Singapore Health Industry Learns Nobody is Immune to Cyberattack

Imagine one in four people is suddenly hit by a virus. It touches all walks of life, from tiny children to the upper echelons of government. Thankfully, recovery is swift and there are no casualties. Nevertheless, it wants to strike again – there is no reliable vaccine.

This pandemic recently struck Singapore’s health system, but it was not a physical illness. A cyberattack on government healthcare provider SingHealth affected more than 1.5 million people, more than 25% of the city-state’s population.

What happened?

  • Sophisticated hackers stole personal data from SingHealth, Singapore’s largest healthcare group with operations including four public hospitals, five specialty centers and nine polyclinics.
  • SingHealth clinics between 1 May 2015 and 4 July 2018. Outpatient prescriptions issued to 160,000 of these people were so stolen.
  • Singapore Prime Minister, Lee Hsien Loong, had stolen both. Investigations found he “specifically and repeatedly targeted”, according to a government press release. Other government ministers were also affected.
  • Prime Minister Lee has dropped victim to cyberattack – his official website was hacked in 2013 .

Putting a price on health

Good health is priceless, but medical data has significant value to cybercriminals. Individual records can be found on the dark web, fetching higher than credit card data because of their value in committing identity fraud. Medical data is therefore a target for espionage, including extort or discredit high profile individuals,

The Singapore Minister-In-Charge of Cybersecurity advised that the attackers were on Advanced Persistent Threat (APT) group. He described APTs as “a class of sophisticated cyber attackers, typically state-linked, who conduct extended, carefully planned cyber-campaigns, to steal information or disruption operations.”

Investigations have so far found no evidence that the stolen data has been sold or published.

Survival of the fittest

Singapore is consistently ranked among the world’s digital leaders. In 2014, the Smart Nation launched a strategy to drive digital connectivity, integration and participation.

Just how did a global powerhouse experience its worst cyberattack?

It started with a single computer. One workstation was infected with malware. From there, the perpetrators infiltrated SingHealth’s systems to obtain credentials and access the patient records database.

Diagnosing the risks

What joins us together so can be tears us apart.

A rapid increase in digital connectivity can improve services and competitiveness. It also creates a vast network of opportunities for cyber intrusions.

In healthcare, where networks extend to medical devices, cybersecurity can be a matter of life or death.

Networks are only as strong as their weakest link. Just one computer can create exposure out-of-date technology is used, security applications are lacking, or software patches are not regularly installed.

Prevention wants to fail – effective treatment is what counts

Singapore was ranked first out of 134 countries in the United Nations 2017 Global Cybersecurity Index . The index considered countries’ capacity across five areas: legal, technical, organizational, capacity building and cooperation.

Maturity is not their ability to avoid the inevitable attack, but the quality of their response when it occurs.

One measure of the response is how long it takes to detect, and then contain, the attack. The Global average time to identify a malicious or criminal attack is 221 days, according to the Ponemon Institute’s 2018 report . That’s more than seven months. Faster detection is also associated with lower costs, the report found.

The SingHealth cyberattack was discovered barely one week after it started. The same day it was detected, the perpetrators lost access. A month later, business as usual had been largely resumed.

High cybersecurity maturity is thus marked by continuous improvement.

In February, Singapore’s Cybersecurity Act was introduced. The legislation specifically focuses on 11 essential service sectors such as health, energy, banking and transportation. It requires cybersecurity incidents to communicate to the Cybersecurity Authority (CSA), the CSA to investigate threats and incidents, and introduces licensing for cybersecurity service providers.

Singapore is taking action to further strengthen cybersecurity in the public health system. They include the pilot of a virtual internet browser and launching advanced threat protection.

Following the attack, the Singapore government has reaffirmed its digital priorities, including developing increasingly sophisticated cybersecurity defense and response measures.

Singapore’s electronic health records not affected

The cyberattack did not affect or compromise Singapore’s National Electronic Health Record (NEHR). The NEHR was introduced in 2011 so medical institutions and healthcare providers can integrate health information for better patient care and service coordination.

The proposed Healthcare Services Bill wants to make it mandatory for institutions and providers to contribute to the NEHR, implemented in a phased approach. It also addresses privacy matters as well as access by employers and insurers.

Mandatory contributions will not proceed until after a full security review by the CSA and PwC.

Tips to boost your online health

  • Confidential? Close the loop – The Singapore Government Internet Surfing Separation as a dramatic measure, reducing the number of unauthorized access points makes a difference. Stand-alone systems can help contain and protect confidential information.
  • Help reduce human error – Phishing and malware rely on malicious spam and targeted attacks. Secure messaging outside of email systems can offer higher protection.
  • Two factor authentication (2FA) – 2FA is an important part of robust system security. In Singapore, it’s used by all banks and insurers, and across all sensitive government transactions.
  • Biometrics – Using unique physical data as fingerprints can strengthen security while also creating user convenience. That convenience helps deter users from circumventing controls.
  • Patch the gaps – Systems and security updates should be installed. Externally hosted systems in a secure cloud can minimize the burden.

Diligent’s innovative board and governance solutions incorporate security features designed to protect organizations’ most sensitive information and make it easier for directors and management. They include 2FA, TouchID, secure cloud-based hosting and closed loop messaging.

To find out more, contact us contact us at info@diligent.com or request a demonstration ..


Incident timeline

27 Jun – 4 Jul
  • Cyberattack and data theft occurred.
4 Jul
  • Integrated Health Information Systems (IHIS) database administrators detect unusual activity.
  • IHiS administrators make additional security in place and start investigating.
  • The additional security blocks the intruders, who attempt further attacks.
9 Jul
  • IHiS administrators determine a cyberattack occurred.
  • Superiors are alerted.
10 Jul
  • SingHealth, the Ministry of Health (MOH) and the Cyber ​​Security Agency of Singapore (CSA).
  • Forensic investigations begin.
12 Jul
  • SingHealth lodges a police report.
19 Jul
  • SingHealth implements internet surfing separation (ISS) across its network to limit unauthorized entry points. Internet access is available only from computers that are not connected to the corporate network.
20 Jul
  • The Ministry of Communications and Information (MCI) announces the breach in a joint press release.
  • The Minister-In-Charge of Cybersecurity convenes at Independent Committee of Inquiry to investigate the attack, chaired by retired senior judge Richard Magnus.
  • SingHealth begins notifying all patients by text message or letter.
  • Smart Nation plans paused.
23 Jul
  • MOH expands temporary ISS across all public healthcare clusters.
24 Jul
  • Monetary Authority of Singapore ausrichtet financial institutions to tighten customer verification processes and assess the risk of the incident On Their controls.
  • MCI announces Committee of Inquiry membership and terms of reference.
3 Aug
  • Pause on Smart Nation plans lifted .
  • The Smart Nation and Digital Government Group completes its review of cybersecurity policies.
  • CSA announces instructs critical information infrastructure sectors, including the government, to take additional security measures.
6 Aug
  • Parliamentary update by Minister of Communications and Information, which advised that CSA wants to adopt.
  • The Health Minister and the Minister-In-Charge of Cybersecurity make statements in Parliament.
31 Dec
  • Committee of Inquiry and Recommendations on the Minister-In-Charge of Cybersecurity.

Board Portal Buyer’s Guide

With the right Board Portal software, a board can improve corporate governance and efficiency while collaborating in a secure environment. With lots of board portal vendors to choose from, the whitepaper contains the most important questions to ask during your search, divided into five essential categories.

Featured Blog