SingHealth cyber attack hearings resume Sept 21; inquiry committee seeks recommendations from the public

SINGAPORE — The Committee of Inquiry (COI) set up to look into the events and factors that led to Singapore’s worst cyber attack on public healthcare cluster SingHealth will resume hearings on Sept 21.

A mix of private and public hearings will be conducted at Court 5A of the Supreme Court until Oct 5, and information on which hearings will be open to the public will be released at a later date, said the COI secretariat in a statement on Tuesday (Sept 11).

The first hearing was held on Aug 28 behind closed doors at an undisclosed location in the interest of national security.

At the same time, the four-member COI — chaired by retired judge Richard Magnus — is inviting members of the public to submit recommendations to better protect SingHealth’s patient database system and public-sector IT systems against similar cyber attacks. The public may also recommend measures to enhance the response plans for similar incidents.

Why it matters: Between June 27 and July 4, sophisticated hackers stole the personal data of 1.5 million SingHealth patients including their national identity card numbers, addresses, names and dates of birth. Of the patients affected, 160,000 of them, including Prime Minister Lee Hsien Loong, also had information on their outpatient medication stolen. The Government announced the news of Singapore’s worst cyber attack on July 20.

The attack was the work of an advanced persistent threat group that could be state-linked, said Minister for Communications and Information S Iswaran in Parliament last month.

The hackers used advanced tools including customised malware that was able to evade SingHealth’s anti-virus software and security tools, he added.

For national security reasons, the Government will not name the party it believes is behind the attack.

Who’s on the COI: Convened on July 24, its three other members besides Mr Magnus are Mr Lee Fook Sun, executive chairman of cyber-security solutions provider Quann World; Mr T K Udairam, group chief operating officer of healthcare technology firm Sheares Healthcare Management; and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress.

Solicitor-General Kwek Mean Luck will lead evidence in the inquiry into the data breach.

How to submit recommendations: Written representations should be sent by 5pm on Oct 31 to the COI’s secretary, Mr Thng E-Shen, or co-secretary Melanie Huang. Members of the public may email coi_secretariat [at] mci.gov.sg or mail submissions to the Ministry of Communications and Information at #5-00 Old Hill Street Police Station, 140 Hill Street, Singapore 179369. Written representations should include:

1. The author’s name, occupation, address, contact number and email address

2. A brief description of the organisation (if any) that the author is representing

3. Any financial or other interest the author (and the organisation that he or she represents) has in the COI’s terms of reference

4. Whether the author is willing to appear before the COI to give evidence if required

What to expect afterwards: Individuals who submit recommendations may be called upon to give evidence at a hearing.

The COI may also seek to clarify the authors’ representations and later publish some of the submissions.