SingHealth cyber attack: Ministers respond to questions regarding safeguarding measures

The temporary implementation of Internet Surfing Separation (ISS) has become one of the primary measures taken by the Government to increase cybersecurity in the aftermath of a cyberattack that affected the personal information and medical data of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong, just last month.

Minister of Health Mr Gan Kim Yong said in Parliament on Monday that the temporary implementation of ISS for SingHealth “will limit avenues for attackers to enter and exit the healthcare clusters’ IT systems”.

He acknowledged, however, that “ISS has created some inconveniences and operational challenges for healthcare workers and patients”, and that the Ministry of Health (MOH), in conjunction with Integrated Health Information Systems (IHiS), the technology organisation that administers the IT systems for the public healthcare sector, has deliberated on the efficacy of ISS:

Could we have initiated ISS earlier? ISS is not a decision to be taken lightly. In fact, even before the incident, IHiS had been working with our clusters to study and assess the feasibility of ISS and the ways to mitigate the impact on patients and healthcare professionals. […]

We were also learning from the experiences of other countries’ healthcare IT systems and exploring alternative approaches to achieve similar protection as ISS, while minimising the impact on operations and patients.

Many healthcare systems in other countries have found it difficult to implement ISS for practical and operational considerations. Healthcare systems such as Hong Kong’s Hospital Authority and Kaiser Permanente have not adopted full ISS.

ISS was put in place for SingHealth starting 19 July, and NUHS and NHG have followed suit starting 23 July.

He said that MOH is looking into longer-term solutions and preventative measures, one of which is the use of a “virtual browser” that will “enable users to access the Internet safely via a set of quarantined servers”, thereby minimising “the number of potential attack points”.

Mr Gan added that “the virtual browser solution will be complemented by the deployment of Advanced Threat Protection (ATP)”, which will be used to buttress ISS and will “provide additional defence against advanced cyberattacks”.

He added that prior to the SingHealth cybersecurity breach, which he dubbed an “unprecedented attack”, operations for ATP had been put into place, and are expected to be completed by the end of this month.

Elaborating on the virtual browser, Mr Gan noted that MOH’s “ongoing pilot on virtual browser was scheduled to be completed by September this year”.

He also highlighted that “our engineers worked overnight and through the weekend to put in place temporary work-around solutions”.

Mr Gan said that, in spite of the temporary measures put in place, “some issues are not yet fully resolved, such as referrals to private sector partners, and submission and retrieval of results from screening systems”, adding that while such issues “do not compromise patient care and safety”, they might “affect the efficiency of our healthcare system”.

Consequently, some patients may experience a longer wait for consultations and for their test results, as well as when checking their MediSave accounts or making their claims, noted the Health Minister.

The Health Minister also touched on the National Electronic Health Record (NEHR) system, reassuring the House that “NEHR is a separate system that was not affected by this cyberattack” as “the NEHR is designed differently from the systems that were infiltrated”.

However, he said, the NEHR will be put through “a rigorous independent external review before we proceed with mandatory contribution of electronic health records”.

He added that MOH has “engaged CSA and PwC Singapore as independent third parties to help identify any vulnerabilities and recommend measures to address them”.

Mr Gan also outlined the current and future cybersecurity systems that are, and will most likely be, in place for SingHealth as well as other public healthcare clusters in Singapore:

We face a constant challenge of striking the right balance between having stronger cybersecurity safeguards, while ensuring effective and safe patient care. To achieve this, we adopted a multi-layered approach to cybersecurity:

First, prevention. Our systems are designed with defensive measures against illegal access. For example, there are multi-layer security defences in place both at the perimeter guarding against threats on the internet, as well as within the perimeter to protect against unauthorised access. Vulnerability scans and tests are conducted regularly. Independent IT security audits are also carried out, with the last such audit on the affected system performed in the second half of 2017.

Second, detection. We have monitoring tools and services to detect breaches. Our systems are also designed to provide extensive detailed activity logs for internal and external round-the-clock monitoring.

Beyond setting up a resilient system, we also need a culture of vigilance and cybersecurity awareness. This applies to our healthcare staff, as well as our IT staff. We should always adopt safe cyber practices, watch for suspicious emails and messages, and report them to our IT departments as soon as possible.

Third, response. We have established operating and technical procedures and measures to contain the impact and neutralise the threat once a breach is discovered. In the event of a breach, we will also notify and work with CSA to contain and investigate the breach. Exercises are conducted regularly to ensure staff are familiar with the procedures.

He concluded his response by suggesting that the usefulness of technology should not be disregarded completely over this one incident, cautioning against throwing the baby out with the bathwater:

However, we should not reverse our direction in the use of technology in healthcare. Digitalisation, technology and use of data in healthcare have brought many benefits to patients. We cannot return to the days of paper and pencil.

IT systems have allowed us to greatly improve the safety and effectiveness of patient care. During an emergency where a patient is unconscious, access to his medical history in the NEHR helps doctors prescribe more effective medication and treatment in a timely manner.

Data analytics helps us to better understand disease patterns and plan ahead to meet our needs in the future. Automation improves productivity, reduces human errors and enables patients to receive better care.

When patients receive care beyond the hospital, integration of IT systems allows easier referrals across settings and enables better team-based care and more effective emergency response.

These have to be matched with efforts to continually improve our ability to secure patients’ data, and the increasing robustness of the systems to deal with a constantly evolving cyber security threat.

In his Ministerial Statement, Mr Gan consolidated answers to the questions posed by several Members of Parliament (MPs) regarding the SingHealth cybersecurity fiasco.

Tanjong Pagar GRC MP, Dr Chia Shi-Lu, asked Mr Gan how the Ministry plans to assess that the data have not been tampered with, and whether subversive latent programmes have infiltrated SingHealth’s network. He also asked whether the security breach has opened a pathway to unauthorised access through SingHealth’s system.

Tanjong Pagar GRC MP, Ms Joan Pereira, asked Mr Gan about the steps that will be taken to ensure that the data on the National Electronic Health Record (NEHR) system is protected from cyberattacks, as well as what systems are in place to determine whether medical records have been tampered with. She also enquired about the measures that will be taken to safeguard the interests of patients whose data are contained in the records, in the event of a data leak or any unauthorised alteration of personal information or medical records.

MP for Holland-Bukit Timah GRC, Mr Christopher de Souza, asked Mr Gan about MOH’s discoveries in the investigations to date, and the Ministry’s plan for preventing similar occurrences in the future.

MP for Aljunied GRC, Ms Sylvia Lim, probed Mr Gan on the significant delay in alerting the public to the cyberattack affecting SingHealth’s database from the time the breach was discovered.

Non-Constituency MP, Assoc Prof Daniel Goh Pei Siong, asked Mr Gan whether the security measures implemented after the cyberattack on the SingHealth system have affected waiting time and consultation time at public hospitals and polyclinics.