SingHealth said it plans to introduce a series of measures for all 28,000 employees to deepen their understanding of cyber safety, after hackers used a phishing ploy to enter its network and mount Singapore's worst-ever data breach.
Singapore's largest public healthcare network will also roll out a new system to capture patients' contact details rigorously, drawing on lessons learnt from its unsuccessful attempts to contact 2.9 per cent of 2.16 million patients, most of whom were affected by June's cyber attack.
These moves were revealed yesterday by two senior executives at SingHealth who had testified before a high-level panel looking into the cyber attack, which compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people.
Asked before the Committee of Inquiry (COI) yesterday what lessons were learnt from the incident, Professor Ivy Ng, SingHealth group chief executive, said it was the fact that it did not have the updated contact details of all patients.
"A significant number of people had undeliverable messages," said Prof Ng, pointing to wrong mobile phone numbers and residential addresses.
As such, SingHealth will roll out a new system next year to let patients update their own personal particulars, including contact numbers and addresses. Currently, it must be done over the counter.
Following the attack, the healthcare group has been using SMS to remind patients to provide it with updated contact details.
Professor Kenneth Kwek, SingHealth's deputy group chief executive (organisational transformation and informatics), who also took the stand, spoke about the need to deepen all employees' understanding of cyber safety.
PUBLIC OUTREACH EFFORTS
Patients with valid mobile numbers whom SingHealth contacted.
Letters sent to patients with no mobile numbers or wrong ones in SingHealth records.
Number of checks patients made on the HealthBuddy app and SingHealth website to determine whether they are affected by the data breach.
Number of calls made to SingHealth's hotlines and call centres.
Number of inquiries received about the incident at the assigned e-mail address.
Number of leaflets picked up by patients detailing how they are affected by the cyber attack.
Although the healthcare group said it currently has cyber-security training activities as part of the orientation programme for employees, and also regularly conducts phishing simulation exercises to train them to be more vigilant, more needs to be done.
Among other things, he said, more town halls will be held to provide information on new cyber-security and ransomware threats.
Since 2016, employees logging into the network have been greeted by a message on their computers reminding them of the importance of cyber hygiene.
However, the language of this message will now be "strengthened" and the message made more prominent.
SingHealth will also adopt a storytelling format in engaging its employees on cyber-security matters and explaining the impact of breaches, Prof Kwek said, noting that this format relates better to employees and patients alike.
"Staff already knew that data protection is an important part of patient clinical care... We want to deepen this understanding," he told the panel.
The healthcare group regularly conducts phishing simulation exercises to train its employees to be more vigilant. For instance, six phishing exercises were conducted between 2015 and September this year.
"Staff who responded to phishing e-mails twice or more are given additional attention. They are requested to attend IT security briefings to become more aware of the risks," he said.
In a recent exercise in February, employees who fell prey to phishing also received a formal letter, with a copy sent to their direct supervisor. The letter was signed by Prof Kwek and Mr Benedict Tan, the SingHealth cluster's group chief information officer.
Yesterday, both Prof Ng and Prof Kwek said they were "amazed" and "gratified" respectively by the willingness of SingHealth employees to step up in the aftermath of the cyber attack.
The senior executives noted that many employees pulled long hours and also accepted the loss of productivity that came with the sudden implementation of Internet surfing separation.