SINGAPORE – SingHealth said it plans to introduce a series of measures for all 28,000 employees to deepen their understanding of cyber safety, after hackers used a phishing ploy to enter its network and mount Singapore’s worst-ever data breach.
Singapore’s largest public healthcare network will also roll out new systems to capture patients’ contact details rigorously, drawing on lessons learnt from its unsuccessful attempts to contact some 2.9 per cent of 2.16 million patients, most of whom were affected by June’s cyber attack.
These moves were revealed on Monday (Nov 5) by two senior executives at SingHealth who had testified before a high-level panel looking into the cyber attack that compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people.
Asked before the Committee of Inquiry (COI) on Monday what lessons were learnt from the incident, SingHealth’s group chief executive Professor Ivy Ng said it was the fact that it did not have the updated contact details of all patients.
“A significant number of people had undeliverable messages,” she said, pointing to wrong mobile phone numbers and residential addresses.
As such, SingHealth will roll out a new system next year (2019) to let patients update their own personal particulars, including contact numbers and addresses. Currently, it must be done over the counter.
Following the attack, the healthcare group has been using SMS to remind patients to provide it with updated contact details.
Professor Kenneth Kwek, SingHealth’s deputy group chief executive (organisational transformation and informatics), who also took the stand on Monday, spoke about the need to deepen all employees’ understanding of cyber safety.
Although the healthcare group said it currently has cyber-security training activities as part of the orientation programme for employees, and also regularly conducts phishing simulation exercises to train them to be more vigilant, more needs to be done.
Among other things, he said more town halls will be held to provide information on new cyber-security and ransomware threats.
Since 2016, employees logging into the network have been greeted by a message on their computers reminding them of the importance of data protection. However, the language of this message will now be “strengthened” and the message made more prominent.
SingHealth will also adopt a storytelling format in engaging its employees on cyber-security matters and explaining the impact of breaches, Prof Kwek said, noting that this format relates better to employees and patients alike.
“Staff already knew that data protection is an important part of patient clinical care… we want to deepen this understanding,” he told the panel.
The healthcare group regularly conducts phishing simulation exercises to train its employees to be more vigilant. For instance, six phishing exercises were conducted between 2015 and September this year.
“Staff who responded to phishing emails twice or more are given additional attention. They are requested to attend IT security briefings to become more aware of the risks,” he said.
In the recent exercise in February 2018, employees who fell prey to phishing also received a formal letter, with a copy sent to their direct supervisor. The letter is signed by Prof Kwek and Mr Benedict Tan, the SingHealth cluster’s group chief information officer.
Both Prof Ng and Prof Kwek said they were “amazed” and “gratified” by the willingness of SingHealth employees to step up in the aftermath of the cyber attack.
The senior executives said many employees pulled long hours and also accepted the loss of productivity that came with the sudden implementation of Internet surfing separation.
Intrusions into SingHealth’s electronic medical records system began undetected on June 27 but were terminated on July 4.
The data breach compromised the personal data of 1.5 million patients and outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.