SingHealth COI: Communication problems hampered data breach response, says expert witness

Hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people during the cyber attack in June 2018. PHOTO: ST FILE

SINGAPORE - To bolster their cyber defences, organisations should put in place a centralised incident management and tracking system that logs all incidents during a breach.

This was the recommendation made to a high-level Committee of Inquiry (COI) looking into June's SingHealth data breach. It found that disorganised communication contributed to a delay in mitigating actions during Singapore's worst cyber attack.

The use of different platforms like WhatsApp, TigerConnect and e-mail to communicate also meant that valuable details about the attack were lost, a cyber-security expert told the panel.

Mr Vivek Chudgar, senior director of Mandiant Consulting, a unit of cyber-security company FireEye Inc, said on Tuesday (Nov 13): "It is because that communication was ad hoc that several details were missed, and several dots were not connected."

Hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, during the attack.

The lack of a centralised communication platform meant that staff communicated in different ways.

In previous hearings, the COI heard from witnesses who said that in addition to instant messaging platforms and e-mail, staff also communicated important information pertaining to the attack in person and via phone calls.

Mr Chudgar said: "Such an ad hoc approach leads to the loss of certain details that might not have been captured."

He added that communication problems also meant that important action items were not tracked and followed up on.

The COI has heard that several staff of Integrated Health Information Systems (IHiS), Singapore's central IT agency for the healthcare sector, discovered signs of a breach occurring in June, though no action was taken until later in July.

Organising the updates from staff would have gone "a long way" in helping with the response, said Mr Chudgar. He added that an organisation the size of SingHealth needs to have a way to capture and reference this information easily as it would help with investigations and prevent similar incidents.

But Mr Chudgar, who was involved in the investigations of several cyber attacks - including 2016's Bangladesh Bank robbery where hackers fraudulently withdrew close to US$1 billion (S$1.4 billion) - commended the activity logs that IHiS had already put in place.

"Frequently, when we investigate, such logs are missing," he said.
