2018 SingHealth data breach

Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied.

[4] Having ascertained that a cyberattack occurred, administrators notified the ministries and brought in the Cyber Security Agency (CSA) on 10 July to carry out forensic investigations.

[4] On 6 August 2018 in Parliament, S. Iswaran, Minister for Communications and Information, attributed the attack to sophisticated state-linked actors who wrote customized malware to circumvent SingHealth's antivirus and security tools.

Eventually, the cyberattacker successfully gained entry through a coding vulnerability on 26 June and then sent SQL queries until 4 July, when this was stopped by an administrator.

[14][15][16] At the next hearing on 24 September, it was revealed that Prime Minister Lee Hsien Loong's personal data and outpatient records, along with those of two other unnamed people, were searched by hackers who infiltrated the servers using NRIC numbers.

An assistant lead analyst who detected unusual activity investigated further even though that was outside his scope, and sent alerts to different divisions to find staff who could make sense of those queries.

[17][18] On the third day, a cybersecurity employee at IHiS, who was on holiday when the incident happened, did not follow up after having read the emails, as it was thought to be a collection of data from workstations for investigation.

For instance, meetings with the security management department were not conducted regularly, and no framework was created to set out appropriate responses to cybersecurity risks or to appoint covering officers if any staff went on leave.

[20][21][22] It was also revealed on the fifth day that a server exploited by hackers had not received security updates for more than a year, since May 2017, due to the WannaCry ransomware attacks, whereas patches were normally applied several times a month.

Another pointed out that annual cybersecurity exercises are mandated for critical information infrastructure (CII) operators, so staff should be able to identify advanced persistent threats (APTs).

[33] It was pointed out the next day that even if the weaknesses were found, they might not be fixed as quickly as expected, as public healthcare institutions operate around the clock, resulting in little downtime.

[34] Later in the hearings, SingHealth executives said that they will enhance cyber safety awareness for all employees, as well as roll out new systems to capture patients' data rigorously.

More townhalls will be held to update employees about the latest cyber threats, with log-in messages strengthened to reinforce the importance of data protection.

[35][36] More cybersecurity exercises simulating data breaches were called for in a subsequent hearing, as these would allow professionals to become more familiar with what to do if a similar incident happens again.

[37] Towards the final hearings, a former National Security Agency director suggested having the Government and industry partners work together and share information to learn and update each other about new threats that pop up.

In the same hearing, the Ministry of Health's chief data advisor pointed out that Internet separation resulted in longer wait times for patients, declined productivity, increased staff fatigue and new cyber risks, especially when anti-virus software updates are done only on some computers instead of all within the network.

Lastly, even if measures were put in place to slow down cyberattacks, it is important to note that the attack was done via an advanced persistent threat (APT).

[49] On 15 January 2019, S. Iswaran, Minister for Communications and Information, announced in Parliament that the Government accepted the recommendations of the report and will fully adopt them.

[50] Separately, Gan Kim Yong, Minister for Health, announced that changes to enhance governance and operations in Singapore's healthcare institutions and IHiS will be made.

All public healthcare staff will remain on Internet Surfing Separation, which was implemented immediately after the cyberattack, and the mandatory contribution of patient medical data to the National Electronic Health Record (NEHR) system will continue to be deferred.

[52] The attack led to a two-week pause in Singapore's Smart Nation initiatives and a review of the public sector's cyber-security policies during that time.

Plans to pass laws in late 2018 making it compulsory for healthcare providers to submit data regarding patient visits and diagnoses to the National Electronic Health Record system were postponed.

Eighteen other measures have also been put in place, including two-factor authentication for all administrators, proactive threat hunting and intelligence, allowing only computers with the latest security updates on hospital networks, and new database activity monitoring.

Studies are being done on keeping the Internet Separation Scheme (ISS) permanent in some parts of the healthcare system, with a virtual browser being piloted as an alternative.