IHiS, SingHealth fined $1m; new cyber security steps taken

Healthcare sector looking at tiered Net access to minimise risks in the wake of data breach

The cyber attack on SingHealth in June 2018 compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong. PHOTO: ST FILE

The fallout from the SingHealth data breach continues to reverberate across the healthcare sector, with Singapore's privacy watchdog dishing out hefty fines totalling $1 million against those responsible for the lapse and a slew of cyber security measures being rolled out to safeguard critical systems.

Updating Parliament yesterday on the heels of a detailed report by the high-level Committee of Inquiry (COI) that investigated last June's cyber attack on SingHealth, Singapore's largest healthcare cluster, two ministers acknowledged the shortcomings that had been identified and detailed the steps being taken to rectify them.

Minister-in-charge of Cyber Security S. Iswaran and Minister for Health Gan Kim Yong both said they had fully accepted the report issued last week by the COI.

They also told Parliament that the Personal Data Protection Commission (PDPC) had found both SingHealth and its IT vendor Integrated Health Information Systems (IHiS) guilty of failing to secure patient data. The cyber attack had compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

The COI had noted that SingHealth had delegated its cyber security operations entirely to IHiS and, given the severity of the lapses, the PDPC imposed its largest-ever fine of $750,000 on the technology vendor.

But it stressed that, as the owner of the patient data system, SingHealth also had a responsibility for the breach, and fined it $250,000 - its second-biggest fine to date.

"Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers," said the PDPC.

IHiS had disclosed earlier that it had fired two of its employees who were found to be negligent and imposed financial penalties on five members of its senior management team, including its chief executive.

Yesterday, Mr Gan said that even though the COI had not identified lapses among specific individuals within SingHealth, the healthcare cluster accepted its responsibility for the breach. "The SingHealth senior leadership has accepted a financial penalty," he said.

Mr Iswaran said that the measures recommended by the COI would help Singapore guard against malicious cyber activities, including from international attackers.

"A cyber attack of the scale and sophistication that was launched against SingHealth could also be mounted on any of our major IT systems, threatening the safety and security of Singapore and Singaporeans," he said.

To guard against it, there will be increased automation of the roll-out of software patches, and audits and drills will be intensified. Internet surfing separation and the use of a virtual browser are also in the works for the healthcare sector.

Elaborating on this, Mr Gan said that while temporary Internet surfing separation had been implemented across the public healthcare sector in the wake of the attack, it had posed challenges in areas such as emergency care and tele-consultations.

MOH was now looking at more long-term solutions. It was studying a tiered model of Internet access, in which some job roles might not need it, while for others, it could be managed through the use of separate devices with and without Internet surfing abilities.

In cases where staff like clinicians need access to the Internet and intranet on the same device, MOH is experimenting with using virtual browsers, which allow access to the Internet through strictly controlled client servers.

"This was not the first instances where we were targeted, and it will not be the last," said Mr Iswaran.

He added: "We cannot let incidents like this derail our Smart Nation initiatives that can enhance our economic competitiveness and deliver better public services."

Join ST's WhatsApp Channel and get the latest news and must-reads.

A version of this article appeared in the print edition of The Straits Times on January 16, 2019, with the headline IHiS, SingHealth fined $1m; new cyber security steps taken. Subscribe