News | 01/16/2019

SingHealth and IHiS Fined $1 Million by PDPC for Data Breach



SingHealth Cyber-Attack: PDPC Fines SingHealth, IHiS Combined $1 million for Security Breach

In Singapore’s worst cyber-attack, the hackers infiltrated the database of SingHealth, Singapore's largest group of healthcare institutions.

The personal particulars of 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018, including outpatient prescriptions of Prime Minister Lee Hsien Loong and a few ministers, were illegally accessed and stolen.

The Personal Data Protection Commission (PDPC) has fined Integrated Health Information Systems (IHiS) and SingHealth a combined $1 million for breaching their security and data protection obligations under the Personal Data Protection Act (PDPA), it said in a statement on Tuesday (Jan 15).

The commission said that the financial penalties are the highest ever imposed by PDPC to date, and both organizations are to pay their fines within 30 days.

"PDPC’s investigations into the security breach arising from a cyber-attack on SingHealth’s patient database system, found that IHiS had failed to take adequate security measures to protect the personal data in its possession," said the statement.

PDPC had found both SingHealth and its IT vendor Integrated Health Information Systems (IHiS) guilty of failing to secure patient data.

SingHealth had delegated its cybersecurity operations entirely to IHiS and, given the severity of the lapses, the PDPC imposed its largest-ever fine of $750,000 on the technology vendor.

However, as the owner of the patient data system, SingHealth also bore responsibility for the breach, and the PDPC fined it $250,000, its second-biggest fine to date.

"Even if organizations delegate work to vendor companies, organizations as data controllers must take responsibility for the individual data that they have collected from their customers," said the PDPC.

Further, the PDPC stated that the SingHealth personnel handling security incidents were unfamiliar with the incident response process, were overly dependent on IHiS, failed to take further steps, and could not even recognize the significance of the information provided by IHiS after it was surfaced.

These were among the common fundamental failings that opened the door to Singapore's worst data breach, according to the report of the Committee of Inquiry (COI), which was convened by Minister-in-charge of Cyber Security S. Iswaran to investigate last June's cyber-attack on SingHealth.

Despite the hackers being sophisticated, the COI said: “a middle manager of cybersecurity at IHiS had misconceptions of what constitutes a cyber-security occurrence, and delayed reporting the system intrusions for fear that extra burden would be put on him and his team.”

Also, the technical information security officer showed a lack of concern when it was clear that critical system data had been breached.

The committee also found IT staff to be lacking in cybersecurity awareness and resources, and these lapses contributed to successful data exfiltration from SingHealth's electronic medical records system.

The cyber-attack had compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

The attackers specifically targeted PM Lee's personal particulars and information on medicine that had been dispensed to him.

The data stolen included names, addresses, NRIC numbers, gender and race information, and dates of birth. Nearly 160,000 of these patients also had their outpatient prescription data stolen.


To Conclude

The cyber-attack was stealthy, even though the signs of the attack were observed by Integrated Health Information Systems (IHiS) staff. If immediate security measures had been taken at the right time while the attack was ongoing, the security breach could have been stopped before it achieved its objectives.

This was not the first instance of cyber-criminals targeting private organizations, and it will not be the last.

Still, we need to comprehensively upgrade our cyber defense systems and processes to more effectively guard against cybersecurity risks, as well as to respond in a timely and robust manner to prevent any intrusion in the future.



Tips to Prevent Viruses and Malware from Infecting Your System:
  1. Enable your popup blocker: Pop-ups and ads on websites are the most commonly adopted tactic used by cybercriminals or developers with the core intention of spreading malicious programs.
    So, avoid clicking on uncertain sites, software offers, pop-ups, etc., and install a powerful ad blocker for Chrome, Mozilla, and IE.
  2. Keep your Windows Updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. By doing this you can keep your device free from viruses. According to the survey, outdated/older versions of the Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites, as they usually bundle additional software with any installer or stub file.
  4. Regular Backup: Regular and periodic backups help you keep your data safe in case the system is infected by any kind of virus or any other infection. Thus, always back up important files regularly on a cloud drive or an external hard drive.
  5. Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good malware removal tool.
