SingHealth COI: Management concerned early announcement of breach would affect investigations

SingHealth COI: Management concerned early announcement of breach would affect investigations

A SingHealth polyclinic signage is pictured in Singapore
SingHealth was the target of a major cyber attack where hackers are reported to have stolen the personal particulars of more than a million patients. (Photo: Reuters/Edgar Su)

SINGAPORE: SingHealth held back on informing the public about the cyberattack on its database due to concerns that making an early announcement might jeopardise investigations, a Committee of Inquiry (COI) looking into the data breach heard on Monday (Nov 5).

There was also a need to get more information and ensure the breach was contained, Professor Kenneth Kwek, SingHealth deputy group chief executive officer (Organisational Transformation and Informatics), told the four-member COI.

The public was informed of the cyberattack - which saw around 1.5 million SingHealth patients’ records accessed and copied - on Jul 20.

About 160,000 of them also had their outpatient medication data extracted in what was described as the "most serious breach of personal data” in Singapore’s history.

Among those affected was Prime Minister Lee Hsien Loong, with the attackers targeting his personal particulars and information about his medicines.

Database administrators from the Integrated Health Information Systems (IHiS) - the central IT agency for the healthcare sector - discovered the breach on Jul 4.

Since September, a COI has been holding public hearings as it investigates what happened during the data breach.

MORE INFORMATION REQUIRED

The COI heard that Prof Kwek had first received a call from Mr Benedict Tan, SingHealth group chief information officer, on Jul 9, informing him that the IHiS team had detected some “suspicious activities on one of the SingHealth databases”.

READ: SingHealth COI: Possible conflicts of interest raised as IHiS leaders had roles in Health Ministry

A day later, Mr Tan sent an email informing Prof Kwek of “unauthorised accesses” to the SCM (Sunrise Clinical Manager) production database on Jul 4.

The email was also sent to SingHealth group chief executive officer Professor Ivy Ng and SingHealth group chief operating officer Tan Jack Thian.

“Ivy and I recognised that SingHealth had an immediate obligation to inform, in the shortest time reasonably possible, all the patients who may have been affected by the data breach,” said Prof Kwek. “However, before we could do that or even devise a proper communications plan, we needed to ensure the data were intact and secure.

“We also needed more information about the cyberattack so that we could communicate meaningfully with our patients.”

According to Prof Kwek, IHiS then confirmed at a meeting on Jul 13 that data was exfiltrated and that they were able to ascertain what data was affected.

“At this meeting, the issue of public communications and the timing of the public announcement was also discussed,” he said. “It was agreed that the public announcement must not compromise the ongoing forensic investigations.”

READ: SingHealth COI: IHiS officer’s reluctance to report suspicious IT incidents shown up in court

After several discussions with stakeholders, three possible dates were mooted for the announcement, said Prof Kwek. Jul 20 was eventually selected as the date for the announcement, as there was “sufficient time for proper containment” of the cyberattack.

“The consideration weighing in favour of an earlier public announcement was that the public would appreciate being informed early,” added Prof Kwek. “On the other hand, we had to balance that against three serious considerations.”

These considerations include concerns over whether an early announcement might affect or impede the ongoing forensic investigations into the cyberattack if the attackers were still in the network, as well as ensuring the cyberattack was contained before the announcement.

“More information about the cyberattack was needed in order to build confidence via the public announcement,” Mr Kwek added. “There was a concern that if we made a public announcement without having the necessary information, the public might be more anxious.”

“EXTENSIVE WORK” DONE BY SINGHEALTH

Monday’s COI session also focused on the patient outreach and communication efforts undertaken by SingHealth following the cyberattack.

This showed the “extensive work” done by SingHealth staff to allay concerns of the public, said Solicitor-General Kwek Mean Luck.

In view of the “need for speed and scale of outreach”, the primary mode of communication which SingHealth decided to use was sending SMSes to all patients, said Prof Kwek.

These SMSes aimed to reassure those whose data was not affected and inform those whose data was affected as to what data had been accessed.

Within four days from the date of the public announcement, about 2 million SMSes were sent, of which 15 per cent failed to be delivered, said Prof Kwek.

Letters were then sent to this group of patients and to those without valid mobile phone numbers in SingHealth’s records. A total of around 434,000 letters were sent.

READ: SingHealth cyberattack: IHiS announces measures to protect healthcare sector against online threats

SingHealth also set up hotlines for affected patients to call in and created a dedicated email account for public queries. The public could self-check if their data was accessed via the SingHealth website and Health Buddy Mobile App.

The day’s second witness, SingHealth group chief executive officer Professor Ivy Ng, commended the work of her staff in their outreach efforts.

Responding to a question from Solicitor-General Kwek, Prof Ng called the outreach effort “unprecedented” and one beyond what SingHealth would normally do.

“Quite a few people asked if we outsourced this massive endeavour,” she told the COI. “However, it was quite clear that we wanted to undertake this ourselves.”

MORE TO BE DONE FOR CYBER-AWARENESS

While Dr Kwek said that SingHealth has been “proactive” in “building awareness and educating staff on cyber-security risks”, he added that more will be done in the future.

IHiS has been conducting “phishing exercises” on SingHealth staff, with six carried out between 2015 and September 2018.

“Staff who responded to phishing emails twice or more are also given additional attention. They are requested to attend IT security briefings to become more aware of the risks,” said Prof Kwek.

READ: 'Customised, uniquely tailored' malware not seen elsewhere used in SingHealth cyberattack

During the recent exercise in February this year, such staff received a formal letter, with a copy to their supervisor, signed off by both Prof Kwek and Mr Tan, to “strongly remind them on the need for vigilance”.

Since 2016, SingHealth employees would have received a reminder on cybersecurity and data protection when logging in and the language of this message will be strengthened, added Dr Kwek.

There will also be more leadership memos sent out on cybersecurity, and stepping up of cybersecurity related topics during town halls. Currently, six to 12 of these memos are being sent out each year.

This will “engender” within staff a “culture” that data confidentiality is an essential part of ensuring safety and providing good clinical care, said Dr Kwek.

The COI hearings are expected to continue on Friday.

Source: CNA/ec(ra)

Bookmark