SINGAPORE – A top-secret report providing a thorough account of events that led to the cyber attack on SingHealth’s patient database has been submitted to Minister-in-charge of Cyber Security S. Iswaran.
The report sums up and assesses all the evidence collected over 22 days of hearings from 37 witnesses, and offers recommendations on ways to secure huge databases to avoid a similar incident, said the secretariat of a Committee of Inquiry (COI) looking into the incident.
In a letter to Mr Iswaran on Monday (Dec 31), the COI said: “This report contains sensitive information, and is hence classified ‘Top Secret’.”
Hence, its content has not been shared with the media for national security reasons. A redacted version will be released to the public on Jan 10, said a Ministry of Communications and Information spokesman in a media release.
Mr Iswaran and Health Minister Gan Kim Yong are expected to respond to the report in Parliament in January.
The high-level COI, chaired by retired senior judge Richard Magnus, was appointed on July 24 this year to shed light on what led to the cyber attack on public health cluster SingHealth, which was Singapore’s worst data breach.
In June this year, hackers stole the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.
In his closing remarks on the last day of the COI hearings on Nov 30, Mr Magnus said that organisations must assume they are already under cyber attack by proactively identifying and mitigating breaches.
Solicitor-General Kwek Mean Luck from the Attorney-General’s Chambers, which led the evidence for the COI, wrapped up by talking about the importance of organisational culture. He emphasised that cyber defence is everyone’s job and not just that of the IT department.
Mr Kwek also outlined 16 recommendations, including improving staff’s cyber-security awareness and performing enhanced checks.
Organisational culture became a key focus, as people are at the heart of all processes and systems. People click on links in e-mails, and people interpret data such as unusual traffic trying to access a database.
During the COI hearings, one issue that came under scrutiny was how staff at the Integrated Health Information Systems (IHiS), Singapore’s central IT agency for the healthcare sector, reacted to suspicious network activities.
The COI heard that hackers first intruded into SingHealth’s network in August 2017 after a user from the Singapore General Hospital fell prey to a phishing attack.
The COI also heard that a middle manager of cyber security at IHiS, Mr Ernest Tan, was alerted to suspicious network activities as early as June 13 by his subordinate, IHiS system engineer Benjamin Lee.
But Mr Tan did not report them to higher management even after Mr Lee repeatedly said that the network was under attack. Mr Tan said he did not realise the severity of the incidents though he was told that attempts had been made to access 100,000 patient records.
Intrusions into SingHealth’s electronic medical records system – billed as the crown jewels of its network – began on June 27 but were discovered only on July 4 and terminated that day by a junior staff member, IHiS database administrator Katherine Tan.
This article was first published in The Straits Times. Permission required for reproduction