The Singapore government has appointed a four-member Committee of Inquiry (COI) to investigate the reported cyber attack on SingHealth’s patient database system, which is turning out to be arguably the most serious breach of personal data in the country’s history.
The Committee of Inquiry will be headed by Richard Magnus, retired chief district judge and present current member of the Public Service Commission.
Other members of the Committee include Lee Fook Sun, chairman of Quann World, T K Udairam, group chief operating officer of Sheares Healthcare Management and Cham Hui Fong, assistant secretary-general of the National Trades Union Congress (NTUC).
“The committee is tasked with looking into the events and contributing factors leading to the cyberattack on SingHealth’s patient database system, as well as recommend measures to reduce the risk of such attacks in future,” said Ministry of Communications and Information (MCI) of Singapore through a press release issued today.
The COI would work in the following aspects of the SingHealth’s cyberattack
- Establish the events and contributing factors leading to the cybersecurity attack on SingHealth’s patient database system on or around 27 June 2018, and the subsequent exfiltration of patient data therefrom
- Establish how the Integrated Health Information Systems Private Limited (IHiS) and SingHealth responded to the cybersecurity attack
- Recommend measures to enhance the incident response plans for similar incidents
- Recommend measures to better protect SingHealth’s patient database system against similar cybersecurity attacks
- Recommend measures to reduce the risk of such cybersecurity attacks on public sector IT systems which contain large databases of personal data, including in the other public healthcare clusters
- Conduct itself in accordance with the provisions of the Inquiries Act, with the discretion to determine which, if any, part(s) of the inquiry shall be held in public, and consider the evidence put before the COI as led by the Attorney General or his designates
- Make and submit a report of its proceedings, findings and recommendations to S Iswaran, Minister for Communications and Information and also the Minister-in-Charge of Cybersecurity S Iswaran by December 31, 2018.
Commenting on the role of the committee, Richard Magnus, said, “This is a responsibility that I take seriously. I will work with the COI members to ensure that we fully deliver on this important task which has been entrusted on us.”
The SingHealth cyber attack allegedly compromised the personal particulars of about 1.5 million patients, including Prime Minister Lee Hsien Loong’s personal data and outpatient prescriptions.
Patients’ records were accessed and copied while 160,000 had their outpatients dispensed medicines’ records taken.
Meanwhile, SingHealth is progressively contacting about 2 million patients who had visited its specialist outpatient clinics and polyclinics between May 1, 2015 and July 4, this year, during which 1.5 million of them-had their personal data accessed and copied by hackers.
Till Monday, SingHealth has sent SMS notifications to more than 1.8 million patients to notify them if their data were stolen in the cyberattack.
Meanwhile, S Iswaran, Minister-in-Charge of Cybersecurity, said, “SingHealth cyberattack is an example of incidents that threaten to erode the precious trust in the institutions in Singapore, which has been painstaking built up.”
He was speaking at the ministry’s annual workplan seminar today.
“This incident was a deliberate and sophisticated attack that caused the most serious breach of personal data in Singapore’s history. But we were also fortunate because it could have been worse. We were fortunate that there was early detection in the exfiltration of data,” said Iswaran.
He added that the Government will do everything it can to strengthen its systems.
The Minister reiterated that the incident, or any others like it, should not be allowed to derail Singapore’s Smart Nation plans.
“Digital is the way of the future. We must adapt ourselves to operate effectively and securely in the digital world, to deliver better public services, enhance our economic competitiveness and create opportunities for our enterprises and our people.”