Ministerial Statement on the Committee of Inquiry into the Cyber-Attack on Singhealth’s IT System
15 January 2019
Mr Speaker Sir,
1. Thank you for allowing me to make this statement on the Committee of Inquiry (COI) into the cyber-attack on SingHealth’s IT system.
Our Responsibilities to Our Patients
2. The healthcare system’s foremost priority is our patients’ well-being. This encompasses not just safe and effective care, but also the protection of their personal data. We, the healthcare family, have a responsibility to our patients to ensure both these aspects.
3. The cyber-attack on SingHealth’s IT system has resulted in the data of a large number of patients being illegally accessed. Once again, I apologise to our patients on behalf of our healthcare family. We are deeply sorry.
Our Responses Following the Incident
4. Minister Iswaran has provided a summary of the COI’s findings and recommendations. I would like to thank the Committee of Inquiry for its comprehensive work and detailed findings on the incident.
5. I agree with the COI that we were lacking in several areas.
Some of our IT personnel did not have sufficient levels of cybersecurity awareness, training and resources to respond to the attack. Certain staff with key roles in IT security incident response failed to take essential actions, resulting in missed opportunities to prevent the attack or minimise its impact.
There were vulnerabilities in our IT system that were exploited by the attacker. Examples include servers that were not adequately secured against unauthorised access, and weak passwords and administrator account controls.
There were gaps in the management of IT assets, compliance with security policies, as well as inadequate remediation of known system vulnerabilities.
6. The public healthcare family needs to do much better. I welcome the COI’s wide-ranging recommendations. These have been touched on by Minister Iswaran, so I will not go through them in detail.
7. I will instead focus on the healthcare family’s responses and follow-up actions. The COI findings and recommendations will play an important role in guiding our actions, and our cybersecurity direction going forward.
Measures Taken Following Cyber-Attack
8. Following the discovery of the cyber-attack, IHiS implemented several measures to tighten cybersecurity. These included:
Creating firewall rules to block further malicious callbacks to the suspected command and control servers.
Reloading servers with clean images to eliminate any remaining presence of the attacker.
Disabling the tool used by the attacker to enter the network.
Implementing temporary Internet Surfing Separation (ISS) for the public healthcare sector.
Accelerating the deployment of Client Advanced Threat Protection (ATP) to public healthcare servers and endpoint devices. ATP identifies threats based on the techniques used by more advanced threat actors, and is better able to detect customised hacking tools designed to bypass conventional defences.
IHiS has also improved its incident response processes and SOPs, with clearer channels of reporting and escalation criteria.
9. Subsequently, in November 2018, IHiS announced further measures, which are being implemented progressively across public healthcare agencies. Let me highlight a few key ones.
Database Activity Monitoring (DAM) has been implemented for the SingHealth electronic medical record database. DAM provides more comprehensive alerts and blocks database queries from unauthorised sources. DAM will be extended to the electronic medical record databases of all the other healthcare clusters by mid-2019.
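The paragraph above describes Database Activity Monitoring as alerting on, and blocking, queries from unauthorised sources. The block below is an added illustration of that kind of rule engine, written for this page and not IHiS’s or SingHealth’s DAM product. It runs over a constructed audit log in an assumed `timestamp|client_ip|db_user|rows_returned|sql` format, with an assumed allow-list of application hosts and sensitive table names, and it goes one step beyond the paragraph by also tracking cumulative reads per source, which catches many small queries that individually stay under a bulk threshold.

```python
"""Rule-based database activity monitoring over a constructed audit log.

Added example for illustration only (not a real DAM product's logic).
Rules: (1) block queries from hosts outside the application allow-list;
(2) alert on a single bulk read of a sensitive table; (3) alert once when a
source's cumulative reads of a sensitive table cross the same threshold.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit lines (assumed format; values are not from the incident):
# timestamp|client_ip|db_user|rows_returned|sql
SAMPLE_AUDIT_LOG = """\
2018-06-27T10:01:02|10.20.30.41|emr_app|1|SELECT name, nric FROM patients WHERE patient_id = 10042
2018-06-27T10:01:09|10.20.30.41|emr_app|12|SELECT * FROM dispensed_meds WHERE patient_id = 10042
2018-06-27T10:02:15|10.99.5.7|emr_app|0|SELECT name, nric, address FROM patients
2018-06-27T10:03:40|10.20.30.42|reporting|4000|SELECT * FROM dispensed_meds WHERE dispensed_on = '2018-06-01'
2018-06-27T10:03:52|10.20.30.42|reporting|4000|SELECT * FROM dispensed_meds WHERE dispensed_on = '2018-06-02'
2018-06-27T10:04:05|10.20.30.42|reporting|4000|SELECT * FROM dispensed_meds WHERE dispensed_on = '2018-06-03'
2018-06-27T10:04:20|10.20.30.42|reporting|150000|SELECT name, nric, address FROM patients
"""

# Assumed policy: application hosts permitted to query the EMR database at all,
# the tables holding patient data, and the row threshold that counts as "bulk".
AUTHORISED_SOURCES = {"10.20.30.41", "10.20.30.42"}
SENSITIVE_TABLES = {"patients", "dispensed_meds"}
BULK_ROW_THRESHOLD = 10_000

# Simplification: only the first table after FROM is extracted (no JOIN handling).
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


@dataclass
class Alert:
    timestamp: str
    client_ip: str
    rule: str
    action: str  # "block" or "alert"
    sql: str


def parse_line(line):
    ts, ip, user, rows, sql = line.split("|", 4)
    return ts, ip, user, int(rows), sql


def tables_in(sql):
    return {name.lower() for name in TABLE_RE.findall(sql)}


class DatabaseActivityMonitor:
    def __init__(self):
        # cumulative rows read per (client_ip, table) within the monitoring window
        self.read_totals = defaultdict(int)

    def process(self, line):
        """Evaluate one audit line; returns the list of alerts it raised."""
        ts, ip, _user, rows, sql = parse_line(line)
        if ip not in AUTHORISED_SOURCES:
            # Blocked before execution, so nothing is added to the read totals.
            return [Alert(ts, ip, "unauthorised_source", "block", sql)]
        alerts = []
        for table in tables_in(sql) & SENSITIVE_TABLES:
            if rows >= BULK_ROW_THRESHOLD:
                alerts.append(Alert(ts, ip, "bulk_sensitive_read", "alert", sql))
            before = self.read_totals[(ip, table)]
            self.read_totals[(ip, table)] = before + rows
            # Fire once, at the moment the cumulative total crosses the threshold.
            if before < BULK_ROW_THRESHOLD <= before + rows:
                alerts.append(Alert(ts, ip, "cumulative_sensitive_read", "alert", sql))
        return alerts

    def run(self, log_text):
        alerts = []
        for line in log_text.strip().splitlines():
            alerts.extend(self.process(line))
        return alerts


if __name__ == "__main__":
    for alert in DatabaseActivityMonitor().run(SAMPLE_AUDIT_LOG):
        print(f"{alert.timestamp} {alert.action:5} {alert.rule:26} {alert.client_ip} :: {alert.sql}")
```

On the sample, the unauthorised host is blocked outright, the three 4,000-row reports from the reporting host trip the cumulative rule on the third query, and the final unfiltered read of the patients table trips both the single-query and cumulative rules. A production monitor would additionally key the totals on a time window and on the database user, not only the source address.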
IHiS has strengthened the security of domain controllers, by limiting login access and requiring two-factor authentication for administrative access. This has been fully implemented.
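The domain-controller measure above has two parts: restricting which accounts may log on, and requiring a second factor for administrative access. The block below is an added example of how those two checks compose, written for this page and not IHiS’s implementation. It uses time-based one-time passwords (RFC 6238, HMAC-SHA1) as the second factor; the account allow-list, the `authorise_dc_logon` function and the enrolled secret are assumptions, the seed being the RFC 6238 test seed so the codes can be checked against the published vectors.

```python
"""Allow-list plus TOTP second factor for privileged logon (added illustration).

Assumed: the directory has already verified the password (password_ok), and
only accounts on ADMIN_ALLOWLIST may log on to a domain controller at all.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SEED = b"12345678901234567890"  # RFC 6238 Appendix B test seed, not a real secret
# Assumed enrolment data: account name -> TOTP secret (constructed for the example)
ADMIN_ALLOWLIST = {"da-alice": RFC6238_SEED}
TIME_STEP = 30            # seconds per TOTP step
DIGITS = 8                # RFC 6238 vectors use 8 digits; deployments often use 6
ALLOWED_DRIFT_STEPS = 1   # accept one step either side to tolerate clock skew


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """TOTP (RFC 6238) with T0 = 0: the counter is the number of elapsed steps."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time):
    counter = int(unix_time) // TIME_STEP
    ok = False
    # Check every candidate (no early return) and compare in constant time.
    for delta in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta), code)
    return ok


def authorise_dc_logon(account, password_ok, code, unix_time=None):
    """Returns (allowed, reason). Every denial is explicit so it can be logged."""
    if unix_time is None:
        unix_time = time.time()
    secret = ADMIN_ALLOWLIST.get(account)
    if secret is None:
        return False, "account not on domain-controller logon allow-list"
    if not password_ok:
        return False, "first factor failed"
    if not verify_totp(secret, code, unix_time):
        return False, "second factor failed"
    return True, "allowed"


if __name__ == "__main__":
    now = 59  # RFC 6238 vector time: expected code 94287082
    print(totp(RFC6238_SEED, now))
    print(authorise_dc_logon("da-alice", True, totp(RFC6238_SEED, now), now))
    print(authorise_dc_logon("helpdesk-bob", True, totp(RFC6238_SEED, now), now))
```

The allow-list check runs first so that an account outside the privileged set is refused before any factor is evaluated, and a denial reason is returned rather than a bare boolean so that the logon attempt can be recorded with the reason in the domain controller's security log. Replay protection (refusing a code that has already been accepted within its step) is left out here and would be needed in a real deployment.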
10. In assessing and developing these measures, IHiS has benefited from the inputs and advice of the Cyber Security Agency (CSA). I would like to record our thanks for CSA’s support.
11. Parallel measures were also taken by SingHealth in patient engagement. SingHealth took steps to contact more than 2 million patients, and successfully reached around 97% of them. These include all patients who visited SingHealth Specialist Outpatient Clinics and polyclinics from the start of 2015 to the attack, including those whose data were not accessed, in order to reassure them.
12. SingHealth has since also taken steps to improve the accuracy of patients’ contact information for better patient engagement. For example, it has identified patients without valid contact details so that staff can update the patients’ contact details at their next visit. Since November 2018, SingHealth has been sending SMSes to all patients on the day of their outpatient appointments, to remind them to approach counter staff to update contact details if there are any changes.
13. SingHealth will be sharing their learning points with the other clusters, and we will be making similar improvements across public healthcare institutions.
Commissioning of Independent Reviews
14. On our part, MOH has initiated independent security reviews on key public healthcare IT systems to identify vulnerabilities and recommend measures to address them.
15. At a broader systemic level, MOH has appointed a Cybersecurity Advisory Committee to conduct a horizontal review of the cybersecurity governance structures and processes across the public healthcare clusters and IHiS.
16. The Committee is chaired by Prof Tan Chorh Chuan and comprises industry experts. It is supported by independent consultants from KPMG. The Committee has just submitted an interim update to me on the findings and recommendations. We will be studying these closely, and will start pursuing key interim proposals even as the Committee continues its work.
Further Plans In Response to COI Recommendations
17. Beyond our own plans and efforts, the COI report has provided us valuable inputs and useful recommendations. We will follow up on them, but I will highlight our thinking and plans in response to some of the key recommendations.
Enhancements to Governance and Organisational Structures
18. First, enhancing governance and organisational structures. The COI has recommended that we enhance our security structure and readiness across IHiS and the public healthcare institutions.
19. We need to better organise and govern our cybersecurity oversight and efforts, and give cybersecurity considerations more weight in decision making. It is an important area that is also being reviewed by the Cybersecurity Advisory Committee (CAC) I mentioned earlier.
20. The CAC has highlighted the need for clearer cybersecurity risk ownership and accountability between IHiS and the public healthcare clusters, underpinned by a strong relationship to avoid fragmenting our healthcare IT strategy. It also highlighted the need to elevate cybersecurity roles and functions to strengthen management oversight over cybersecurity, supported with the appropriate resources and expertise.
21. MOH agrees and we will implement the following organisational changes in line with these guiding principles:
At the Ministry, the MOH Chief Information Security Officer (CISO) is currently also the Director of Cyber Security Governance at IHiS. We will separate these roles. The MOH CISO will be supported by a dedicated office in MOH and report to the Permanent Secretary. The MOH CISO office will be the cybersecurity sector lead for the healthcare sector. It will coordinate efforts to protect Critical Information Infrastructure in the healthcare sector, and ensure that the sector fulfils its regulatory obligations under the Cybersecurity Act. For its part, IHiS will have its own separate Director of Cyber Security Governance.
At the clusters, the cluster Group CIO office will now be made fully accountable to the respective cluster management and Boards. The GCIO office will be adequately resourced to carry out its roles. The position of the Cluster Information Security Officer will be elevated to report directly to cluster management, and be accountable to the IT and Risk Management Committees of the cluster Boards.
22. Together, these moves will strengthen oversight and minimise potential conflicts of interest between cybersecurity and operational demands.
Cybersecurity Defence Model with Better Checks and Balances
23. Second, we will put in place a cybersecurity model with multiple lines of defence. The COI has recommended that the public healthcare sector review our cyber stack for adequacy in defending and responding to advanced threats, and subject the systems to tighter control and monitoring. The CAC too has highlighted the need for a more robust “Three Lines of Defence” model.
24. We agree, and we will establish a more robust “Three Lines of Defence” structure within public healthcare.
The first line comprises units and personnel who develop, deliver and operate the IT systems. This is the Delivery Group. We will strengthen the IT delivery group to better integrate cybersecurity into IT delivery initiatives, improve the management of network security, and increase emphasis on security architecture and monitoring.
The second line of defence comprises units and personnel who have the specific responsibility to oversee security strategy, risk management and compliance. We will strengthen and elevate this second line of defence by establishing a dedicated Cyber Defence Group in IHiS headed by a senior leader at or equivalent to the Deputy Chief Executive level. The strengthened group will have independent oversight of cybersecurity implementation, compliance and risk management, and will oversee incident reporting and management. This will ensure that cybersecurity is managed at the senior management level, and an appropriate balance is struck between service delivery and cybersecurity considerations.
The third line of defence comprises checks and assurances independent of IHiS and our healthcare clusters, and independent of the first two lines of defence. MOH Holdings Group Internal Audit will continue to play this role. We also intend to commission and tap on independent third parties where appropriate.
25. These changes will make our public healthcare system more resilient and robust against emerging and evolving cyber threats.
Improving Staff Awareness and Capacity
26. Third, we will improve our staff’s cybersecurity awareness and capacity. The COI has made several recommendations in this area. We agree that the ‘people’ element is foundational and critical to our cyber defences. Every user needs to be trained and equipped to understand the important role that they play in cyber defence.
27. For example, to raise the competence of our security incident response personnel, IHiS will engage specialist providers to conduct realistic hands-on “Cyber Range” simulation training starting this year. This will augment the classroom discussion style table-top exercises currently conducted for security incident response personnel.
28. We will also tap on the expertise of the wider cybersecurity community to test our systems. IHiS intends to learn from GovTech’s bug bounty and vulnerability disclosure programmes and start similar efforts. This will be a further step to ensure that our systems are tested, our people are ready to deal with new challenges, and our processes are robust.
Piloting Tiered Model of Internet Access
29. Next, we will pilot a tiered model of Internet access. In its report, the COI has recommended that an internet access strategy which minimises exposure to external threats should be implemented.
30. Following the cyber-attack, temporary Internet Surfing Separation (ISS) was implemented across our public healthcare sector. This was a necessary precaution as suspicious activity continued to be observed on the SingHealth systems, even after initial containment actions were taken. I had mentioned in my previous statement in this House that we would study the impact of ISS, determine whether ISS can be kept as a permanent measure, and if long term mitigation solutions can be developed to overcome the operational challenges arising from ISS.
31. While the implementation of ISS was necessary, it has indeed posed challenges in the provision of patient care in some areas such as emergency care, decision-support for prescriptions and treatments, access to patient education resources, and booking of clinical appointments. ISS also caused delays to frontline patient management and backend administrative tasks. Research and education initiatives in the public healthcare institutions have also been impacted by ISS.
32. Let me give you an example. ISS impacted the functionality of Internet-based video conferencing software used to conduct tele-consultation with the National Neuroscience Institute for suspected stroke patients. This software was used by some of our hospitals which do not have in-house specialist neurology capabilities as timely diagnosis is critical for stroke cases. A dedicated leased line to support high resolution video conferencing had to be provided to overcome this challenge.
33. Where possible, we have put in place fixes and workarounds like this to reduce the impact to patients and healthcare staff. I thank them for their cooperation and understanding during this period of time.
34. While we can continue to operate on this current model of ISS, we have been looking for longer term solutions that are more efficient and sustainable. We also need a solution that will allow us to implement new models of care in the future, such as telemedicine, that leverage on the Internet to improve patient care and services in the community.
35. This is why we have been experimenting with a “Virtual Browser” solution, even before the cyber-attack. A “Virtual Browser” allows access to the Internet through strictly controlled and monitored client servers. Let me explain what a “Virtual Browser” means. If we imagine loading a webpage or downloading a file from the Internet to be like receiving a letter, the client server is like a decontamination room where the letter is opened and only a picture is taken and sent to the recipient. The recipient reads the letter only via the picture that was taken, and does not touch the letter itself. This process makes things safer for the recipient as malicious material or hidden messages are left behind in the decontamination room. Although such a solution does not fully eliminate cybersecurity risks, it reduces the attack surface significantly, while minimising impact on service efficiency and patient care.
36. Our earlier trial conducted at the healthcare clusters has shown that a “Virtual Browser” is technically feasible. Our next step will be to run a pilot in an operational environment across different settings and healthcare roles, so as to assess its effectiveness in meeting both operational and cyber security needs.
37. If the Virtual Browser is found to be effective, we envisage putting in place a tiered model of Internet access among our healthcare staff in the longer term.
For some job roles, Internet access would not be required. For example, administrative staff handling certain backend tasks may not need Internet access for their routine work, and these staff will not be provided Internet access.
For a number of job roles, Internet access is required, but can be managed through the use of separate Internet and non-Internet facing devices. This would likely be the case for the majority. ISS will remain for this group and they will have access to the Internet via a separate device. We will further improve our current arrangements so as to make it more convenient for this group of users.
For some, access to the Internet and intranet systems on the same device is essential. This group could include clinicians who need to access the Internet for information from clinical reference databases and match them urgently against patients’ electronic medical records, such as information on new and complex drugs or obscure toxins. The Virtual Browser may be the best solution for this group.
38. The pilot will begin in this quarter at the National University Health System (NUHS). “Virtual Browsers” will be deployed in selected job functions at selected departments and clinics. Some of the job roles participating in the pilot include frontline pharmacists, and emergency department clinicians.
39. Apart from this small group of pilot Virtual Browser users, all other public healthcare staff will remain on ISS for now.
40. The conduct and evaluation of the pilot is expected to take about six months. We will work closely with CSA to assess the cybersecurity adequacy of the solution. We will also evaluate the effectiveness of the Virtual Browser. This will enable us to make a more considered decision on our Internet access model in public healthcare.
Continued Deferment of Mandatory Contributions to the NEHR
41. Earlier, I mentioned that we have also started independent security reviews of other key public healthcare IT systems. One such system being reviewed is the National Electronic Health Record (NEHR) system.
42. Over the past few months, the NEHR has been undergoing a series of cybersecurity assessments conducted by CSA, GovTech, and the independent firm PWC. These cover technical architecture design and existing cybersecurity measures. In addition, we are completing a series of penetration tests to uncover any security vulnerabilities that could be exploited in a cyber-attack.
43. The NEHR system will be subject to further testing and reviews, including exercises to test its defences against targeted attacks, as well as business continuity and disaster recovery plans.
44. I had informed this House in August that we would be deferring plans for mandatory contribution of patient medical data to the NEHR. As the NEHR is an important large-scale national system, we want to be fully assured that all the necessary safeguards are in place to handle the evolving cybersecurity threat landscape. We will therefore proceed with the introduction of the Healthcare Services Bill first, and continue to defer the NEHR mandatory contributions until we have completed these reviews.
45. Even as we conduct the reviews, IHiS will implement further enhancements to strengthen cybersecurity of the NEHR system. These include software and application upgrades, additional preventive and detection measures, and enhanced process and technical controls.
Ensuring Accountability
46. Mr Speaker Sir, the COI has identified inadequacies in specific individuals employed by IHiS in preventing and responding to the cyber-attack.
47. The IHiS Board has appointed an independent HR Panel to examine the roles, responsibilities and actions of specific individuals involved, and recommend the appropriate actions to be taken. The Panel was chaired by an IHiS Board member, and comprised two other members from the public and private sectors, with relevant HR and IT expertise.
48. In assessing the appropriate HR actions, the Panel considered whether the officers had acted in accordance with their job responsibilities. It also considered whether the officers’ action or inaction had contributed directly or indirectly to the outcome.
Disciplinary Actions and Penalties
49. The panel has submitted its recommendations to the IHiS Board, and the Board released its decision on this matter yesterday.
50. To recap, two IHiS staff – the Team Lead of the Citrix Team and the Security Incident Response Manager – were found to be negligent and non-compliant with orders.
While the Citrix Team Lead had the necessary technical competencies, his attitude and approach to management of the servers introduced unnecessary and significant risks to the system. He could have mitigated the impact of the attack if he had enforced proper compliance and exercised effective management of the servers.
The Security Incident Response Manager persistently held a mistaken understanding of what constituted a ‘security incident’, and when a security incident should be reported. His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have averted or mitigated the impact of the cyber-attack.
51. Their behaviour had significant security implications and contributed to the unprecedented scale of the incident. The employment of the Citrix Team Lead and the Security Incident Response Manager has been terminated.
52. Financial penalties were imposed on the two middle management supervisors, who are accountable as supervisors of the staff that were terminated.
53. A Cluster Information Security Officer was found to have a wrong understanding of what constituted a ‘security incident’ and failed to comply with IHiS’ incident reporting procedures. The Board decided to demote the Cluster Information Security Officer and reassign him to another role.
54. Let me now come to the IHiS senior management team. As the senior management team, they hold collective leadership responsibility over the organisation and the incident.
55. They know this. IHiS CEO wrote a letter to me in December. In his letter, he expressed disappointment that he and his IHiS colleagues were not able to prevent or respond better to the cyber-attack. He apologised for the incident. He and members of his senior management team acknowledged their collective responsibility. The CEO expressed that he would accept whatever the IHiS Board may decide for him.
56. The IHiS Board has decided to impose a financial penalty, higher than that imposed on the middle management supervisors, on the CEO and four other members of the IHiS senior management team. They have all accepted the penalty.
57. I have emphasised to the IHiS CEO and his senior management team to learn from this episode and lead the organisation and its staff through the recovery and rebuilding. I expect them to do their utmost to remedy the shortcomings and help the public healthcare family emerge stronger, so as to win back public trust. MOH and the rest of the public healthcare family will render them our full support.
58. The COI did not identify lapses in specific individuals that are employed by SingHealth. However, SingHealth recognises its duty to its patients and its responsibility as the owner of the database system. The SingHealth senior leadership, including the Group CEO, has volunteered for a financial penalty which the Board has accepted.
PDPC Penalties
59. Beyond these disciplinary actions and penalties on specific individuals, penalties have also been imposed at the organisational level. Earlier, Minister Iswaran had shared that the Personal Data Protection Commission (PDPC) has completed its investigations into the incident. PDPC has decided to impose financial penalties on IHiS and SingHealth, which come to $1 million in total. This is the highest penalty meted out by the PDPC to date.
60. IHiS and SingHealth have accepted PDPC’s decision and penalties. This is the right response.
Recognition and Acknowledgement
61. Mr Speaker Sir, in the COI report, several IHiS officers were commended for their diligence in handling the incident beyond their job scope and responsibilities. They were proactive and demonstrated resourcefulness in managing the cyber-attack.
62. The IHiS Board has presented Letters of Commendation to three IHiS staff from the Database Management Team, SCM Production Support Team, and Security Management Team respectively. Each of them showed commitment to serve, and had the persistence to get to the bottom of things. I am glad that their contributions have been recognised. I would also like to acknowledge members of our public healthcare family who have worked hard together to ensure patient care is not compromised by this incident.
63. At the same time, I thank Singaporeans for their patience and understanding on the inconveniences they may have encountered at our public healthcare institutions arising from the implementation of tighter cybersecurity measures.
Ensuring Timely Implementation of Recommendations
64. Mr Speaker Sir, I have sketched out the responses of the public healthcare family to the SingHealth data breach and the COI report. The public healthcare family will ensure that priority and attention is given to the implementation of the COI’s recommendations as well as the cybersecurity initiatives that the public healthcare system has embarked on.
65. We are organising our efforts into 6 key workstreams spanning technical measures, cybersecurity policy, organisational structures, governance enhancements, management of Critical Information Infrastructure (CII) and patient engagement.
66. Senior management and key personnel from MOH, IHiS and healthcare clusters will lead these efforts. They will report their progress regularly to the Healthcare IT Steering Committee chaired by my Permanent Secretary. The Steering Committee will oversee the implementation and closely monitor its progress. It will also tap on independent auditors to verify the completion of the follow-up actions.
IT Remains a Key Enabler
67. Mr Speaker Sir, this cyber-attack has been a regrettable and painful incident for us, and for the affected patients. We must learn from it. But we must not allow it to hold back our push towards using technology to provide better care for our patients.
68. IT systems have improved the safety and effectiveness of patient care. It remains a key enabler we cannot do without for better delivery of healthcare to benefit Singaporeans.
69. Yet, we recognise that the cybersecurity landscape has shifted and the threat level has risen. So the cybersecurity posture of the healthcare sector needs to be correspondingly raised. This will not be a one-off exercise as new and evolving threats will continue to target our systems. We must continually fortify our defences, and we need a strong team working together to achieve this.
Closing
70. Mr Speaker Sir, to conclude, I would like to thank the COI once again for its work and the comprehensive findings and recommendations. We in the public healthcare family will take guidance from the COI report and strengthen our systems and capabilities.
71. We must and we will emerge with stronger cyber defences. This will be the most fitting way to fulfil our responsibilities to our patients.