SingHealth top executive hopes for new solutions to Internet separation, which has caused ‘multiple inconveniences’

SINGAPORE — Cutting the work computers of SingHealth employees from the Internet has caused “multiple difficulties and inconveniences” and led to “some loss of productivity”, its group chief executive officer Ivy Ng said.

While employees “have been very understanding” of the situation, Professor Ng hopes that the situation could be reviewed at some point, and new solutions be considered. Testifying on Monday (Nov 5) at the Committee of Inquiry (COI) hearing on the SingHealth cyber attack, Prof Ng was asked by the committee’s chairman Richard Magnus, a retired judge, about the public healthcare cluster’s Internet separation experience.

SingHealth disconnected work computers from the Internet on July 20 following an unprecedented cyber breach, where hackers stole about 1.5 million patients’ personal information as well as the outpatient medical records of 160,000 of them, including that of Prime Minister Lee Hsien Loong.

Prof Ng, who became SingHealth’s group chief executive in 2012, said that there have been inconveniences. SingHealth has distributed around 1,600 Internet-enabled laptops but, even then, many departments share one laptop due to the size of the organisation.

As a result, productivity has been affected, with people “working longer and harder”.

“People are using their mobile phones and devices to do the work they need to do,” Prof Ng said.

However, employees have made “relatively little noise” of the situation. She added: “I would say the number of complaints, anger, frustration that has arisen from it has been relatively low and that staff members have been patient.”

“They have taken it (in) their stride because the horror of patients’ data being breached is an unacceptable risk for us, to even consider opening up to the Internet again.”

She hopes that SingHealth and the Ministry of Health will review the policy, and that other solutions such as a browser isolation platform can come into play in the future.

UPDATING PATIENTS’ PARTICULARS

At Monday’s hearing, Prof Ng also revealed that 2.9 per cent (or 62,640) of 2.16 million patients — who had visited its specialist outpatient clinics and polyclinics from January 2015 to July 4 this year, the day the cyber attack ended — could not be reached to inform them of the data breach.

Their mobile numbers were either not updated, or wrongly keyed into the system, she said. Some patients did not update their home address, too.

Prof Ng said that SingHealth now has 10 temporary staff members to key into a database the details of the patients who could not be reached. When these patients visit any of SingHealth’s outlets, they will be prompted to have their particulars updated, she said.

Patients who have not updated their contact information can approach employees at the counters during their next clinic visit.

Prof Ng said that SingHealth is looking to ensure its inpatient and outpatient systems are in sync with each other. This means that when the particulars of a patient is updated in the inpatient system, this will also be reflected in the outpatient system.

The updating of patients’ particulars will be one of SingHealth’s key performance indicators and will be tracked every quarter, she said

WHY PUBLIC WAS INFORMED LATER

Earlier during the day's hearing, another top SingHealth official explained why the public was told of the cyber attack only on July 20 when it had taken place from June 27 to July 4.

Professor Kenneth Kwek, the deputy group chief executive of organisational transformation and informatics, told the COI that both he and Prof Ng felt the “immediate obligation” to inform affected patients in the shortest time after they themselves were informed of it on July 10.

However, details such as whether patients’ records were altered were scant at the time. “We also did not know at that time whether there had been data exfiltration,” he added.

Prof Kwek, who helmed the plans, said it was only three days later that SingHealth started to come up with communication and outreach plans after it obtained more details.

Three “serious considerations” had to be taken into account. An early announcement might affect ongoing forensic investigations into the cyber attack. There was also the need to ensure the attack had been properly contained.

Detailed planning of communication and outreach plans were made on July 15.

Given the speed needed and scale of the outreach, SingHealth decided to adopt SMS as the primary mode of communication. It then enlisted Singtel as the third-party vendor to disseminate the text messages.

More than 1,000 employees including doctors and nurses from SingHealth and the Integrated Health Information Systems (IHiS) were mobilised to address patients’ concerns. IHiS is the organisation tasked to run the IT systems of all public healthcare institutions

Asked by Solicitor-General Kwek Mean Luck what SingHealth is doing to beef up cyber-security awareness among its employees, Prof Kwek said that from next year, every employee is required to acknowledge a cyber-security reminder when they log into the human resource portal. All town-hall meetings will feature a discussion on the topic.

Since July this year, there have been more leadership memos on cyber security. The organisation regularly conducts phishing simulation exercises to train employees to be vigilant.

“Our aim is to engender within our staff a deep culture (of cyber security). They already feel and know data confidentiality is an essential part of maintaining safety of patients and delivering good clinical care,” Prof Kwek said.