SINGAPORE (Aug 13): Parliament resumed sitting on Aug 6 and, unsurprisingly, members were brimming with queries about last month’s SingHealth data breach. Nineteen questions from both sides of the bench were tabled to the ministers of health, and communications and information, Gan Kim Yong and S Iswaran, respectively. The ministers provided lengthy, prepared oral responses but gave scant details on some important questions.

MPs wanted to know whether the SingHealth breach was an isolated incident and who the perpetrators were; what the Ministry of Health (MOH) was going to do to prevent future attacks; the impact on the Smart Nation and Digital Government initiatives; and how the government planned to restore public confidence in the initiatives after the most recent cyberattack.

One opposition MP asked if the government was going to bear responsibility for any stolen identity crime committed as a result of the breach. Another asked Gan to elaborate why there was a significant delay in informing the public of the attack after it was discovered.

The Integrated Health Information Systems, the agency responsible for digitising, connecting and analysing Singapore’s heath ecosystem, had first detected unusual activity in SingHealth’s database on July 4. Six days later, IHIS investigations confirmed a cyberattack had taken place and informed the MOH, SingHealth and the Cyber Security Agency (CSA) of Singapore. IHIS said that between June 27 and July 4, data had already been stolen.

SingHealth made a police report on July 12. The theft of 1.5 million people’s personal data — names, dates of birth, addresses, NRIC numbers, gender and race — was only revealed to them in a public announcement more than a week later, on July 20.

In response, Gan said that after the breach was discovered, there was a significant amount of work that went on behind the scenes among the five agencies. He also revealed that there was malicious activity on the network up to July 19. The public was informed only after the situation had been assessed as stabilised. “Our priority at that time was that our system was protected and our data was not subject to further losses,” said Gan.

Apart from the five agencies involved, were the other major government bodies kept in the loop as well? Could the delay have wider repercussions elsewhere? For one, it was only on July 24 that the Monetary Authority of Singapore issued a circular to financial institutions to tighten their customer verification process. MAS did not respond to The Edge Singapore’s question on when it was informed of the data breach.

In Parliament, Iswaran took pains to elaborate that financial institutions do not rely solely on personal information such as the data stolen from SingHealth to verify customers’ identities. This echoes a statement made by CSA CEO David Koh, that the data stolen was “basic demographic data”.

But, it is clear to everyone who has ever done their banking online or even on the phone, that the data accessed by the hackers is used in various banking procedures, including identity verification. And, as The Edge Singapore had reported earlier (Issue 841, “SingHealth hack spotlights Smart Nation push; higher cybersecurity bar for public agencies”), healthcare records can be worth four times as much as financial data, in underground markets. Crucially, while we can cancel credit cards or close bank accounts that have been compromised, we cannot really change names, dates of birth and NRIC numbers.

Further, the theft of the healthcare data, including details of medication that had been prescribed and dispensed, came at a time when the government was pressing ahead with a National Electronic Health Record (NEHR) system. It is essentially a central repository of all healthcare records that every healthcare service provider — from the neighbourhood family doctor to specialists and hospitals — will have to contribute to by 2020. The system comes under the new Healthcare Services Bill, to be enacted in 2H2019.

“I think all [doctors] will be cautious of this and are unlikely to support [NEHR] in light of the breach,” says Dr Beng Teck Liang, CEO of healthcare specialist network Singapore Medical Group. “Patient confidentiality is upmost on our minds, and next would be who would pick up the cost of implementation.”

The government has set up a Committee of Inquiry to look into the incident. Hearings will begin on Aug 28 and held in public unless they could affect national security or patient confidentiality — though for some reason, the first session will be held behind closed doors. The COI will look into the events and contributing factors leading to the breach, and expert witnesses will be called to give evidence on cybersecurity measures. The COI is expected to release its findings at year-end.

For now, people will have to contend with information that has been released so far. For instance, that the attack was carried out by an advanced persistent threat or sophisticated and continuous hacking attempts commonly linked to state actors. “The attack fits the profile of certain known APT groups, but for national security reasons, we will not be making any specific public attribution,” said Iswaran. “If in the process of the COI’s deliberations, specific attribution can be made where action can be subsequently taken up in the court of law, we will certainly take up that course of action,” he added.

Pursuing the perpetrators of a cyberattack and taking them to task are definitely courses of action to take. But what’s also needed is a higher standard of protection for national identity records that are irrevocably tied to individuals, and a reassessment of just how long breaches should be under wraps, for the safety of the wider system.