Online payments, booking of appointments could be affected as Govt beefs up security after cyberattack: Gan

SINGAPORE — Patients could face difficulties making online payments and bookings for medical appointments, as a temporary Internet-surfing separation policy ripples across Singapore’s three healthcare clusters in the wake of an unprecedented cyberattack.

Just last month, SingHealth — Singapore’s largest healthcare group — was hit by hackers who stole the data of 1.5 million patients and outpatient medication records of several government leaders, including Prime Minister Lee Hsien Loong.

Following the breach, SingHealth separated its work systems from the Internet at midnight on Friday (July 20), Health Minister Gan Kim Yong said at a press conference later in the day.

The National University Health System and the National Healthcare Group — the other two healthcare clusters — have also begun the process of separating their systems, and will follow suit by early next week, said Mr Gan.

The Government had put in place an Internet separation policy last year, which meant public servants would no longer be able to access the Internet from their work computers. They would have to use Internet-enabled devices such as government-issued tablets or other computers, for instance, to go online.

Mr Gan said the Government had been assessing Internet-surfing separation for public healthcare institutions for some time. It was in the midst of deciding whether to proceed with the idea, or go with “alternative forms of segregation” that would ensure patient data was kept safe yet still allowing staff members access to the Internet.

Internet-surfing separation is “not a trivial matter”, especially from a healthcare standpoint, because it has implications for the convenience of patients and healthcare professionals, said Mr Gan.

“Therefore, we took a very cautious approach in assessing the Internet-surfing separation idea… But given the current situation, and the threat is imminent, I have made the decision to impose Internet-surfing separation temporarily,” he said.

While patients, doctors and nurses may encounter some inconvenience, Mr Gan stressed that the key consideration is ensuring patient safety is not compromised in the process.

For instance, patients may not be able to make online payments for now, and may have to do so at a later time, he said. Internet bookings for appointments may be “more challenging”, as the system could be slower to respond to users.

As doctors may need to look up information on the Internet, this could be added inconvenience to them.

Mr Gan said: “I am deeply sorry that this has happened. I would like to appeal for understanding from everyone, our patients and our healthcare professionals alike, as we put these measures in place.”

SingHealth Group CEO Ivy Ng said on Saturday that so far, its patients have not reported any issues with services such as appointment booking or payment. Nevertheless, it is monitoring the situation.

Professor Ng said the organisation recognises that there will be inconveniences for its staff, "but in view of the recent cyberattack, this is a necessary move to safeguard our patients’ data".

Patient care and safety will not be compromised, Prof Ng stressed. She added that plans are underway to provide interim alternatives to departments that require Internet access for work. This would include providing standalone personal computers or laptops that would be connected to the Internet but "do not sit within SingHealth’s networks".

In the wake of the cyberattack, other measures have also been put in place to beef up the security of SingHealth’s IT systems.

These include the resetting of user and system accounts — including changing passwords — additional system-monitoring controls, tighter controls on workstations and servers. Measures were also implemented to break the communication links used by malwares, and there was also increased monitoring across all public healthcare IT systems.

The Ministry of Health has also directed the Integrated Health Information Systems — the technology agency that runs the IT systems of public healthcare institutions — to carry out a thorough review of the public healthcare system to beef up cyber threat prevention, detection and response with the help of third-party experts.

The technology agency has also sent advisories to all public and private healthcare institutions on cyber security precautions and measures.

Key upcoming IT projects in the public healthcare industry and the broader public sector will also take a “pause” to review cyber security safeguards before they go ahead with initiatives.

A Committee of Inquiry, chaired by retired Senior District Judge Richard Magnus, will also be convened to look into the latest breach, and to recommend measures to better secure public sector IT systems against similar attacks.