31 January, 2019
The body behind the operation of several hospitals and other health institutions in Singapore and the city state's central national IT agency for the public healthcare sector have been fined a total of SIN$1 million ($739,000) over data security failings that enabled a hacker to access the personal data of nearly 1.5m people.
The Personal Data Protection Commission (PDPC) of Singapore imposed separate fines on SingHealth and Integrated Health Information Systems (IHiS) in a case the watchdog described as "the worst breach of personal data in Singapore’s history".
The PDPC said (52-page / 710KB PDF) both SingHealth and IHiS were responsible for failing to make reasonable security arrangements to protect personal data of individuals, in breach of their obligations under Singapore's Personal Data Protection Act. It fined SingHealth SIN$250,000 ($185,000) and IHiS SIN$750,000 ($554,000) in relation to the failings.
The PDPC's decision to issue fines was published after a committee set up to investigate the causes of the data breach and what lessons could be learned for the future concluded its inquiry.
"These are record fines and reflect the magnitude of the breach and more importantly the findings of the inquiry committee," said technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, the law firm behind Out-Law.com. "Organisations should note that the penalty imposed also reflects the trend that we are seeing of increasing fines as any honeymoon period for compliance is clearly over."
Details of the "deliberate, targeted and well-planned cyber attack", as it was labelled at the time by the Singapore government, were made public in July 2018.
The attack compromised the personal data of 1,495,364 people and led to outpatient prescription information for nearly 160,000 people being "exfiltrated".
The attackers carried out the cyber attack by infecting workstations with malware and moving laterally in the SingHealth network between December 2017 and May 2018, and escaped detection by using techniques typical of a "skilled and sophisticated threat actor", according to the PDPC's report.
Once inside the network the attackers exploited inactive administrator accounts to remotely log in to a server that contained a link to another system containing SingHealth's electronic medical records (EMR) database. Multiple attempts were made to access the data in the EMR system via that link between 27 June and 4 July last year.
These unusual activities were finally detected on 4 July and terminated by a database administrator at IHiS. Immediate security measures were also taken by the IHiS staff to limit the spread of the attack, including changing the passwords of all administrators and shutting down the server with the unwanted link to the EMR database.
However, the PDPC's report identified failings in how both IHiS and SingHealth responded to the incident, with neither the chief executive of IHiS nor group chief information officer at SingHealth alerted to the breach until the night of 9 July 2018.
The PDPC reserved particular criticism for SingHealth's cluster information security officer (CISO) who had been aware of the activities of the attackers prior to then.
"Even though the SingHealth CISO was informed of suspicious activities showing multiple failed attempts to log in to the … database using invalid credentials, or accounts that had insufficient privileges in mid-June 2018, and the attack and remediation efforts on 4 July 2018, the SingHealth CISO did not escalate these security events," the PDPC said.
"Rather, he wholly deferred to the [security incident response manager's (SIRM's)] assessment as to whether an incident was reportable (who operated erroneously under the misapprehension that a cyber security incident should only be escalated when it is 'confirmed') when he should have exercised independent judgement to escalate the incident to the SingHealth GCIO," the watchdog said.
The PDPC said SingHealth's CISO had not complied with incident response policy and that it appeared he "failed to understand the significance of the information provided to him or to grasp the gravity of the events that were happening".
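The pattern the PDPC describes, repeated failed logins using invalid credentials or under-privileged accounts against a database, with escalation withheld until an incident was "confirmed", is one that a detection rule can escalate on suspicion instead. The following is an added example, not code from the PDPC report, SingHealth or IHiS, run over constructed log lines with a hypothetical list of dormant administrator accounts: failures against a dormant admin account are escalated immediately, and any other account after a burst of failures.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the PDPC report): "timestamp account result source".
SAMPLE_LOG = """\
2018-06-11T09:00:01 svc_backup FAIL_BAD_PASSWORD 10.0.5.12
2018-06-11T09:00:07 svc_backup FAIL_BAD_PASSWORD 10.0.5.12
2018-06-11T09:00:15 svc_backup FAIL_INSUFFICIENT_PRIV 10.0.5.12
2018-06-11T09:00:20 svc_backup FAIL_BAD_PASSWORD 10.0.5.12
2018-06-11T09:30:00 alice OK 10.0.7.3
2018-06-11T09:31:00 alice FAIL_BAD_PASSWORD 10.0.7.3
2018-06-11T09:31:05 alice OK 10.0.7.3
2018-06-11T10:00:00 bob FAIL_BAD_PASSWORD 10.0.9.8
2018-06-11T10:00:30 bob FAIL_BAD_PASSWORD 10.0.9.8
2018-06-11T10:01:00 bob FAIL_BAD_PASSWORD 10.0.9.8
"""

# Constructed: privileged accounts with no legitimate use inside the dormancy period.
DORMANT_ADMINS = {"svc_backup"}


def parse(log):
    """Turn the log text into (timestamp, account, result, source) tuples."""
    events = []
    for line in log.splitlines():
        ts, account, result, source = line.split()
        events.append((datetime.fromisoformat(ts), account, result, source))
    return events


def find_escalations(events, dormant_admins, threshold=3, window=timedelta(minutes=10)):
    """Pick accounts to escalate on suspicion, not on 'confirmation'.
    Any failure against a dormant admin account escalates at once (it should never
    be in use); other accounts escalate after `threshold` failures inside `window`,
    so a single mistyped password followed by a successful login is ignored."""
    alerts = {}
    recent = defaultdict(list)  # account -> timestamps of failed attempts in window
    for ts, account, result, source in events:
        if result == "OK":
            continue
        recent[account] = [t for t in recent[account] if ts - t <= window] + [ts]
        count = len(recent[account])
        if account in dormant_admins:
            reason = "failed login against dormant admin account"
        elif count >= threshold:
            reason = f"{count} failed logins within {window}"
        else:
            continue
        alerts[account] = {"account": account, "failures": count,
                           "source": source, "reason": reason}
    return list(alerts.values())
```

On the constructed log this escalates svc_backup (dormant admin, four failures) and bob (three failures in one minute) and ignores alice's single mistyped password.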
Both SingHealth and IHiS apologised to patients over the data breach and said they accepted the PDPC's decision.
Professor Ivy Ng, group chief executive of SingHealth, said, "Our primary obligation is to our patients and we take our responsibility to protect their data very seriously. We are making changes to enhance our cybersecurity governance structures and improve management oversight of our critical systems. We are also working with IHiS to comprehensively upgrade our cyber defence systems and processes to more effectively guard against cybersecurity risks, as well as to respond in a timely and robust manner to any intrusion."
"We are fully committed to learning and improving from this incident. We will embed cybersecurity consciousness into our daily operations and ensure that stringent measures are in place to safeguard our patients’ data," Ng said.
Bruce Liang, IHiS chief executive, said: "We have learnt a lot about advanced cyber attack operation, as well as about our own weaknesses. We are determined to improve as an organisation. We are also resolute in partnering the healthcare family to transform our cyber defence capabilities in order to protect the well-being of our patients."
For further information please contact:
Bryan Tan, Partner, Pinsent Masons MPillay
bryan.tan@pinsentmasons.com