DPM Teo Chee Hean: Delinking PCs from Net would have disrupted cyber attack

Deputy Prime Minister Teo Chee Hean said much was being done to prevent a future cyber attack, but emphasised that Singapore cannot let the incident derail its Smart Nation push.
ST PHOTO: ARIFFIN JAMAR

Privacy watchdog looking into possible security lapses; COI members named

Cutting off Internet access on public healthcare computers could have disrupted the cyber attack that led to the most serious data breach in Singapore's history, Deputy Prime Minister Teo Chee Hean said yesterday.

"We could and should have implemented Internet surfing separation on public healthcare systems just as we have done on our public sector systems," said DPM Teo, who was the minister-in-charge of the civil service when the computers were delinked from the Internet.

"This would have disrupted the cyber kill-chain for the hacker and reduced the surface area exposed to the attack. This has now been done," he said at the Public Service Engineering Conference 2018.

He disclosed that the attackers had gained entry into the SingHealth system through one of the front-end computers connected to the Internet used by "thousands of users in the medical and academic community".

The incident had exposed weaknesses in the end-user workstations of the public health sector, he added.

The attack, which led to the data leak involving 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, took place between June 27 and July 4. It was made public last Friday.

Yesterday, more details of widening investigations into the breach came to light.

The privacy watchdog, the Personal Data Protection Commission (PDPC), is looking into whether there were security lapses in healthcare group SingHealth and the Integrated Health Information Systems (IHiS), the technology outsourcing arm of public hospitals.

The PDPC will assess if SingHealth and IHiS had properly secured patients' personal data and whether they are liable for a fine of up to $1 million under the Personal Data Protection Act.

The commission will take into account the report of the Committee of Inquiry (COI), which will be headed by former chief district judge and current Public Service Commission member Richard Magnus.

In convening the COI, whose members were named yesterday, Minister-in-charge of Cyber Security and Minister for Communications and Information S. Iswaran said: "It is an important step in getting to the bottom of the incident and keeping Singaporeans' trust in our systems."

The committee will recommend ways to better protect IT systems in the public sector and submit its report to Mr Iswaran by year-end.

"It is crucial that we do not allow this incident, or any others like it, to derail our plans for a Smart Nation," said Mr Iswaran.

Meanwhile, the Monetary Authority of Singapore (MAS) has asked financial institutions here to immediately tighten their customer verification processes to make sure they are not vulnerable to similar attacks.

Financial institutions should conduct customer verification using tools like one-time passwords instead of relying on data such as NRIC number, address and date of birth, which might already have been stolen, MAS said.

A version of this article appeared in the print edition of The Straits Times on July 25, 2018, with the headline 'DPM: Delinking PCs from Net would have disrupted attack'.