The cyber attack on SingHealth's network in June has prompted a slew of new security measures at its IT vendor, including a requirement to report suspicious IT incidents within 24 hours.
In a statement yesterday, Integrated Health Information Systems (IHiS) - which runs the IT systems of all public healthcare operators here - said the new procedure, along with 18 other new technical measures, will "reduce the risks and impact of human errors".
Its statement comes amid an ongoing Committee of Inquiry (COI) into the cyber attack that led to the biggest data breach here.
Testifying before the COI panel yesterday, IHiS chief executive Bruce Liang said it needs to promote a culture that accepts the reporting of suspicious activities even if they may be a false alarm.
"It is okay to report things you are not sure about," he said when Solicitor-General Kwek Mean Luck asked what steps he would take to avoid delays in reporting suspicious incidents in future.
A lack of awareness about the seriousness of the attack and a tardy response by IHiS staff are among the issues that have been highlighted during the COI since it began on Aug 28. For instance, suspicious network activities were detected as early as June 11, but senior staff failed to alert higher management until July 10.
From June 27 to July 4, hackers made away with SingHealth's "crown jewels": the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.
Since the attack, IHiS - which is owned by MOH Holdings, which is in turn owned by the Government via the Ministry of Finance - has stepped up its defences. As of late last month, it has rolled out, across all 6,000 servers and 60,000 endpoint devices in all public healthcare institutions, more sophisticated malware blocking that identifies threats by their techniques.
More new measures are afoot.
For one thing, two-factor authentication will be set up for all administrators who manage some 60,000 endpoint devices, such as workstations and laptops in public hospitals, to thwart sophisticated hackers.
This means administrators will need to enter a one-time password, either generated by a security token or delivered by SMS, to log in to systems to reset passwords or install software, among other administrative tasks.
IHiS' security operation centre will also have advanced features including proactive threat hunting and intelligence to catch malicious activities that might have evaded detection. These defence mechanisms are aimed at thwarting state-sponsored advanced persistent threat actors, believed to be behind the SingHealth attack.
Access control will also be enhanced to allow only computers that have the latest security updates to plug in to hospital networks. Machines that are not adequately protected will need the necessary security patches before they can rejoin the network.
The COI heard previously that a server exploited by hackers to reach SingHealth's critical system had not received the necessary security software updates for more than a year.
A database activity monitoring system will also be rolled out to detect suspicious bulk queries to patient databases. IHiS does not have such automation at present, even though it handles an average of 42,000 queries per second.
Temporary Internet surfing separation (ISS) was implemented across all public healthcare institutions following June's attack. Studies are under way to keep ISS a permanent measure in some parts of the public healthcare system.
An alternative approach is to use virtual browsers that allow users to access the Internet safely via quarantined servers to limit the number of potential attack points.
The Health Ministry is piloting a virtual browser system, scheduled to be completed by the middle of next year, said IHiS.