Singapore health authority hit by massive cyber attack

By on 26/07/2018
Hackers have stolen the personal data of around a quarter of the population of Singapore from government computers (Image courtesy: Mike Schmid/Flickr).

Security has been stepped up on government IT systems following a major cyber attack on Singapore’s Ministry of Health which compromised the data security of around 1.5 million patients, including the prime minister.

Singaporeans who visited outpatient clinics between 1 May 2015 and 4 July 2018 have had their personal details taken, including name, identity card number, address, gender, and data of birth. Details of the medicines prescribed to around 160,000 patients were also taken.

No records were amended or deleted, and diagnosis, test results and doctors’ notes were not touched, according to a joint statement from the Ministry of Health (MoH) and the Ministry of Communications and Information.

The attack specifically targeted prime minister Lee Hsien Loong’s personal details and outpatient dispensed medicines, the statement added.

“Deliberate and well-planned”

The Cyber Security Agency of Singapore and the Integrated Health information System (IHiS) have investigated the data breach, which took place between 27 June and 4 July 2018. They concluded that the attack was deliberate and well-planned, and not the work of casual hackers or criminal gangs.

The data was accessed through a particular workstation, after hackers obtained account credentials to access the database.

Steps have since been taken to tighten security of the department’s IT systems, including temporarily banning staff from accessing the internet. Restrictions have been put in place on workstations and servers, while employees’ accounts have been reset and extra monitoring controls installed. Similar measures are being rolled out to the wider public healthcare sector.

MoH has directed IHiS to conduct a thorough review of the public healthcare system to strengthen its protection against cyber attacks. Cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities will all be assessed. Advice has been sent to all healthcare institutions on precautions to take against cyber attack.

A police investigation is underway, and the minister of cyber security will establish an independent inquiry into the incident.

The MoH is contacting all patients who visited its clinics from 1 May 2015 to 4 July 2018 to notify them if their data had been illegally accessed.

“There has been no disruption of healthcare services during the period of the cyberattack, and patient care has not been compromised,” it said in its statement.

Anonymous threat

The government of Singapore has previously expressed concerns over cyber security, according to the BBC. A cyber attack last year targeted the defence ministry but only got basic information on military conscripts, it said.

In 2013, the prime minister’s official website was targeted by people claiming to be members of the hacking group Anonymous. The group had earlier threatened to target infrastructure in Singapore in a protest against licensing regulations on news websites, the BBC said.

In February, Singapore introduced legislation to require owners of computer systems involved in providing public services to meet a set of standards on cyber security. A cyber security tsar was appointed with wide-ranging powers to seize confidential information and impose penalties.

Singapore is widely regarded as a world leader on digitising government, and the data breach will raise concerns worldwide around governments’ ability to securely hold digital information on service users.

About Catherine Early

Catherine Early is a journalist and editor specialising in government policy and regulation. She writes predominantly about environmental issues and has worked for the Environmentalist, the ENDS Report, Planning magazine and Windpower Monthly, and also written for the Guardian, the Ecologist and China Dialogue.

Leave a Reply

Your email address will not be published. Required fields are marked *

*