either upgrade their own information systems or buy software to synchronise them with the NEHR.

Mr Phua Tien Beng, chief executive officer of Parkway Pantai's Singapore operations division, said the private healthcare group has taken its own precautions in the light of the incident. "We have suspended Internet access from our internal network and will be putting in place separate devices that will be physically segregated from our company networks for those who need Internet access for work," said Mr Phua.

Mr Tseng Ching-Tse, founder of medical information technology company Vault Dragon, said a review would be timely. "This incident has raised concerns among healthcare providers and digital health solution providers over the security of patient data that will be shared under the NEHR programme," he said.

Additional reporting by Linette Lai

SingHealth cyber breach: Dealing with the hidden hand behind the attack
By Elgin Toh, Deputy Political Editor, The Straits Times, 21 Jul 2018

The largest cyber attack to be inflicted on Singapore - one that has affected 1.5 million public healthcare patients here, including Prime Minister Lee Hsien Loong - warrants a proportional response.

Internally, this response should start with a proper analysis of how the attack happened and what has to be done to prevent a similar occurrence in the future.

Convening a Committee of Inquiry is a promising start. The move ensures that no knee-jerk reaction with permanent implications is taken in the heat of the moment. The committee must now be given the time and space to do its work. To be credible, it should be prepared to ask any question necessary to help it get to the bottom of what happened.

But as with any security breach - cyber or otherwise - there is a danger of an over-reaction. Security measures mean additional costs, whether in terms of the money needed to implement them or a reduction in organisational efficiency. Furthermore, each new measure faces diminishing returns as to how much additional safety it can bring.

Ultimately, no amount of safeguards can make a system foolproof. As one government official said yesterday: "The only safe computer is the one that is still in the box." New measures therefore do need to be evaluated in a hard-headed and rational way.

Beyond this, the authorities have to work to uphold public confidence in Singapore's Smart Nation project. This is vital given how little intuition people have about how computer systems work.

When you harden the defence of, say, a house or a building, non-experts can simply look at the new locks on gates, the iron grilles on windows and so on, to get a tangible sense of the extent to which security has been enhanced. With computers, the lack of understanding means faith is harder to nurture. Singaporeans need time to process what just happened and to gradually grow the trust they have in the system's ability to safeguard their personal information.

This cannot be rushed. A prolonged period with no major incident would be helpful.

In the meantime, the decision to put a pause on some Smart Nation initiatives is sensible. In the end, to make the nation truly "smart" requires more than simply improving its infrastructure. People have to be willing to engage with technology and accept vulnerabilities that come with being more interconnected.

The external response to the data breach is much more dicey and difficult to calibrate.

The intrusion was not initiated from a computer in Singapore. It was also not carried out by "casual hackers and criminal gangs", as the authorities took pains to repeat yesterday. Who did it, then?

That is the first complication of any response. If one cannot be reasonably sure of the identity of the perpetrator, then there is no one to respond to.

Security experts told The Straits Times that given the sophistication of this attack, there is a high likelihood that it was a state-sponsored one. There are very few states capable of carrying out such an operation - among them, China, the United States and Russia.

In fact, the experts have a fairly good idea which country was behind these cyber incursions.

If it is true that a state tried to obtain the medical records of the Prime Minister, it should be viewed as a highly sinister act. There are only so many ways a state could use such information. At best, it could be trying to assess if health may be a factor in the length of that leader's tenure. In the worst-case scenario, if there was something in those records not known to the public, the perpetrating state could embarrass him by releasing the information at a tactical moment - or, worse, it could try to blackmail the leader.

That would be a very disgraceful act, indeed - and one that Singaporeans would have every right to find unacceptable and to feel indignant over.

The attack should also help educate Singaporeans about the need for a realist understanding of the quite baleful intentions certain countries do harbour against Singapore. Staying alert, vigilant and even suspicious of these countries is itself an important weapon against possible manipulation, as retired diplomat Bilahari Kausikan recently advised. His caution deserves to be amplified and repeated, given this latest development.

Emotions aside, a smart response by the Singapore Government would be a proportional one. This could be effected via diplomatic channels, and does not have to happen in public view. Proportionality dictates that the response should correspond to the level of harm caused in this particular case.

But a response is in order. If this state finds it cost-free to carry out an aggressive cyber attack, then it is likely to keep on trying. As no system is foolproof, it is a matter of time before another attempt succeeds. If, however, there is a response from Singapore, various agencies and leaders within the bureaucracy of that country - foreign affairs and intelligence, among others - will be prompted to start conversations with one another and to do their sums to assess if continuing such operations is really worth their while. Through the response, they must be made to understand that the benefits of an attack do not exceed the costs that include, among other things, frayed relations.

Singaporeans must stay strong. An incident like this can be turned into a positive if it unites the country and generates the energy needed to help Singapore overcome its internal and external adversities.

SingHealth cyberattack: Did authorities respond fast enough to Singapore’s worst personal data breach?
By Kevin Kwang, Channel NewsAsia, 23 Jul 2018

As the dust settles on the “most serious breach of personal data” in Singapore’s history - which compromised the records of 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong - questions have surfaced on whether the authorities responded in a timely enough manner once the threat of a cyberattack was detected.

Database administrators from the Integrated Health Information System (IHIS) detected unusual activity on SingHealth’s IT systems on Jul 4 and put a stop to the data breach activities. It was later that they found out data had been illegally copied and stolen beginning from Jun 27 – eight days before the cyberattack was detected.

From Jul 4 to Jul 9, the administrators continued to monitor the network traffic closely before ascertaining it was a cyberattack and alerting their superiors. On Jul 10, MOH, SingHealth and the Cyber Security Agency of Singapore (CSA) were informed and forensic investigations were carried out.

Mr Jonathan Phua, the co-founder of startup InsiderSecurity, which specialises in early breach detection, told Channel NewsAsia that if an attacker was able to hide in an IT system long enough to steal 1.5 million patients’ records, then the time taken to detect and respond to the threat was “too long”.

But Mr Phua said it is not easy to detect a sophisticated attacker hiding inside the system, especially if it is state-sponsored – something that other industry experts have stated was a likelihood.

The former DSO National Laboratories researcher pointed to the 2017 Equifax breach, when the personal data of around 150 million US consumers was lost, which was discovered only three months later. Another incident involving the US Office of Personnel Management saw around 20 million employee records stolen in 2015, and that was discovered a year later, he added.


Darktrace Asia Pacific managing director Sanjay Aurora said last Friday, when news of the hack came to light, that for SingHealth to have detected, investigated and reported the incident within a month was a “comparative success”.

“How many other countries around the world are capable of even detecting this attack within a month, let alone be able to conduct a full investigation in this short time period?” Mr Aurora said.

Mr Jeff Hurmuses, managing director of Asia Pacific at US-based cybersecurity firm Malwarebytes, also concluded that the IHIS database administrators acted "promptly" to stem the data leak.

"They actually responded to the breach and disclosed it to potentially affected users very quickly," he said.

FireEye’s Asia Pacific president Eric Hoh lauded the Singapore Government’s decision to notify the public of the SingHealth hack.

“CSA and the Singapore Government have done a good job detecting (the cyberattack) in a timely manner and publicly disclosing the incident – which is a very noble thing to do,” Mr Hoh told Channel NewsAsia, adding that the tendency is there for victims to “sweep the matter under the rug”.

Mr Bill Chang, Singtel's CEO for Group Enterprise, which includes cybersecurity company Trustwave, also said the fact that Government agencies managed to detect, confirm, isolate and mitigate the threat "within just a few days is a robust response".

He added that for advanced persistent threat (APT) attacks, the median for companies to detect sophisticated breaches is more than 100 days and they can take up to 60 days to respond and mitigate the breach.

Mr Rajesh Sreenivasan, head of Technology, Media and Telecommunications at Rajah & Tann, said in a phone interview that it is “near impossible” to judge if the Singapore authorities had responded to the detection of the breach in a timely manner without knowing the specifics.

“The reality is that (the) breach notification could be done in stages,” Mr Sreenivasan said.

He added: “Sometimes, the cyberattacks could be part of a larger series of attacks, and notifying the public too early could compromise investigations.”

The lawyer also responded to questions over whether IHIS failed to comply with the Cybersecurity Act, which requires owners of critical information infrastructure in 11 key sectors – of which healthcare is one – to notify Singapore’s cybersecurity commissioner of “a prescribed cybersecurity incident”, among others. It does not state a timeframe for reporting incidents.

Mr Sreenivasan pointed out that IHIS did not fall foul of the law because the legislation is not yet in force.

Mr Bryan Tan, partner at Pinsent Masons, agreed, adding that the timeframe for notification has not been set.

He did point out that, on a general level, it is a “fair question” why the regulators and affected people were not informed of the data breach earlier. He also questioned why the Personal Data Protection Commission (PDPC), which has been investigating data breaches here, does not appear to be involved in this particular case.


Another issue that was raised after the SingHealth hack was how consumers have no clear recourse when a data breach or violation involves a government entity, since the public sector is not included under the country’s Personal Data Protection Act (PDPA). Mr Sreenivasan said it is also unclear which entity is regulated under the law and which is not.

The cyberattack on SingHealth was just one of several that had targeted public sector agencies. In April this year, four Singapore universities were victims of online attacks, with at least 52 online accounts breached to obtain research articles without authorisation.

In April 2017, National University of Singapore and Nanyang Technological University were hit by IT network breaches, while that same year, the Ministry of Defence revealed its I-net system was attacked and the personal data of 850 national servicemen and employees was stolen.

Mr Tan said: “The impression given is that the biggest data breaches seem to involve government agencies (schools, MINDEF) and with the lack of details provided, one can only wonder whether the internal data protection standards adopted are sufficient given the higher risk profile.”

DPM Teo Chee Hean: Delinking PCs from Net would have disrupted cyber attack
Privacy watchdog looking into possible security lapses; COI members named
By Irene Tham, Senior Tech Correspondent, The Straits Times, 25 Jul 2018

Cutting off Internet access on public healthcare computers could have disrupted the cyber attack that led to the most serious data breach in Singapore's history, Deputy Prime Minister Teo Chee Hean said yesterday.

"We could and should have implemented Internet surfing separation on public healthcare systems just as we have done on our public sector systems," said DPM Teo, who was the minister-in-charge of the civil service when the computers were delinked from the Internet.

"This would have disrupted the cyber kill-chain for the hacker and reduced the surface area exposed to the attack. This has now been done," he said at the Public Service Engineering Conference 2018.

He disclosed that the attackers had gained entry into the SingHealth system through one of the front-end computers connected to the Internet used by "thousands of users in the medical and academic community".

The incident had exposed weaknesses in the end-user workstations of the public health sector, he added.

The attack, which led to the data leak involving 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, took place between June 27 and July 4. It was made public last Friday.

Yesterday, more details of widening investigations into the breach came to light.

The privacy watchdog, the Personal Data Protection Commission (PDPC), is looking into whether there were security lapses in healthcare group SingHealth and the Integrated Health Information Systems (IHiS), the technology outsourcing arm of public hospitals.

The PDPC will assess if SingHealth and IHiS had properly secured patients' personal data and whether they are liable for a fine of up to $1 million under the Personal Data Protection Act.

The commission will take into account the report of the Committee of Inquiry (COI), which will be headed by former chief district judge and current Public Service Commission member Richard Magnus.

In convening the COI, whose members were named yesterday, Minister-in-charge of Cyber Security and Minister for Communications and Information S. Iswaran said: "It is an important step in getting to the bottom of the incident and keeping Singaporeans' trust in our systems."

The committee will recommend ways to better protect IT systems in the public sector and submit its report to Mr Iswaran by year-end.

"It is crucial that we do not allow this incident, or any others like it, to derail our plans for a Smart Nation," said Mr Iswaran.

Meanwhile, the Monetary Authority of Singapore (MAS) has asked financial institutions here to immediately tighten their customer verification processes to make sure they are not vulnerable to similar attacks.

Financial institutions should conduct customer verification using tools like one-time passwords instead of relying on data such as NRIC number, address and date of birth, which might already have been stolen, MAS said.

Don't let cyber attack derail Smart Nation drive: DPM Teo Chee Hean
Incident exposed weaknesses in sector's end-user workstations
By Ng Jun Sen, Political Correspondent, The Straits Times, 25 Jul 2018

Even as Singapore takes steps to prevent another cyber attack like the one which compromised the data of around 1.5 million SingHealth patients, the incident should not be allowed to derail the country's push towards becoming a Smart Nation.

Deputy Prime Minister Teo Chee Hean made this clear while speaking at the Public Service Engineering Conference 2018 at Resorts World Sentosa yesterday.

"We should not allow this incident to hold us back in building a Smart Nation and a digital government. We need to persist with our efforts to harness the potential of the digital age while building deeper expertise in our cyber security... to do so confidently," said Mr Teo, who is also Coordinating Minister for National Security.

Commenting on the lessons learnt so far, he added that the incident had exposed weaknesses in the end-user workstations of the public health sector.

Internet surfing separation could and should have been implemented for computers in the public healthcare sector, just as it had been done for the public sector. This would have gone some way in preventing the massive data breach revealed last week, he added.

Mr Teo disclosed that the attackers had gained entry into the SingHealth system through one of the front-end computers connected to the Internet used by "thousands of users in the medical and academic community".

The hackers eventually made off with the personal information of around 1.5 million patients in the worst cyber attack here.

Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescription information stolen as well.

The computers in the public healthcare clusters have since been delinked from the Internet, a move which Mr Teo said would have disrupted the cyber attack.

The Health Ministry, announcing the temporary delinking on Monday, did not say when it would end. Such a move has been in place for public servants since last year, when all official computers used by government agencies, ministries and statutory boards were delinked from the Internet for security reasons.

Besides front-end computers, the sophisticated and persistent intruder had also circumvented security barriers at the intermediate layer that manages and screens requests to SingHealth's database, said Mr Teo.

He added that solutions are being implemented to address these issues.

The case has cast a spotlight on the prompt reporting of such incidents to the cyber security authorities so that investigations can be carried out, said Mr Teo.

He noted that SingHealth's IT operators were able to discover the intrusion attempt and report it.

In other jurisdictions, he pointed out, there had been instances in which systems intrusions and the loss of large amounts of data were discovered only after the data was published online or offered for sale on the Dark Web.

But Mr Teo said: "Of course, we are studying to see how this could have been detected and reported more quickly, preventing such a large data loss."

A Committee of Inquiry has been appointed to look thoroughly into all aspects of the cyber attack.

Pointing to this, Mr Teo said that addressing the issue of the cyber attack goes beyond implementing technical solutions, and also involves "addressing public concerns and confidence, communicating and explaining to the public and our own users as transparently as possible".

4-member Committee of Inquiry convened to investigate SingHealth cyber attack
COI members bring variety of expertise, experience to table
By Irene Tham, Senior Tech Correspondent, The Straits Times, 25 Jul 2018

The four-member Committee of Inquiry (COI) which has been set up to look into Singapore's biggest data breach will include technologists as well as a union representative who will provide the patients' perspective during the course of the investigation.

Yesterday, Minister for Communications and Information S. Iswaran, who is also Minister-in-charge of Cyber Security, convened the committee and named its members. It will be headed by former chief district judge Richard Magnus, who is now a member of the Public Service Commission.

The COI will examine the chain of events and factors that led to the leak of 1.5 million patients' personal data, and suggest ways to prevent a similar occurrence in the healthcare sector. It will also look at how the attack was mitigated to draw lessons on ways to better protect public-sector IT systems which contain large databases.

The SingHealth attack also led to the leakage of outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers.

Mr Magnus previously chaired the three-man COI that looked into the Nicoll Highway collapse at a Circle Line MRT worksite on April 20, 2004. Four workers were killed. In 1992, he led another COI to investigate a fire at Sembawang Shipyard.

In a statement, Mr Magnus said: "This is a responsibility that I take seriously. I will work with the COI members to ensure that we fully deliver on this important task which has been entrusted on us."

The other members of the new COI are: Mr Lee Fook Sun, executive chairman of cyber-security solutions firm Quann World; Mr T.K. Udairam, group chief operating officer of healthcare technology firm Sheares Healthcare Management; and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress.

Mr Lee held several management positions at ST Engineering Group for 17 years before he retired last year. He is expected to bring his technical expertise to the table.

Mr Udairam has more than 40 years of healthcare experience in Singapore, including in the operations and management of hospitals. He was chief executive officer of Changi General Hospital from February 2000 to May 2012.

Ms Cham is expected to provide a community and end-user perspective in the COI, having served on many tripartite committees addressing issues like wage restructuring and hiring of mature workers.

The committee will submit a report of its proceedings, findings and recommendations to Mr Iswaran by Dec 31.

Mr Cedric Foo, chairman of the Government Parliamentary Committee for Communications and Information, said Mr Magnus is well respected and can be relied on to get to the root of the problem.

"The other three members bring with them domain knowledge in healthcare technology, cyber security and the people sector," he noted, adding that the committee should also seek more input from other experts as its task is complex.

Cyber expert praises handling of SingHealth attack
By Walter Sim, Japan Correspondent In Tokyo, The Straits Times, 26 Jul 2018

A former British MI5 intelligence officer has praised Singapore's response to the recent cyber attack that led to a data leak involving 1.5 million SingHealth patients.

He cited the speed at which the authorities alerted Singaporeans to the breach, saying that the time taken was one-10th the norm worldwide.

Mr Dave Palmer, 39, who is now director of technology at cyber-security firm Darktrace, told The Straits Times that it would typically have taken months elsewhere.

But in Singapore's case, fewer than 20 days passed between the attack, which took place from June 27 to July 4, and the day the public was informed last Friday.

Darktrace, which has offices in 33 cities worldwide, including Singapore, taps artificial intelligence to detect unusual and atypical activity, and then works to block unauthorised attempts to gain a foothold in networks.

London's Gatwick Airport and the Hong Kong University of Science and Technology are among the 7,000 networks it helps to protect. Darktrace also has clients in Singapore across multiple industries.

Mr Palmer, who was in Tokyo to attend a security and risk management summit, cited other positives in the SingHealth incident.

He pointed to the fact that clinical treatment and operations were not disrupted, even in the aftermath of the attack, which was traced to a computer connected to the Internet that was used by thousands in the medical and academic community.

Furthermore, the system deployed by SingHealth - which Mr Palmer described as "defence in depth" with increasingly secure layers of protection - had ensured that confidential personal medical records were not breached.

He also noted that the authorities had been transparent when informing the public and had toned down the jargon by communicating the impact in an easily understandable manner.

"I feel very strongly the kind of victim-blaming that can often occur when we talk about these issues is inappropriate in this case," he said.

"Yes, there was an incident, and incidents are a reality for all organisations. This is not a crisis, it is an attack that has been - for the large part - unsuccessful in getting access to private information and has not interrupted treatment outcomes of patients, though there is some sort of slight 'brand damage'."

Mr Palmer added that countries and companies must realise that cyber attacks are increasingly inevitable and that "a very small number of those attacks might start to be successful".

* Parliament, 6 August 2018: Minister for Health Gan Kim Yong on MOH's response to SingHealth cyberattack

Internet surfing separation may be permanent in some parts of public healthcare
Study on permanent PC delink in parts of healthcare system
Inconveniences from such a move prompt MOH to also look at alternative approaches
By Irene Tham, Senior Tech Correspondent, The Straits Times, 7 Aug 2018

Studies are under way to keep Internet surfing separation (ISS) a permanent measure in some parts of the public healthcare system following Singapore's worst breach involving the personal data of 1.5 million SingHealth patients, Parliament heard yesterday.

Health Minister Gan Kim Yong and Minister for Communications and Information S. Iswaran took turns to address 19 questions filed by MPs.

Mr Gan said: "We will study the impact of ISS on the ground, and determine whether we can keep it as a permanent measure, at least for some parts of our healthcare system."

After the cyber attack was discovered last month, the Ministry of Health (MOH) implemented ISS - where confidential data systems are separated from the Internet - across all the public healthcare clusters for a limited period.

"We will need to develop longer-term mitigation solutions to overcome the operational issues if ISS is to stay," he added.

Asked by MPs which systems will be affected, Mr Gan said: "Some areas such as emergency departments are more likely to be given certain rights for Internet access."

The reading of diagnostic reports from laboratories, video consultations and assessments of suspected stroke patients at the emergency department were affected after ISS was implemented across the board.

"Waiting times for consultation may also be longer as doctors may need to access references on the Internet through a separate computer," he said, responding to MPs' questions on operational delays at public hospitals and polyclinics.

Other unresolved efficiency issues include referrals to private sector partners, and submission and retrieval of results from screening systems, said Mr Gan.

As such, many healthcare systems in other places - such as Hong Kong's Hospital Authority and US-based managed care group Kaiser Permanente - have not implemented ISS fully across their operations.

The inconveniences also prompted MOH to look at alternative approaches, such as the use of virtual browsers on quarantined servers to access the Internet safely.

MOH is piloting a virtual browser system, scheduled to be completed by the end of next month. Virtual browsers will be deployed together with advanced threat protection technologies to better fend off advanced cyber attacks.

MPs also asked whether malware still lingers in the system, and if more could be done for those whose details were stolen.

While noting that there is no such thing as a foolproof system, Mr Iswaran assured the House that every effort has been made to eliminate any risks.

Mr Iswaran also said that this is a good time to review the use of NRIC numbers as usernames to access e-government and e-banking transactions.

The incident also called into question the security of the National Electronic Health Record (NEHR) system, although it is a separate system that was not affected by the cyber attack on SingHealth.

Mandatory contributions to the NEHR, which enables the sharing of patients' treatment and medical data among hospitals here, have been put on hold pending a cyber-security review by the Cyber Security Agency and professional services firm PwC Singapore.

"We must assure ourselves, users and patients that the necessary safeguards are in place before we proceed with wider implementation of the NEHR," said Mr Gan. "However, we should not reverse our direction in the use of technology in healthcare... We cannot return to the days of paper and pencil."

Health Minister Gan Kim Yong and Minister for Communications and Information S. Iswaran responded to concerns raised by MPs
By Hariz Baharudin, The Straits Times, 7 Aug 2018


Answer: "We have done everything in our means to secure the system, to detect any residual risk and eliminate it," said Mr Iswaran.

But there is no guarantee all risks have been wiped out.

Up to the day before the breach was made public, there were still malware activities in the data system. This led the Government to require all public healthcare clusters to remove Internet surfing from their systems on July 20.


Answer: During the 10 days, there were multiple streams of work to ensure SingHealth's systems were protected against data theft or being further compromised, said Mr Gan.

The Government had to trace the source of the breach, investigate how it started and identify whose information had been stolen.

SingHealth also needed time to get things ready to inform the affected patients. "All these require time to prepare, and therefore it is important for us to ensure that our information given to the public is accurate as far as we are able to ascertain," Mr Gan said.


Answer: The two-factor authentication (2FA), already a requirement for online transactions involving financial institutions and the Government, is an extra security layer against the fraudulent use of stolen data, said Mr Iswaran.

This means both a password and a one-time password (OTP) are needed to access such services. But security can be compromised should a person use his or her NRIC number as the password to access online services. Singaporeans should reset such a password.

Mr Iswaran added that this may also be an opportunity for the Government to review the use of NRIC numbers as the ID for certain online transactions.


Answer: The Committee of Inquiry's (COI) investigations will look into the causes to draw lessons that can be applied to other systems and databases in the public sector, said Mr Iswaran.

"In that process, I imagine that they would be looking at... what should have been done and then make their recommendations accordingly," he said. The focus should be on ensuring that SingHealth is secure and patient data is protected, not "allocating blame at this stage".


Answer: When there is a suspicion of a crime being committed, a police report is lodged, said Mr Iswaran. The police's investigations will take reference from the COI's deliberations.

A report was also made to Singapore's data watchdog, the Personal Data Protection Commission, which is also conducting its own investigations, and will take reference from the COI.

Parliament: SingHealth attack due to APT group, typically linked to foreign governments, says Minister for Communications and Information S. Iswaran
By Irene Tham, Senior Tech Correspondent, The Straits Times, 7 Aug 2018

The cyber attack in Singapore that led to the leak of 1.5 million SingHealth patients' personal data was the work of an "advanced persistent threat" group that is typically state-linked, Parliament heard yesterday.

Advanced persistent threats (APTs) are stealthy and continuous computer hacking processes to gain intelligence or steal information.

"This refers to a class of sophisticated cyber attackers, typically state-linked, who conduct extended, carefully planned cyber campaigns to steal information or disrupt operations," said Minister for Communications and Information S. Iswaran, responding to 19 questions filed by MPs.

"The APT group that attacked SingHealth was persistent in its efforts to penetrate and anchor itself in the network, bypass the security measures, and illegally access and exfiltrate data," said Mr Iswaran, who is also Minister-in-charge of Cyber Security.

He noted that the attack fits the profile of certain known APT groups. For national security reasons, he did not identify the attacker or speculate on the motives even when asked by Dr Chia Shi-Lu (Tanjong Pagar GRC).

"We have done everything in our means to secure the system to detect any residual risk and eliminate it," said Mr Iswaran.

He has already convened a Committee of Inquiry to get to the bottom of what went wrong. Lessons will be drawn from the incident to strengthen the safeguards of Singapore's critical information infrastructure (CII), including those in aviation, healthcare, land transport, maritime and media.

Last Friday, the 11 critical service sectors in Singapore were told to strengthen the security around their network connectivity gateways to prevent data leakage, even as the Government lifted the pause on new Smart Nation projects that was imposed after the recent data breach at SingHealth.

The Cyber Security Agency's (CSA) forensic investigations team has extracted the pieces of forensic data used to identify the malicious activities and has instructed CII owners to scan for them.

APT attacks are not new to Singapore. For instance, the attacks on the National University of Singapore and Nanyang Technological University, discovered in April last year, were also performed by APT groups aimed at stealing government and research data.

Parliament: Cyber Security Agency to give directions to critical sectors on how to bolster cyber defence
By Hariz Baharudin, The Straits Times, 7 Aug 2018

To better protect essential services like government, healthcare or water against cyber attacks, the Cyber Security Agency (CSA) will give directions to organisations providing critical services on the security measures they have to adopt.

The agency will also give advice to owners of critical information infrastructure (CII) - computer systems involved in delivering essential services - on what they can do to further beef up their defence.

Minister for Communications and Information S. Iswaran gave this update in Parliament yesterday when answering questions about government measures to strengthen cyber security in the wake of the worst data breach in Singapore.

Last month, it was announced that hackers had infiltrated the computers at healthcare group SingHealth and stolen the personal data of 1.5 million of its patients, along with the outpatient prescriptions of 160,000 of these patients.

In Parliament, Mr Iswaran noted that SingHealth's patient database is part of Singapore's CII.

"A cyber attack on any CII can disrupt essential services and affect public welfare and confidence," he said.

Mr Iswaran, who is also Minister-in-charge of Cyber Security, said: "CSA will direct CII owners on the essential security measures they must adopt to meet a required standard. Beyond this, CSA will also render its professional advice on what CII system owners could do to further strengthen their defences."

Mr Iswaran's comments came after the CSA announced last Friday that 11 critical service sectors have been asked to review connections to untrusted external networks or ensure better protection if they could justify the need for these connections. These sectors are: government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency, and media.

The minister noted that the Cybersecurity Act passed in February gives the Government "additional levers to strengthen the protection of CII against cyber attacks". The CSA is currently implementing the provisions of the Act and would decide which organisations are in the CII sectors by the end of this year.

Last Friday, CSA also announced that it had lifted the pause on Smart Nation projects imposed after the SingHealth data breach.

Mr Iswaran said the Government had taken added precautions despite there being no evidence that the Government's information and communication technology systems had been compromised.

"The Smart Nation and Digital Government Group (SNDGG) was directed to review the cyber security measures of all existing and upcoming government systems," he said. "SNDGG has completed its review and will implement additional security safeguards where necessary."

COI on SingHealth cyber attack - 21 September to 5 October 2018

How hackers got away with SingHealth's crown jewels
An inquiry in the past two weeks into the SingHealth cyber attack has uncovered new details about the data breach and also identified weaknesses and lapses in the public healthcare group and its IT vendor. Based on testimonies of witnesses, Senior Tech Correspondent Irene Tham and Hariz Baharudin piece together an account of how Singapore's biggest cyber attack unfolded.
By Irene Tham, Senior Tech Correspondent and Hariz Baharudin, The Straits Times, 8 Oct 2018

Some time in August last year, somewhere in the Singapore General Hospital, a computer workstation became infected with malware, likely after a user fell prey to a phishing attack.

It is a common trap that ensnares many Internet users. And it did not help that the computer was running an outdated version of Microsoft Outlook, making it defenceless against new viruses. But this time, the incident possibly led to Singapore's worst data breach.

Through the phishing attack, the cyber hackers gained a foothold in public healthcare group SingHealth's vast store that houses the medical and personal data of five million patients.

Right after the entry, the attackers called back overseas to say: "We're in."

Instead of rampaging through the store for patient records - specifically for that of Prime Minister Lee Hsien Loong - the attackers lay low for four months before moving around the network slowly to gather more user accounts to execute their next moves.

The conventional safeguards of Integrated Health Information Systems (IHiS) - an agency that runs the IT systems of public healthcare institutions - were no match for the hackers' advanced techniques.

For instance, malware created for the attack escaped detection by even the world's top anti-virus software makers.


Details of the attack - as well as an account of what went right and wrong - were revealed when a high-level Committee of Inquiry (COI) into the cyber attack held a series of hearings in the past two weeks, which ended last Friday.

What went right: Some IHiS staff took action to investigate and even to end the attack despite the lack of instruction from their superiors.

What went wrong included how a server exploited by the hackers had not received the necessary security software updates for over a year, and how IHiS lacked a framework spelling out timely responses to cyber-security risks.

On July 20, Singaporeans first learnt of the country's worst data breach, which took place undetected from June 27 to July 4. It saw the attackers stealing the personal data of 1.5 million SingHealth patients, and the medical prescriptions of 160,000 people, including PM Lee.

To steal the data, the attackers had to first obtain user account passwords to access SingHealth's electronic medical records (EMR) system. They targeted inactive administrator accounts - of which one had an easily cracked password: P@ssw0rd.

Between May and June this year, hackers used these accounts to remotely log in to a server that had an open connection to the EMR.

The open link, which had been set up temporarily for database migration to a new cloud-based system, was scheduled to be disconnected last month, according to evidence shared with the COI.

COI chairman Richard Magnus said last Friday: "It would appear to the COI, even at this stage, that the attacker had one and only one malicious intent - that of exfiltrating data from the crown jewels of the network, which is the EMR."

Though the attackers had a direct route to the EMR, they were unable to access it. They made multiple failed attempts to log in, using either non-existent user accounts or those that were not granted access.
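The pattern described above (one server failing against the database with several different accounts, some non-existent and some without access rights) can be flagged automatically. The following is an added example, not code from the article or from IHiS; the log format, host names, account names and result codes are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp | source host | account | result
SAMPLE_LOG = """\
2018-06-11T09:01:12 | srv-mig-01 | svc_backup | FAIL_NO_SUCH_USER
2018-06-11T09:01:40 | srv-mig-01 | dba_old1 | FAIL_NOT_AUTHORIZED
2018-06-11T09:02:05 | srv-mig-01 | admin_tmp | FAIL_NO_SUCH_USER
2018-06-11T09:03:30 | ws-clinic-17 | dr_lim | FAIL_BAD_PASSWORD
2018-06-11T09:04:02 | srv-mig-01 | dba_old2 | FAIL_NOT_AUTHORIZED
2018-06-11T09:20:00 | ws-clinic-17 | dr_lim | OK
2018-06-12T14:00:00 | srv-app-02 | app_emr | FAIL_NOT_AUTHORIZED
"""

# Failure types that a legitimate user mistyping a password would not produce.
SUSPICIOUS = {"FAIL_NO_SUCH_USER", "FAIL_NOT_AUTHORIZED"}

def parse(log_text):
    """Turn log text into time-sorted (timestamp, host, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        ts, host, account, result = parts
        events.append((datetime.fromisoformat(ts), host, account, result))
    return sorted(events)

def flag_sources(events, window=timedelta(minutes=30), min_accounts=3):
    """Return {host: accounts} for hosts whose suspicious failures span
    at least min_accounts distinct accounts inside one sliding window."""
    by_host = defaultdict(list)
    for ts, host, account, result in events:
        if result in SUSPICIOUS:
            by_host[host].append((ts, account))
    alerts = {}
    for host, fails in by_host.items():
        start = 0
        for end in range(len(fails)):
            # Shrink the window from the left until it fits the time limit.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {a for _, a in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[host] = sorted(accounts | set(alerts.get(host, [])))
    return alerts

if __name__ == "__main__":
    for host, accounts in flag_sources(parse(SAMPLE_LOG)).items():
        print(f"ALERT {host}: failed logins across accounts {accounts}")
```

A short window misses attempts that are spread out over days, so the window and threshold need tuning against the slowest activity the defender wants to catch.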


Their attempts went unnoticed for about three weeks until June 11 when Ms Katherine Tan, a database administrator at IHiS, spotted the unusual network activity.

In a way the first sleuth to arrive at the crime scene, Ms Tan informed her colleagues via e-mail - including a more senior staff member, Mr Lum Yuan Woh, IHiS' assistant director (infra services - systems management) - about the access attempts.

Ms Tan found it odd that administrator accounts with no access rights to the EMR database were being used to enter it. One of these accounts belonged to a colleague, whom she verified had not tried to enter the EMR system.

Over the next two days, she compiled more error logs of attempts to reach the EMR database and became more convinced that someone was repeatedly trying to break into it.

She sent more e-mails alerting colleagues and Mr Lum, thinking that IHiS was dealing with "what could be classified a security incident".

Ms Tan did not think it was necessary to report the incidents to more people, as she thought Mr Lum would know what to do.

But Mr Lum, too, did not report the incident to higher-ups; it did not occur to him that the breached administrator accounts could do any harm.


One of the e-mails landed in the inbox of IHiS system engineer Benjamin Lee. He took the initiative to study the suspicious activities forensically and alert two key cyber-security executives at IHiS - Mr Ernest Tan Choon Kiat, senior manager (infra services - security management), and Mr Wee Jia Huo, cluster information security officer.

Mr Lee also set up a chat group using an internal secure chat system on June 13 with some colleagues, including both Mr Tan and Mr Wee, to discuss the unauthorised attempts to access the EMR system. Though these chat groups were rarely formed, neither Mr Tan nor Mr Wee realised the severity of the incidents. Nor did they follow up on the e-mails they were copied on.

Tasked by the Attorney-General to lead evidence in the COI, Solicitor-General Kwek Mean Luck said in his Sept 21 opening statement that IHiS staff "did not fully appreciate that multiple cyber-security incidents, culminating in a breach of the database, were occurring".

The fact that several different username-password combinations had been used in attempts to connect to the database did not ring any "alarm bells" for Mr Tan, he said when giving his account of the incidents to the COI.

Mr Wee did not create a framework spelling out timely responses to cyber-security risks, though he was the one in charge of assessing and reporting risks.

He said he relied on Mr Tan to initiate any alerts on cyber threats and recommend if they should be reported. But Mr Tan said it was not his job to report to higher-ups even if a cyber-security incident had occurred. It was Mr Wee's job.


The COI also heard about management inaction and misjudgment on the part of IHiS in 2014.

A staff member was found to have reported an alleged flaw in the EMR system, which was supplied by vendor Allscripts Healthcare Solutions. But no action was taken to investigate the supposed loophole.

Mr Zhao Hainan, who was then an IHiS systems analyst, had written an e-mail on Sept 17, 2014, to flag the alleged "loophole" to Allscripts' rival, Epic Systems.

In the e-mail, which Allscripts obtained from Epic and sent to IHiS, Mr Zhao alleged that the supposed coding flaw could allow hackers to "gain admin control of the whole database easily". Even medical students, nurses and pharmacists could have such access, he wrote.

COI members quizzed former IHiS chief executive officer Chong Yoke Sin and other IHiS staff during the Sept 28 hearing on why they did not take action on the supposed "loophole" found.

Dr Chong said she had considered Mr Zhao's action to be "primarily a disciplinary issue, and not an IT security issue". Her impression was that his motive was to seek personal gain from Epic.

Asked why he did not check on the alleged flaw, Mr Clarence Kua, an IHiS employee assigned to SingHealth as deputy director (chief information officer's office), said his focus was to confirm that Mr Zhao had sent the e-mail to Epic.

His stance prompted Mr Magnus to say: "You can focus on two things at the same time."


On June 26, the attackers successfully obtained access to the EMR system and began stealing the data the next day.

The stolen records involved 1.5 million patients who had visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015, to July 4 this year. Their non-medical personal data that was illegally accessed and copied included names, NRIC numbers, addresses, gender, race and dates of birth.

The Government called it a deliberate, targeted and well-planned cyber attack that was "not the work of casual hackers or criminal gangs".

By July 4, Mr Wee and Mr Tan had not reported the incident to management despite knowing of attempts to access 100,000 EMR records, as they viewed it only as a "potential breach" and not a "confirmed" one.

The data breach was halted on July 4 when Ms Tan terminated the unauthorised EMR database queries - though she had not been told to do so.

Though the data thieves had run away with the "crown jewels", no one in IHiS had a clue, for almost a week. Some dismissed the unusual database queries as a surprise audit.

There was general consensus that the terminated queries were a "security incident", but the Cyber Security Agency (CSA) was not informed.

A staff member told his superior - Mr Henry Arianto, IHiS deputy director of product management and delivery in the clinical care department - that the hacker did not steal any data. And this erroneous message spread. Mr Arianto reported the incorrect finding to senior IHiS staff on July 9.

Any sighs of relief, however, were short-lived.

On July 10, Mr Arianto decided to "double-check" by simulating one of the attempts of the hackers. What he found left him "shocked", said Mr Arianto. His employee was wrong. Data had indeed been stolen.


The crisis mode in IHiS kicked into high gear following this discovery. To determine the extent of the breach, IHiS senior management immediately set up a "war room" in the Connection One building in Bukit Merah.

On the same day, CSA was informed of the attack, as were the Health Ministry and SingHealth.

Database queries from June 27 to July 4 were recreated to determine the extent of the breach.

On July 11, it was discovered that PM Lee's data had been stolen using his NRIC number, along with that of two others, who were non-VIPs. A police report was made the next day.

But the attackers did not give up. Using other footholds in SingHealth's network, they tried to execute commands from yet another server on July 19 - amid investigations of their earlier breach.

IHiS responded by taking remediation measures to deal with these attempts that day.

The COI, which has to submit a report on its findings and recommendations by the year end, privately held its first hearing on Aug 28.

A second tranche of hearings, both public and private, started on Sept 21 and ended last Friday. More hearings will continue at the end of this month.

Mr Kwek said last Friday that the next tranche would highlight the need for organisations to have adequate and updated cyber defences.

"The nature of the attack, in particular the skill and sophistication used in the SingHealth attack, highlights the challenges cyber defenders face," he said. "There is a need for cyber defenders and defences to evolve and keep pace with the changing threat landscape."

Top-secret report on SingHealth attack submitted to Minister-in-charge of Cyber Security on 31 Dec 2018
By Irene Tham, Senior Tech Correspondent, The Straits Times, 1 Jan 2019

An exhaustive report that details the events leading up to the cyber attack on SingHealth's patient database - the most serious data breach in Singapore's history - has been submitted to Minister-in-charge of Cybersecurity S. Iswaran.

The report sums up and assesses the evidence collected over 22 days of mostly public hearings from 37 witnesses. It also makes recommendations on ways to secure huge databases in order to avoid a similar incident.

In a letter to Mr Iswaran yesterday, the four-member Committee of Inquiry (COI) that looked into the incident said: "This report contains sensitive information and is hence classified 'Top Secret'."

"The contents of the report are the unanimous view of all members of the committee," it added.

The full report on the attack, which is believed to be state-sponsored and the act of sophisticated hackers, is not being published for reasons involving national security.

However, the COI will release a public version of the report, including all its recommendations, by Jan 10, said a Ministry of Communications and Information spokesman. It will be accessible at

Mr Iswaran, who is Minister for Communications and Information, and Minister for Health Gan Kim Yong, are expected to respond to the report in Parliament when the House sits this month.

In a letter thanking the COI for its report, Mr Iswaran said the panel has closely examined the responses to the incident and submitted a comprehensive set of recommendations to better manage and secure the IT systems of SingHealth, as well as those of other public healthcare clusters and the public sector, against similar attacks.

"The COI report is the result of an extensive fact-finding process and a rigorous inquiry over the past five months," he said.

"The Government takes cyber security with utmost seriousness," Mr Iswaran added. "We will learn from this incident and take measures to further strengthen our public sector IT systems and uphold the trust of Singaporeans."

The high-level COI - chaired by retired senior judge Richard Magnus and with Mr Lee Fook Sun, executive chairman of security firm Ensign InfoSecurity, Mr T. K. Udairam, group chief operating officer of Sheares Healthcare Management, and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress, as other members - was appointed on July 24 to investigate Singapore's worst data breach.

In June last year, hackers stole the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.

In his closing remarks on Nov 30, Mr Magnus said that organisations must assume that they are already under cyber attack by proactively identifying and mitigating breaches.

Solicitor-General Kwek Mean Luck from the Attorney-General's Chambers, which led the evidence for the COI, spoke about the importance of organisational culture as cyber defence is everyone's job, and not just that of the IT department.

Mr Kwek also outlined 16 recommendations, including improving staff's cyber security awareness and performing enhanced checks.

Organisational culture became a key focus as the COI felt that people are at the heart of all processes and systems.

One issue that came under scrutiny was how certain staff at the Integrated Health Information Systems (IHiS), Singapore's central IT agency for the healthcare sector, failed to act appropriately to report suspicious network activities.

The lack of situational awareness and training among staff contributed to the breach which took place from June 27 to July 4.

SingHealth's IT System Target of Cyberattack - 20 Jul 2018

Minister-In-Charge of Cybersecurity Convenes Committee Of Inquiry To Look Into Cybersecurity Attack on SingHealth - 20 Jul 2018

Appointment Of A Committee Of Inquiry Into The SingHealth CyberSecurity Attack On Or Around 27 June 2018

Government is lifting the pause on new ICT systems which it announced on 20 July, following the attacks on SingHealth’s system - 3 Aug 2018

MOH Parliamentary QA: Cyberattack on SingHealth's IT System - 6 Aug 2018

Statement by Mr S Iswaran, Minister-in-Charge of Cybersecurity, on the cyber-attack on SingHealth’s IT system, during Parliamentary Sitting on 6 August 2018

Committee of Inquiry on SingHealth cyber attack public report

Public Report of the Committee of Inquiry (COI) into the cyber attack on Singapore Health Services Private Limited Patient Database - 10 Jan 2019
