Top-secret report on SingHealth attack submitted to Minister-in-charge of Cyber Security

The high-level COI was appointed on July 24 to shed light on what led to the cyber attack on public health cluster SingHealth.
The high-level COI was appointed on July 24 to shed light on what led to the cyber attack on public health cluster SingHealth.PHOTO: ST FILE

SINGAPORE - A report providing a thorough account of events that led to the cyber attack on SingHealth's patient database has been submitted to Minister-in-charge of Cyber Security S. Iswaran.

The report, which is classified top secret, sums up and assesses the evidence collected over 22 days of mostly public hearings from 37 witnesses, and offers recommendations on ways to secure huge databases to avoid a similar incident.

In a letter to Mr Iswaran on Monday (Dec 31), the four-member Committee of Inquiry (COI) appointed to look into the incident said: "This report contains sensitive information, and is hence classified 'Top Secret'."

"The contents of the report are the unanimous view of all members of the Committee," it added.

The full report on the attack, which is believed to be state-sponsored and the act of sophisticated hackers, is not being published for national security reasons.

However, the COI will release a public version of the report, including all its recommendations, by Jan 10, said a Ministry of Communications and Information spokesman. It will be accessible at http://mci.gov.sg/coireport.

Mr Iswaran, who is Minister for Communications and Information, and Minister for Health Gan Kim Yong, are expected to respond to the report in Parliament when the House sits in January.

 
 
 

In a letter thanking the COI for its report, Mr Iswaran said the panel has examined in great detail the responses to the incident and submitted a comprehensive set of recommendations to better manage and secure the IT systems of SingHealth, as well as those of other public healthcare clusters and the public sector, against similar attacks.

"The COI report is the result of an extensive fact-finding process and a rigorous inquiry over the past five months... Many more weeks were spent deliberating and finalising the report," he said.

"The Government takes cyber security with utmost seriousness," Mr Iswaran added.

"We will learn from this incident and take measures to further strengthen our public sector IT systems and uphold the trust of Singaporeans."

The high-level COI, chaired by retired senior judge Richard Magnus and comprising Mr Lee Fook Sun, Mr T. K. Udairam and Ms Cham Hui Fong, was appointed on July 24 this year to shed light on what led to the cyber attack on public health cluster SingHealth, which was Singapore's worst data breach.

In June, hackers stole the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.

In his closing remarks on the last day of the COI hearings on Nov 30, Mr Magnus said that organisations must assume that they are already under cyber attack by proactively identifying and mitigating breaches.

Solicitor-General Kwek Mean Luck from the Attorney-General's Chambers, which led the evidence for the COI, had also spoken about the importance of organisational culture. He emphasised that cyber defence is everyone's job and not just that of the IT department. Mr Kwek also outlined 16 recommendations, including improving staff's cyber security awareness and performing enhanced checks.

Organisational culture became a key focus, as people are at the heart of all processes and systems. People click on links in e-mails, and people interpret data such as unusual traffic trying to access a database.

During the COI hearings, one issue that came under scrutiny was how staff at the Integrated Health Information Systems (IHiS), Singapore's central IT agency for the healthcare sector, reacted to suspicious network activities.

The COI heard that hackers first intruded into SingHealth's network in August 2017 after a user from the Singapore General Hospital fell prey to a phishing attack. The COI also heard that a middle manager of cyber security at IHiS, Mr Ernest Tan, was alerted to suspicious network activities as early as June 13 by his subordinate, system engineer Benjamin Lee.

But Mr Tan did not report them to higher management even after Mr Lee repeatedly said that the network was under attack. Mr Tan said he did not realise the severity of the incidents though he was told that attempts had been made to access 100,000 patient records.

Intrusions into SingHealth's electronic medical records system - billed as the crown jewels of its network - began on June 27 but were discovered only on July 4 and terminated that day by a junior staff member, IHiS database administrator Katherine Tan.