Thousands of SingHealth computers linked to Internet provided large 'attack surface' for hackers: DPM Teo

SINGAPORE — The thousands of SingHealth front-end computers connected to the Internet provided a large number of openings that hackers successfully exploited for their recent cyberattack on the healthcare group, Deputy Prime Minister Teo Chee Hean said on Tuesday (July 24).

While those computers had anti-intrusion systems that were able to fend off run-of-the-mill attacks, they were insufficient in the face of the "sophisticated and persistent" intruders.

"The front-end computers continued to be connected to the Internet. This provided intruders with an attack surface of many thousands of users in the medical and academic community," Mr Teo told a conference attended by some 1,500 engineers serving in the public sector.

"The attacker found a way into this path."

Recounting some of the preliminary lessons learnt from the unprecedented attack, he noted that if measures to delink workplace computers from the Internet had been in place, SingHealth could have reduced the number of vulnerable openings in its systems.

"We could and should have implemented Internet surfing separation on public healthcare systems just as we have done on our public sector systems," said Mr Teo, who is also the coordinating minister for national security.

"This would have disrupted the cyber kill-chain for the hacker and reduced the surface area exposed to attack. This has now been done."

The Ministry of Health announced on Monday that all three public healthcare clusters have implemented temporary Internet surfing separation measures in light of the cyberattack. SingHealth completed its Internet separation last Friday, and the two other public healthcare clusters – National Healthcare Group (NHG), which serves the northern parts of the island, and National University Health System (NUHS), which serves the west – have followed suit.

At the press conference last Friday where the Government made public the cyberattack, Health Minister Gan Kim Yong said the authorities did consider implementing Internet-surfing separation at public healthcare institutions, but they took a “very cautious approach”. 

Citing the authorities' dilemma, Mr Gan stressed that Internet-surfing separation is “not a trivial matter”, especially from a healthcare standpoint, because it has implications for the convenience of patients and healthcare professionals. He added that following the cyberattack, he made the decision to impose the separation temporarily. While patients, doctors and nurses may encounter some inconvenience, the key consideration is ensuring patient safety is not compromised in the process, he reiterated. 

For instance, patients may not be able to make online payments for now, and may have to do so at a later time, Mr Gan said. Internet bookings for appointments may be “more challenging”, as the system could be slower to respond to users.

Hackers stole the data of 1.5 million SingHealth patients and records of the outpatient medication given to Prime Minister Lee Hsien Loong during the cyber attack from June 27 to July 4.

On Tuesday, Mr Teo said the stolen data was "exfiltrated to external servers outside Singapore". He did not elaborate, and the authorities have not identified the suspects.

A second lesson from the attack, he told his audience, was the importance of prompt reporting of such intrusions.

While SingHealth's IT operators were able to detect and report the recent intrusion, Mr Teo said the Government was looking into whether this could have been done more quickly so as to prevent the loss of a large amount of data.

In some countries, IT operators were unaware that their systems had been compromised until their data was published or had been put up for sale.

Mr Teo added: "This case reinforces the importance of reporting any intrusion promptly to the Cyber Security Agency of Singapore (CSA); and system logs such as those in the IT system which allowed investigations and diagnoses to promptly contain the intrusion, identify the mode of intrusion, the attack vector, and scope out the extent of damage."

Meanwhile, the authorities are "cleaning up the system" and beefing it up with new security measures to deal with weaknesses exposed by the recent cyberattack, he noted.

Mr Teo also urged the engineers to take cybersecurity "very seriously" amid the rapid pace at which digital systems are being connected — and attacked — around the world.

For instance, the Government had detected an almost 10-fold increase in phishing attacks in Singapore since 2016, he pointed out.

"We need to design our systems and operate them to keep out an attack; detect any intrusions which may have slipped through; respond and deal quickly with such intrusions," said Mr Teo, who stressed that the attack on SingHealth should not deter Singapore from its ambitions to build a Smart Nation.

He acknowledged, however, that technical solutions were not enough in dealing with the recent breach, and that the Government would have to explain the incident to the public and address their concerns "as transparently as possible".

"That is why we are taking the matter very seriously, and have appointed a Committee of Inquiry to look thoroughly into all these aspects, and how we can do better," said Mr Teo.