SingHealth's data breach resulted in PDPC levying fines worth SGD1 million. Source: AFP PHOTO / The Straits Times / Mark CHONG

SingHealth’s data breach resulted in PDPC levying fines worth SGD1 million. Source: AFP PHOTO / The Straits Times / Mark CHONG

Singapore imposes largest ever fine for cybersecurity lapse

CYBERSECURITY is becoming a major concern for organizations and regulators everywhere, and in sectors such as healthcare, with institutions storing critical personal information — from financial data to medical reports — the stakes are higher.

In the recent SingHealth data breach, for example, personal information of 1.5 million patients, including that of Singapore Prime Minister Lee Hsien Loong and a few other ministers, was stolen. Some 160,000 people also had their outpatient prescriptions stolen.

According to the report issued by the Committee of Inquiry (COI) investigating the incident, the hack was a result of basic failings such as weak administrator passwords and delays in applying recommended patches to the organization’s systems.

While the 454-page report reconstructs the series of events and explains what exactly went wrong, it also identified five key findings that actually made SingHealth vulnerable to the attack in the first place. These were:

#1 | Inadequately trained staff

IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack.

#2 | Lapses in administrative action

Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack.

#3 | Existing vulnerabilities and weaknesses

There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack.

#4 | Attack orchestrated by skilled hackers

The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group.

#5 | Better defenses could have helped avoid attack

While our cyber defenses will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable.

In addition, the report also provided 16 recommendations for SingHealth and other public health organizations in Singapore — many of which included remedying the aforementioned findings.

According to local media, in light of the report, Minister-in-charge of Cyber Security S. Iswaran and Minister for Health Gan Kim Yong told Parliament that the Personal Data Protection Commission (PDPC) had found both SingHealth and its IT vendor Integrated Health Information Systems (IHiS) guilty in the cybersecurity incident.

As a result, PDPC imposed its largest and second largest fine till date. It charged IHiS with SGD750,000 (US$550,000) and SingHealth with SGD250,000 (US$185,000) in light of the COI’s report.

“Even if organizations delegate work to vendors, organizations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers,” PDPC told The Straits Times.