SINGAPORE: SingHealth refrained from informing the public of the cyberattack on its database, fearing that an early announcement would compromise the investigations, a Committee of Inquiry (COI) investigating the data breach heard on Monday (Nov 5).
Professor Kenneth Kwek, Deputy Group CEO of SingHealth (Organisational Transformation and Informatics), told the four-member COI that it was also necessary to obtain more information and to make sure that the breach was contained.
The public was informed of the cyberattack, which saw the records of about 1.5 million SingHealth patients accessed and copied, on July 20.
About 160,000 of them also had their outpatient dispensed medication records taken, in what has been described as "the most serious breach of personal data" in Singapore's history.
Prime Minister Lee Hsien Loong was among those affected, with the attackers specifically targeting his personal particulars and information on his medications.
Database administrators at Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector, discovered the breach on July 4.
Since September, the COI has held public hearings to investigate what happened during the data breach.
MORE INFORMATION REQUIRED
The COI heard that Professor Kwek received a call on July 9 from Mr Benedict Tan, SingHealth Group Chief Information Officer, informing him that the IHiS team had detected "suspicious activity" in one of the SingHealth databases.
A day later, Mr Tan sent an e-mail to Professor Kwek informing him of "unauthorised access" on July 4 to the Sunrise Clinical Manager (SCM) production database.
The e-mail was also sent to Professor Ivy Ng, SingHealth Group CEO, and Mr Tan Jack Thian, SingHealth Group Chief Operating Officer.
"Ivy and I recognised that SingHealth had an immediate obligation to inform, as soon as possible, all patients who may have been affected by the data breach," said Professor Kwek. "However, before we could do that, or even develop an appropriate communications plan, we had to make sure that the data was intact and secure.
"We also needed more information about the cyberattack to be able to communicate meaningfully with our patients."
According to Professor Kwek, IHiS then confirmed at a meeting on July 13 that the data had been exfiltrated and that they were able to determine which data had been affected.
"At this meeting, the issue of public communications and the timing of the public announcement were also discussed," he said. "It was agreed that the public announcement should not jeopardise the ongoing investigations."
After several discussions with stakeholders, three possible dates were proposed for the announcement, Professor Kwek said. July 20 was finally chosen, as it allowed "sufficient time to contain" the cyberattack.
"What weighed in favour of an earlier public announcement was that the public would appreciate being informed quickly," Professor Kwek added. "On the other hand, we had to balance that against three serious considerations."
These considerations included whether an early announcement could affect or hinder the ongoing forensic investigation into the cyberattack if the attackers were still in the network, and the need to ensure that the cyberattack was contained before any announcement was made.
"More information about the cyberattack was needed so that the public announcement would build trust," Professor Kwek added. "It was feared that if we made a public announcement without the necessary information, the public could become more worried."
"EXTENSIVE WORK" DONE BY SINGHEALTH
Monday's COI session also focused on SingHealth's outreach and communications efforts following the cyberattack.
This showed the "considerable work" done by SingHealth staff to allay public concerns, said Solicitor-General Kwek Mean Luck.
Given the "need for speed and breadth of reach", the main mode of communication SingHealth decided to use was SMS messages to all patients, Professor Kwek said.
These SMSes were meant to reassure those whose data had not been affected, and to inform those whose data had been accessed of which data had been accessed.
In the four days following the public announcement, about 2 million text messages were sent, 15 per cent of which were not delivered, said Professor Kwek.
Letters were then sent to this group of patients and to those who did not have a valid mobile phone number in SingHealth's records. In total, approximately 434,000 letters were sent.
SingHealth also set up hotlines for affected patients and created an e-mail account dedicated to public queries. Members of the public could check for themselves whether their data had been accessed via the SingHealth website and the Health Buddy mobile app.
The second witness of the day, Professor Ivy Ng, SingHealth Group CEO, praised the work done by her staff in their outreach efforts.
Responding to a question from Solicitor-General Kwek, Professor Ng described the outreach operation as "unprecedented" and beyond what SingHealth would normally do.
"Many people asked whether we outsourced this large-scale exercise," she told the COI. "However, it was clear that we wanted to do it ourselves."
MORE TO DO FOR CYBERSECURITY AWARENESS
While Professor Kwek said SingHealth had been "proactive" in "educating and informing staff about cybersecurity risks", he added that more will be done in future.
IHiS conducted "phishing exercises" on SingHealth staff, with six of them taking place between 2015 and September 2018.
"Staff who responded to phishing e-mails twice or more are also subject to extra attention. They are required to attend IT security briefings to raise their awareness of the risks," said Professor Kwek.
In the most recent exercise last February, staff received an official letter, copied to their supervisors and signed by Professor Kwek and Mr Tan, to "forcefully remind them of the need for vigilance".
Since 2016, SingHealth staff have received a cybersecurity and data protection reminder at login, and the language of this message will be strengthened, said Professor Kwek.
In addition, more leadership memos on cybersecurity will be sent out, and cybersecurity topics will be raised more often at public meetings. Currently, six to twelve such memos are sent each year.
This will "engender" a "culture" among staff in which data privacy is seen as critical to ensuring safety and providing good clinical care, Professor Kwek said.
The COI hearings are expected to continue on Friday.