SingHealth cyber breach

Internet access to be delinked by next week

Staff will not be able to access the Internet from their work computers once Internet access is delinked at all public healthcare clusters.
Staff will not be able to access the Internet from their work computers once Internet access is delinked at all public healthcare clusters. ST PHOTO: SEAH KWANG PENG

Staff at all public healthcare clusters will have their Internet access temporarily delinked by next week, as part of efforts to tighten security following the nation's most serious cyber attack.

SingHealth, which runs four hospitals, five national speciality centres and eight polyclinics, was the first to pull the plug, imposing Internet surfing separation at midnight on Thursday.

The largest healthcare cluster in Singapore was the target of hackers, who obtained the personal particulars of more than 1.5 million of its patients, including Prime Minister Lee Hsien Loong.

The other two public healthcare groups, National Healthcare Group and National University Health System, will follow suit by early next week. This means staff will not be able to access the Internet from their work computers.

Health Minister Gan Kim Yong said at a multi-ministry press conference yesterday that delinking internal networks from the Internet is "not a trivial matter", as it has implications for both patients and healthcare professionals.

For example, it may lead to slower online payments, he said. Nevertheless, this step had to be taken in the interest of patient safety. Said Mr Gan: "The uppermost consideration is to ensure that the clinical care for our patients is not compromised."

However, the cyber attack was unrelated to the NEHR system, said the Integrated Health Information Systems (IHiS), which runs the IT systems of public health institutions.

All public health institutions are linked to the National Electronic Health Record (NEHR) system, which compiles patient records from different providers for seamless care. "However, security monitoring and vigilance of other public healthcare systems such as the NEHR have been stepped up," said a spokesman for the Ministry of Health (MOH).

The ministry had earlier announced plans to make NEHR mandatory for all health providers under a new legislation slated to be tabled in Parliament this year. But MOH and IHiS will now "take a pause" as an added precaution, said the spokesman. "We will do a thorough review of the robustness of its cyber safeguards, before proceeding to broader implementation of mandatory NEHR contribution."

Except for this, the NEHR will continue running normally. More than 1,200 institutions, from hospitals to general practices and nursing homes, currently have access to the system which contains more than seven million unique patient records.

Health providers either upgrade their own information systems or buy software to synchronise them with the NEHR.

Mr Phua Tien Beng, chief executive officer of Parkway Pantai's Singapore operations division, said the private healthcare group has taken its own precautions in the light of the incident. "We have suspended Internet access from our internal network and will be putting in place separate devices that will be physically segregated from our company networks for those who need Internet access for work," said Mr Phua.

Mr Tseng Ching-Tse, founder of medical information technology company Vault Dragon, said a review would be timely. "This incident has raised concerns among healthcare providers and digital health solution providers over the security of patient data that will be shared under the NEHR programme," he said.

• Additional reporting by Linette Lai

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on July 21, 2018, with the headline Internet access to be delinked by next week. Subscribe