Motion

Cyberattack on SingHealth's IT System

Summary

This statement concerns the sophisticated cyberattack on SingHealth’s IT system, where an Advanced Persistent Threat group illegally accessed the personal data of 1.5 million patients and specifically targeted Prime Minister Lee Hsien Loong’s records. Minister for Health Gan Kim Yong apologized for the breach and outlined immediate containment efforts, such as implementing Internet Surfing Separation and heightening monitoring, while acknowledging the operational inconveniences these security measures caused. Minister for Communications and Information S. Iswaran explained that the attack fits the profile of state-linked actors and announced the convening of a Committee of Inquiry to thoroughly investigate the incident and recommend stronger safeguards. Both ministers emphasized that while medical records were not tampered with and patient care was not compromised, a rigorous external review of the National Electronic Health Record system will be conducted before further implementation. The government concluded that despite the risks, Singapore must persist with its digitalization and Smart Nation initiatives while continuously evolving its cybersecurity defenses to protect critical infrastructure from persistent and resourceful attackers.

Transcript

3.00 pm

The Minister for Health (Mr Gan Kim Yong): Mr Speaker, thank you for allowing me to make a Statement on the recent cyberattack on SingHealth’s information technology (IT) system. Several Members of Parliament have also asked about the incident, and I will address their questions in my Statement.

Sir, what we encountered was a sophisticated and unprecedented cyberattack. Personal particulars and outpatient dispensed medicines of SingHealth’s patients were accessed and copied.

Let me once again apologise to our patients for this incident. Our healthcare family’s priorities are not just to provide good patient care, but also to safeguard the confidentiality of their data.

This is a very serious cyberattack. The attacker accessed SingHealth’s system through an initial breach on a frontend workstation, circumvented the multi-layered security barriers by using advanced and sophisticated tools, and then gained access to privileged credentials to access the database. This is not the work of casual hackers or criminal gangs, but a sophisticated and resourceful attacker.

Let me provide a quick recap of the incident based on what we know thus far. On 4 July 2018, data administrators of our Integrated Health Information Systems (IHiS) detected unusual activity on one of SingHealth’s IT databases. IHiS is the technology organisation that administers the IT systems for the public healthcare sector.

The immediate priority of the team was to stop the unusual activity and block the connections to prevent further access. As a result, we prevented further loss of data and no further exfiltration has been detected since 4 July.

Concurrently, the IHiS team immediately investigated the suspicious activity to determine its nature and whether it was malicious. This process took time as our hospital systems process millions of data queries daily. There will always be a number of unusual processes that need to be investigated and most of these turned out to be legitimate activities. Furthermore, the attacker was careful to remove its traces as it worked, making investigation harder. On 10 July, IHiS confirmed from its investigations that it was a cyberattack, and informed SingHealth, the Ministry of Health (MOH) and the Cyber Security Agency (CSA).

Thereafter, several streams of tasks were carried out concurrently. An interagency team, comprising MOH, IHiS, SingHealth, the Ministry of Communications and Information (MCI) and CSA, worked closely together to contain the cyberattack and undertake measures to prevent further attacks. We implemented additional containment and monitoring measures, such as restricting user access, blocking additional connections, resetting security tokens, mandating password changes for users and heightened monitoring of IT systems across our public healthcare sector. At the same time, a separate team in IHiS supported SingHealth’s efforts to assess the extent of the data affected and identify the patients these data belong to, and to plan for patient engagement to inform them of the incident.

The cyberattack has resulted in the personal particulars of one-and-a-half million SingHealth patients being accessed and copied. These included the name, National Registration Identity Card (NRIC) number, address, gender, race and date of birth. Of this, 160,000 had information on their outpatient dispensed medicines accessed. However, no phone numbers, passwords or credit card information were accessed. All records in SingHealth’s IT system remain intact and are unaltered. IHiS staff combed through detailed access logs to confirm that the databases were not tampered with. Patient care has not been compromised and services were not disrupted during the period of the cyberattack.

Despite the additional cybersecurity measures, we detected further malicious activity on our networks, but no further patient data were accessed or copied. We decided to effect Internet surfing separation for SingHealth on 19 July to minimise the risk of further intrusion and exfiltration. On 20 July, we assessed that the situation had been stabilised and informed the public of the cyberattack, even while investigations were ongoing.

Between 20 and 23 July, SingHealth sent short message service (SMS) notifications to about two million patients who visited its healthcare institutions between 1 May 2015 and 4 July 2018, to inform them whether their personal information or medication information were affected. Let me just clarify that this includes patients who visited SingHealth during this period but whose data were not affected. SingHealth also set up an online data check through the SingHealth website and Health Buddy application and expanded its call centres to attend to queries from patients.

Many of our colleagues from the healthcare family were mobilised at short notice to help manage the situation and address patient concerns about the cyberattack. I would like to thank them for stepping up in this time of need.

Patient well-being is our top priority. This includes safeguarding the confidentiality of patient data as well as ensuring safe and effective patient care. We face the constant challenge of striking the right balance between having stronger cybersecurity safeguards, while ensuring effective and safe patient care.

To achieve this, we adopted a multi-layered approach to cybersecurity.

First, prevention. Our systems are designed with defensive measures against illegal access. For example, there are multi-layer security defences in place, both at the perimeter guarding against threats on the Internet, as well as within the perimeter to protect against unauthorised access. Vulnerability scans and tests are conducted regularly. Independent IT security audits are also carried out, with the last such audit on the affected system carried out in the second half of 2017.

Second, detection. We have monitoring tools and services to detect breaches. Our systems are also designed to provide extensive detailed activity logs for internal and external round-the-clock monitoring.

Third, response. We have established operating and technical procedures and measures to contain the impact and neutralise the threat once a breach is discovered. In the event of a breach, we will also notify and work with CSA to contain and investigate the breach. Exercises are conducted regularly to ensure staff are familiar with the procedures.

Beyond setting up a resilient system, we also need a culture of vigilance and cybersecurity awareness. This applies to our healthcare staff, as well as our IT staff. We should always adopt safe cyber practices, watch for suspicious emails and messages, and report them to our IT departments as soon as possible.

Members of Parliament have also asked about Internet surfing separation (ISS). In view of continued malicious activity that we discovered, that we observed, I decided to temporarily impose ISS for all our public healthcare systems. ISS was implemented for SingHealth since 19 July, and the National University Health System (NUHS) and National Healthcare Group (NHG) have done so since 23 July. Imposing ISS will limit avenues for attackers to enter and exit the healthcare clusters’ IT systems. However, ISS has created some inconveniences as well as operational challenges for healthcare workers and patients. We have taken precautions to ensure patient care and safety are not affected. I would like to thank our healthcare workers and patients for their understanding and support.

Could we have initiated ISS earlier? ISS is not a decision to be taken lightly. In fact, even before the incident, IHiS had been working with our clusters to study and assess the feasibility of ISS and the ways to mitigate the impact on patients and healthcare professionals. Internet access is an integral part of many of our healthcare institutions’ daily operations. They rely on the Internet to access other systems for the delivery of some healthcare services. These include receiving and reading reports from laboratories, referrals to our private sector partners, video consultation and tele-rehabilitation, as well as the payments and claims systems. We were also learning from the experiences of other countries’ healthcare IT systems and exploring alternative approaches to achieve similar protection as ISS, while minimising the impact on operations and patients.

Many healthcare systems in other countries have also found it difficult to implement ISS for practical and operational considerations. Healthcare systems, such as Hong Kong’s Hospital Authority and Kaiser Permanente, have not adopted full ISS. One possible approach we are studying and piloting is the virtual browser solution. This enables users to access the Internet more safely through a set of quarantined servers. This will reduce the number of potential attack points. The virtual browser solution will be complemented by the deployment of Advanced Threat Protection (ATP) measures, which will provide additional defence against advanced cyberattacks. The deployment of ATP had been initiated before this incident and is currently underway, expected to be completed by end of this month.

Our ongoing pilot on virtual browser was scheduled to be completed by September this year. Nevertheless, given the urgency of the matter, we went ahead to implement ISS, albeit a temporary measure. To mitigate the challenges on the ground and allow the healthcare institutions to continue to operate safely, our engineers worked overnight and through the weekend to put in place temporary work-around solutions. The team continues to be on the ground to resolve the problems that have arisen as a result of ISS. Areas that have been affected include reading of diagnostic reports from laboratories, video consultation and assessment of suspected stroke patients at our emergency department. Waiting times for consultation may also be longer as doctors may need to access references on the Internet through a separate computer.

There remain some issues not yet fully resolved, such as referrals to private sector partners, and submission and retrieval of results from screening systems. These do not compromise patient care and safety, but affect the efficiency of our healthcare system.

As a result of the security measures, some patients may experience a longer wait for consultations and in receiving their test results, as well as delays in checking their MediSave accounts or making their claims. The productivity and efficiency of our services may also be affected in some areas. We would like to thank our patients for their understanding as we work through these issues on the ground.

Although I said ISS was a temporary measure, now that it has been implemented, we will study the impact of ISS on the ground and determine whether we can keep it as a permanent measure, at least for some parts of our healthcare system. We will need to develop longer-term mitigation solutions to overcome the operational issues if ISS were to stay.

Sir, the cyberattack is unprecedented. Despite our security measures, the attackers had been very patient, very persistent and very resourceful. With advanced hacking tools, they eventually succeeded in gaining access to SingHealth’s IT system. We take this seriously as there is no reason to believe that they will not try again, with even more advanced tools. Therefore, we are reviewing the cybersecurity measures of our key IT projects and strengthening them where necessary.

Members of Parliament have asked about the National Electronic Health Record (NEHR) system. The NEHR is a separate system that was not affected by this cyberattack. Due to the need for the system to interface with multiple external partners, NEHR is designed differently from the systems that were infiltrated. Nevertheless, we recognise that this is an important national system of significant scale, as it will eventually house key medical records for all patients.

We will, therefore, put NEHR through a rigorous independent external review before we proceed with the mandatory contribution of electronic health records. We have engaged CSA and PricewaterhouseCoopers (PwC) Singapore as independent third parties to help identify any vulnerabilities and recommend measures to address them. We must assure ourselves, users and patients that the necessary safeguards are in place, before we proceed with wider implementation of NEHR.

However, we should not reverse our direction in the use of technology in healthcare. Digitalisation, technology and use of data in healthcare have brought many benefits to our patients. We cannot return to the days of paper and pencil.

IT systems have allowed us to greatly improve the safety and effectiveness of patient care. During an emergency where a patient is unconscious, access to his medical history in the NEHR helps doctors prescribe more effective medication and treatment in a timely manner. Data analytics help us to better understand disease patterns and plan ahead to meet our needs in the future. Automation improves productivity, reduces human errors and enables patients to receive better care.

When patients receive care beyond the hospital, integration of IT systems allows easier referrals across settings and enables better team-based care, and more effective emergency response. These have to be matched with efforts to continually improve our ability to secure patients' data, and the increasing robustness of the systems to deal with a constantly evolving cybersecurity threat.

Given the broader national cybersecurity implications, Minister Iswaran has appointed a Committee of Inquiry (COI) to look into this incident. We will extend our full support to the work of the Committee. We look forward to its report and recommendations to further strengthen our resilience against cyberattacks.

At the same time, we will be conducting a thorough review of the robustness of the cyber safeguards of our key IT systems. We will identify potential areas for improvement in cyber threat prevention, detection and response. To do this, we will bring in third-party experts to support us in this work where necessary.

Finally, we will ensure that the lessons learnt and improvements needed are shared widely, across both the public and private healthcare systems.

We must take this cyberattack seriously. While we have implemented additional cybersecurity measures, including the ISS, we must not be complacent and assume that we are now safe from cyberattacks. Instead, we must work on the assumption that the perpetrators will continue to try with increasingly sophisticated tools and techniques and may succeed in getting through. We must all remain vigilant, learn from this and continually strengthen our systems against evolving cybersecurity threats.

Mr Speaker: The Minister for Communications and Information will be making a related Ministerial Statement. I will allow Members to raise points of clarification on both Statements after this Statement. Mr Iswaran.

3.17 pm

The Minister for Communications and Information (Mr S Iswaran): Thank you, Mr Speaker, Sir. Let me start by reiterating the key facts.

First, SingHealth's IT system was the target of a deliberate and well-planned cyberattack.

Second, this attack caused the most serious breach of personal data in Singapore's experience.

Third, the personal particulars of 1.5 million patients, including the outpatient dispensed medication records of 160,000 patients, were illegally accessed and copied.

Fourth, Prime Minister Lee Hsien Loong's records were specifically and repeatedly targeted.

SingHealth and IHiS are private companies. They are not Statutory Boards. However, their patient databases are part of our Critical Information Infrastructure (CII). A cyberattack on any CII can disrupt essential services and affect public welfare and confidence.

We have done a detailed analysis of this attack and have determined that it is the work of an Advanced Persistent Threat (APT) group. This refers to a class of sophisticated cyberattackers, typically state-linked, who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations.

The APT group that attacked SingHealth was persistent in its efforts to penetrate and anchor itself in the network, bypass the security measures, and illegally access and exfiltrate data. The attack fits the profile of certain known APT groups. But for national security reasons, we will not be making any specific public attribution. Given the serious implications of this incident for public health and safety, I have convened a COI to get to the bottom of this incident, learn from it, and implement stronger safeguards.

We will do our utmost to strengthen our cybersecurity. But it is impossible to completely eliminate the risk of another cyberattack. This is an ongoing battle, with potential cyberattackers who are constantly developing their capabilities and seeking out new vulnerabilities.

We should not let this incident or any others like it derail our Smart Nation initiatives. In fact, we must pursue these initiatives for they will bring benefits and opportunities for Singaporeans.

What matters most is that our people and systems remain resilient, that we are able to respond swiftly and effectively to a cyberattack and that we strengthen our defences and harden our systems. I want to thank Members who have raised a range of questions on the cyberattack, our response and the COI, and I will now address them in detail.

Let me start by adding CSA's perspective to the Minister for Health's detailed account of this incident and subsequent response. On 10 July 2018, CSA was notified that an unauthorised network intrusion had occurred at SingHealth. CSA immediately deployed members of its National Incident Response Team (NIRT) to investigate the incident. The CSA team conducted forensic investigations on suspected compromised computers and supported IHiS in implementing measures to contain the attack. This included blocking unauthorised connections to prevent access by the attacker, resetting servers, enforcing mandatory password resets for all SingHealth users, heightened monitoring across all public healthcare IT systems, and implementing Internet Surfing Separation.

CSA's investigations ascertained that on 4 July, IHiS system administrators had discovered unusual activity on one of SingHealth's IT databases which triggered follow-up investigations by IHiS' IT team. CSA subsequently established that the attackers had obtained a foothold in SingHealth's network by infecting a frontend computer with malicious software, or what is called malware. The attackers had evaded detection by the SingHealth network security tools, moved stealthily through the system, eventually gained access to the database servers storing SingHealth's patient records, and copied the data to servers hosted overseas from 27 June to 4 July. No further data loss has been detected since 4 July.

Based on the logs, two types of data were illegally accessed – personal particulars, including the name, NRIC number, address, gender, race and date of birth of 1.5 million patients, and the outpatient dispensed medication records of 160,000 patients.

The attackers also repeatedly and specifically tried to steal the medical records and data of Prime Minister Lee Hsien Loong. Prime Minister Lee's personal particulars and outpatient dispensed medication records were stolen.

However, to reinforce the point that Minister Gan Kim Yong made, no telephone numbers, passwords or credit card information were accessed or stolen. Neither were other medical records, such as diagnoses, test results or doctor's notes. They were not illegally accessed. The data that was illegally copied was not tampered with, nor was it deleted.

CSA has done a detailed analysis of the SingHealth cyberattack and has determined that it is the work of an APT group. An APT group refers to a class of sophisticated, usually state-linked cyberattackers who conduct extended and carefully planned cyber campaigns to steal information or disrupt operations. Some recent examples of cyberattacks by APT groups include the hacking of the US Democratic National Committee in 2016, and the theft of more than 20 million personnel records from the US Office of Personnel Management in 2014. Singapore has also been the target of APT attacks, such as that on the National University of Singapore (NUS) and Nanyang Technological University (NTU) last year. The cyberattack on SingHealth had characteristics that are typical of an APT attack. The attacker used advanced and sophisticated tools, including customised malware that was able to evade SingHealth's anti-virus software and security tools. After establishing a foothold in the network, the attacker took steps to remain in the system undetected before stealing the patients' information. The attack fits the profile of certain known APT groups but, as I have said earlier, for national security reasons, we will not be making any specific public attribution.

Let me now turn to the COI. Mr Speaker, may I have your permission for the distribution of the note on the COI's composition and terms of reference, please?

Mr Speaker: Yes, please. [A note was distributed to hon Members.]

Mr S Iswaran: As the notes are being distributed, let me summarise. The COI will establish the events and contributing factors leading to the cyberattack and the incident response. It will also recommend measures to safeguard public sector IT systems containing large databases of personal data, including those in the public healthcare clusters, against similar cyberattacks. The COI will submit its report by 31 December 2018.

The Chairman and members of the Committee have the legal, technical and operational expertise to conduct a thorough and rigorous inquiry. The Chairman, Mr Richard Magnus, was formerly the Senior District Judge, and he has chaired two other COIs before; Mr Lee Fook Sun is the former president of ST Electronics and currently Executive Chairman of Quann World, a cybersecurity company; Mr T K Udairam was formerly Chief Executive Officer (CEO) of Changi General Hospital and he has decades of experience in healthcare administration; Ms Cham Hui Fong is a former Nominated Member of Parliament and Assistant Secretary General at the National Trades Union Congress.

The COI has already started its work. The Committee has had preparatory meetings and will soon hold its first pre-Inquiry conference. The Attorney-General's Chambers (AGC) will lead evidence and CSA will lead a team to conduct the investigations.

After receiving CSA's investigation report, the COI will conduct the Inquiry hearings. As some aspects of the Inquiry have security implications, the COI will decide which part of its hearings can be held in public.

Some Members have asked whether the SingHealth cyberattack could have been prevented and what are the lessons learnt. As the COI will be addressing these issues, I seek Members' understanding to allow the Committee to conduct a thorough investigation and to complete its work without pre-empting its findings.

Meanwhile, the Government has taken additional measures to strengthen our cybersecurity defences. CSA's forensic investigations team has analysed the compromised computers and extracted Indicators of Compromise. These are pieces of forensic data used to identify malicious activity on a network. CSA then instructed owners and regulators of CII to scan for these Indicators and advise on possible measures to mitigate a similar incident. CSA has also instructed CII sectors to strengthen the security around their network connectivity gateways.

In addition, the Cybersecurity Act passed by this House in February this year gives the Government additional levers to strengthen the protection of CII against cyberattacks and to respond to national cybersecurity threats and incidents. CSA is currently implementing the provisions of the Act and will designate all CII by the end of 2018.

Notwithstanding these measures, we must recognise that a balance must be struck between cybersecurity on the one hand, and operational efficiency and service quality on the other. This is a dynamic balance, one that will change as the threat landscape evolves. CSA will direct CII owners on the essential security measures they must adopt to meet a required standard. Beyond this, CSA will also render its professional advice on what CII system owners could do to further strengthen their defences. Ultimately, owners and regulators of CII are responsible for ensuring the security and uninterrupted operations of the essential services they provide.

The Government had taken the added precaution of calling for a pause in the introduction of new Information and Communications Technology (ICT) systems, although there was no evidence that Government ICT systems had been compromised in this cyberattack. The Smart Nation and Digital Government Group (SNDGG) was directed to review the cybersecurity measures of all existing and upcoming Government systems. SNDGG has completed its review and will implement additional security safeguards where necessary. The pause on new systems was lifted on 3 August, just Friday last week.

Cybersecurity is the foundation of our Smart Nation and Digital Government drive, and the Government is resolute in its commitment to strengthen our cyber defence, as well as our detection and response capabilities, in the face of the evolving cybersecurity threat.

All organisations – not just CII operators – should take this incident as a warning to review their cybersecurity system and ensure the protection of their IT systems and databases, including personal data.

There have been concerns that the data stolen through the SingHealth cyberattack could be used for fraudulent transactions or identity theft. I want to emphasise that there are multiple safeguards in place to mitigate such risks, especially for financial transactions and sensitive Government e-transactions.

Let me elaborate. Financial institutions generally do not rely solely on personal information, like those stolen in the SingHealth cyberattack, to verify customer identity. All banks and insurance companies in Singapore already have two-factor authentication (2FA) for online financial services, such as making fund transfers or accessing account details. To log in, the account holder has to input his/her Personal Identification Number (PIN) and a one-time-password (OTP), received via SMS or the bank’s authentication token. An additional authentication layer – commonly known as "transaction signing" – protects higher-risk transactions, such as adding a third party payee or transferring large sums of money. Unless the attacker has access to all authentication information, it would not be possible for fraudulent transactions or identity theft to occur.

To address any residual risk, the Monetary Authority of Singapore (MAS) has directed all financial institutions to take further measures, as announced in its press statement on 24 July.

Similarly, since July 2016, all sensitive Government e-transactions have been protected by SingPass 2FA. The account holder would need to input his/her SingPass username and password, and an OTP. Since the SingHealth cyberattack, agencies have taken further measures, such as heightened monitoring of their IT systems, and strengthening of the identity authentication process.

Individuals can also do their part by practising good personal data protection and cybersecurity habits. They should ensure that their passwords, user IDs and security questions are not based on personal data, use strong passwords, enable 2FA for online transactions, and watch out for fraudulent transactions and suspicious requests for personal data. SingCERT has published online the precautions that individuals can take in view of the SingHealth incident. Individuals may also contact SingCERT to report a cybersecurity incident, and the Personal Data Protection Commission to lodge reports of personal data breaches under the Personal Data Protection Act.

Mr Speaker, to conclude, I would like to emphasise that this was a well-planned and targeted cyberattack by an APT group. We will get to the bottom of this incident, learn from it and further strengthen Government IT systems. But I caution the House: we cannot completely eliminate the risk of another cyberattack breaking through our defences.

Ensuring cybersecurity is a ceaseless battle, like our battle against terrorism. It involves changing technology and sophisticated perpetrators who are constantly developing new techniques and probing for fresh weaknesses. Therefore, even as we do our best to strengthen our IT systems, it is crucial that our people and systems remain resilient, that we are able to respond robustly and decisively to an incident, and that we constantly learn and reinforce our system.

Despite this incident, or any others like it, we must press on with our plans for a Smart Nation, after learning and applying the lessons from this incident. We must adapt ourselves to operate effectively and securely in the digital age, to deliver better public services, enhance our economic competitiveness, and create good jobs and opportunities for Singaporeans.

The Government takes with utmost seriousness its responsibility of ensuring the security of public sector IT systems and databases. We will learn from this cyberattack, implement measures to better secure our IT systems and databases, and uphold public trust in our systems.

Mr Speaker: Dr Chia Shi-Lu.

3.37 pm

Dr Chia Shi-Lu (Tanjong Pagar): I thank both Ministers for their comprehensive Statements. We have been talking about a cyberattack but, practically, this has been more a case of cyber snooping or cyber theft rather than an attack, which brings me to my main question: how sure are we that no malicious malware still remains in the systems? I think we have been lucky in the sense that the systems have not been disrupted in terms of patients' safety or care. But as I understand it – correct me if I am wrong – with this APT type of attack, a lot of these initial attacks are meant to demonstrate that they can actually invade the systems, but the ultimate goal may be to be able to plant some malware that can disrupt our systems when the time comes. That was my main question: how sure are we that no malicious software remains in the systems, given that the database is a very large and complex system?

Mr S Iswaran: Speaker, I thank the Member for his question. First, I do not think we should speculate on the motives of the attacker. I think it does not detract from the fact that this is an illegal criminal act and we have the responsibility to get to the bottom of it.

Having said that, can we be sure that there is no remnant malicious malware in the system? As I had said earlier, our agencies – CSA working with their counterparts in IHiS and SingHealth – have done everything they can to secure the system and to detect and eliminate the risk. In fact, as we also elaborated, even as we were doing the work to contain the challenge, as late as on 19 July, there was evidence of some residual risk which had to be dealt with. At midnight on 19 July, Internet Surfing Separation was then imposed.

The short answer is that we have done everything in our means to secure the system, to detect any residual risk and eliminate it. But as I have said several times in the course of my Statement, one can never be sure that we have fully eliminated that risk.

Mr Speaker: Ms Joan Pereira.

Ms Joan Pereira (Tanjong Pagar): I thank the Ministers for their Statements. Since the cyberattack, a few of my elderly residents came to see me and told me that they worry that their medication records will be altered. How can we help our people, especially our elderly residents, to better understand our cybersecurity matters and even measures that will be taken?

Mr Gan Kim Yong: Mr Speaker, Sir, as I explained in my speech, IHiS, together with CSA, has gone through our detailed access logs to ensure that the data has not been altered. But we understand that patients will still be anxious and want to know more about this incident, how they can protect themselves, and what implications there are for them. I encourage them to contact SingHealth, which will then follow up with a more detailed explanation specifically for the affected patients. There is a hotline that they can call, and the number is 6326 5555. If they want to have more details, please contact SingHealth and our people, our hotline operators, are trained to answer their questions and to help them clarify any doubts or anxiety that they may have with regard to their medication information.

Mr Speaker: Ms Sylvia Lim.

Ms Sylvia Lim (Aljunied): Speaker, I have two clarifications. I have actually filed a question to the Minister for Health to ask if the Government could elaborate on the reasons for the several days of delay between the time that the attack was confirmed and the time that the public was made aware of it. According to the timeline released by the Government, it was confirmed on 10 July that a cyberattack had indeed taken place and, two days later, in fact, a Police report was lodged. But the public only got to know about this attack on 20 July. I would like to ask the Minister to elaborate on the reasons why the public was not made aware earlier because they could have taken some steps, for example, to change their passwords or protect their information.

My second question is also for the Minister for Health. During the first press conference on 20 July, we noted that the Minister apologised for the incident. But we are hearing today, really, that the CIIs are responsible for safeguarding the data on the systems. So, is there any significance as to why it was not SingHealth that apologised but rather the Minister who apologised?

Mr Gan Kim Yong: I will first clarify the second question. I think SingHealth, during the press conference, had also apologised; probably it was not carried in the media. But they did apologise to the patients for the incident as well as the inconvenience that has been created. Anyway, my apology is on behalf of the entire healthcare family. I take it that, ultimately, I will have to apologise to the patients who are affected.

On the first question on the time between 10 July, when we confirmed that it was a cyberattack, and 20 July, when we had a press conference and informed the public, I explained in my Statement that between 10 and 20 July, many things were happening and there were multiple streams of work that were carrying on at the same time. Our priority at that time was to ensure that our system was protected and that our data would not be subject to further exfiltration. That took a while because, first, they had to trace back where the sources of attack came from, so that the Cyber Security staff would know where and how to protect the database. We also needed to investigate to determine whether or not there were additional data that were compromised beyond what we already knew.

So, the first stream of investigation was to focus on protecting the data. The second stream of work was on investigation of the incident to trace back to see how it started, so that we were confident that this was the only attack that we were experiencing. The third stream was to identify what were the data that were compromised and who were the patients that were affected, so that we could pave the way to inform them. Therefore, the third stream was very important as well.

At the same time, SingHealth also started to prepare to inform the patients, and all these required time. In the meantime, we also had to make sure that there were no further attacks on the system. As we mentioned earlier, as late as 19 July, there was still malicious activity in the data system. That is why we had to impose ISS on the evening of 19 July, so that on 20 July, when we disclosed to the public, we were quite confident that the system had been stabilised. At the same time, we had sufficient information to share with the public on how the incident happened, what were the data that were compromised, and who were the patients that were affected.

All these require time to prepare. And it is important for us to ensure that our information given to the public is accurate as far as we are able to ascertain.

Mr Speaker: Ms Denise Phua.

Ms Denise Phua Lay Peng (Jalan Besar): I thank the Minister for apologising and, in fact, not denying or defending the positions. So, thank you very much for that.

My second point is that cyberattacks, such as these, are actually, to me, a new form of terrorism that calls for the same, if not, more of the resources and attention that are given to, for example, physical terrorism by the Ministry of Home Affairs (MHA). There is a lot of public education. I can still remember it is run-hide-tell, and many of these are things that were done to ensure that we are very cognisant of physical terrorism. So, for cyber terrorism, it is all the more important.

In view that Minister Iswaran has said that the Smart Nation plans will press on for various reasons, what is the Government's plan in terms of added resources and also acquisition of cybersecurity expertise, for example? We know that nation-wide, there is a shortage of such cybersecurity expertise. And so, what are we going to do about it to ensure that we are protected in the long term as we proceed with our Smart Nation plans?

Mr S Iswaran: Mr Speaker, I thank the Member for her clarification. The Member is absolutely right. We should be very clear that our challenges with cybersecurity are in no way different from our challenges with terrorism. We have raised our awareness about terrorism. We have a systematic effort for that. But when it comes to cybersecurity and defences, perhaps the level of awareness is not as palpable. The reason is probably also because many of us, all of us, use digital devices as part and parcel of everyday life and we do not pause to think sometimes what the implications are of having this hyper-connectivity and the kind of data that flows through our devices and the connections that we have with the Internet and the wider Internet community.

So, in terms of the specific question, what are we doing? First, we have to use this opportunity to reinforce the message and the importance of cybersecurity to the general public and the measures that they can take at a personal level, which is what we have just outlined, but also to organisations, public and private organisations, because often the investment in cybersecurity is seen as a cost, without an obvious payoff and value. This sort of instance helps to crystallise why cybersecurity must be taken seriously at the top management level, and why you put in place systems and make the judgement in terms of what kind of resources should be allocated for this.

As far as the Government itself is concerned, we are very clear that we have to continue to invest in our ability and capabilities to prevent, detect and respond to any kind of cyberattack. As I said earlier, the reality is that this is going to be a ceaseless battle because the perpetrators or the potential perpetrators are constantly developing their own capabilities. So, we have to also ensure that we are able to do so. This is why we are investing in cybersecurity, not only in terms of building our capabilities within CSA, but also in the broader system. We have many efforts in the broader ecosystem – the ICT ecosystem – and cybersecurity is one of the focal points for that.

And the final point I would make is that as part of our overall defence, if you will, cyber defence, this is not just a battle we fight alone. We have allies from around the world. All of them face similar challenges, they are all investing in their capabilities, and the cooperation with our allies helps to strengthen our own capabilities in resisting such attacks.

Mr Speaker: Assoc Prof Daniel Goh.

Assoc Prof Daniel Goh Pei Siong (Non-Constituency Member): Mr Speaker, I thank the Ministers. I have one clarification for Minister Iswaran and one for Minister Gan. For Minister Iswaran, will the Ministry be investigating whether there is any negligence on the part of SingHealth in meeting the standards of proactively protecting the CII under the Cyber Security Act? And for Minister Gan, the Minister mentioned that the permanent ISS may be implemented for parts of the healthcare system. Can the Minister elaborate which part of the system is likely to face the permanent ISS and, given that this attack happened at a frontline workstation, would this actually mean most of the healthcare systems face a risk?

Mr S Iswaran: Mr Speaker, the COI has been asked, as elaborated in the Terms of Reference, to study what were the factors that led to the incident and how were the relevant players involved in the response, in order to derive the lessons that can be used and applied in the context of our public sector ICT systems and databases and also specifically for the health system.

In that process, I imagine that they would be looking at what could have been done, what should have been done and then, make their recommendations accordingly. I would urge Members to refrain from going down the path of allocating blame at this stage. Our resolute focus should be on ensuring that the system in SingHealth is secure and patient data is protected. And for this, we need all parties who are involved to be working together in order to achieve that objective. The COI will conduct its due process and, when we have the outcome of that and we know the recommendations and findings, then we can take appropriate action.

Mr Gan Kim Yong: Sir, let me, first, respond to the second part of Assoc Prof Daniel Goh's question on which part of the system should be continued with ISS and which one should be exempted from ISS. It is still early days. I would not want to pre-empt the decision. IHiS, together with SingHealth and the clusters, is reviewing, and we have also just implemented ISS. We really want to understand the impact on the ground and assess which are the parts that really can continue with ISS and which are the portions of the healthcare system in which ISS is actually not practical and could affect patient care in the long term.

So, just to explain, today, whilst we have introduced ISS, there are a number of workaround solutions which the IHiS team has been working on with our clusters on the ground to help our doctors and patients to ensure that the system will continue. But some of these workaround solutions are not sustainable in the long term because they are basically workarounds. And, therefore, we will have to look at whether there are practical, long-term solutions for some of these workarounds. In areas where it is not possible, there may be alternative safeguards that will be able to provide added protection but not necessarily ISS; those are the alternatives that we could consider. One example I mentioned earlier in my Statement was a virtual browser solution, together with Advanced Threat Protection measures. Taken together, they will provide significant protection without having to resort to ISS.

I would imagine that in a healthcare system where care is quite closely linked to Internet access in some areas, for example, emergency departments and so on, it may be critical, and these are the areas which are more likely to be given certain rights for Internet access. And even with Internet access, there are ways to protect our core database system. For example, you could designate specific servers that they have access to and deny access to other servers that are not related.

I do not want to go into too much detail because these also have implications on our security measures. Suffice to say that I do not want to pre-empt the outcome of the review. We will give the Committee and the team time to look at the system and to review the implementation of ISS on the ground today. And from the experience of ISS, we can then make an informed assessment of which are the parts that should continue with ISS and which are the parts we should maybe refer to alternative solutions.

Mr Speaker: Mr Saktiandi Supaat.

Mr Saktiandi Supaat (Bishan-Toa Payoh): Mr Speaker, I would like to thank the Ministers for answering the questions and, in particular, allaying concerns about the impact of financial liabilities, especially to residents. I just have one question. In relation to the COI's Terms of Reference No 5, I noticed that the focus is largely on public sector IT systems. I am aware that the COI's Terms of Reference are, in particular, on public health data. Can the Minister for Communications and Information probably share a bit more about the private sector IT systems and, in particular, whether there are any public sector databases which potentially have systemic risk impact on Singapore and Singaporeans in particular? Maybe the Minister can share a bit more on that, in particular, for example, telecommunications companies, banks and private hospitals, and what is the plan, strategically, for CSA to address some of these issues.

Mr S Iswaran: I thank the Member for the clarification. First, we have to be clear. The COI's Terms of Reference have been scoped to focus on this incident because if we scope it too wide, then you will lose the value of setting up such a Committee, which is really to go deep, understand what the issues were and then to come up with valuable insights and recommendations which we can apply across the public sector and, specifically, in the healthcare system.

The Member then asked whether there are issues around databases and IT systems that reside outside the public sector. Sir, I want to bring Members back to the point I made earlier, which is that the CSA will be designating computer systems in 11 sectors as CIIs. Some of these sectors the Member highlighted are banking and telecommunications. There are others like energy, water and so on.

And each of these sectors has computer systems that may be within the public sector or in the private sector, but by virtue of the functions they perform, the databases they hold, they are deemed to be CIIs and, therefore, they will be designated and governed as such by CSA, by the rules and provisions under the Cyber Security Act.

And that is where, as I mentioned in my earlier Statement, CSA will ensure that there are certain minimum requirements that are implemented. But beyond that, there may also be certain advisory guidelines on what else they can do to further strengthen cybersecurity. But ultimately, the regulators and owners of those CIIs will have to make the judgement call and be accountable for the uninterrupted essential services they provide.

On the point of the private sector, what we learned from this incident will be shared. We have various platforms to do that in because there are, generally, various education sessions that Government agencies conduct to heighten awareness of cybersecurity and the measures that can be taken. We also have the frameworks of the Personal Data Protection Act and the Personal Data Protection Commission which are actively involved not just in following up on complaints or reports of personal data breaches but also in terms of raising awareness and education and sharing best practices, so that the general private sector can also continue to harden itself against cyberattacks.

Mr Speaker: Mr Low Thia Khiang.

Mr Low Thia Khiang (Aljunied): Sir, Minister Iswaran, in his Statement, mentioned twice that this attack is state-linked, which means, I take it, that it is not a normal kind of cyberattack and Singapore is being targeted by another state, and thereby this attack is state-linked. If that is the case, then may I know whether the Government knows which state is behind the attack or is linked to this attack? And, if so, whether or not the Government is prepared to share the knowledge with Singaporeans on which state is carrying out such an attack on us. In the details, Minister Iswaran mentioned that the attack was conducted by a professional group, an APT Group. Does the Government or CSA, in its investigations, know what is the name of the Group and where this Group has launched the attack from? And the Minister also mentioned that data was copied to another server. So, may we know where the server is sited?

Mr S Iswaran: Mr Speaker, let me state it for the third time for the Member's reference. The attack fits the profile of certain known APT groups, but, for national security reasons, we will not be making any specific public attribution.

The Member asked whether we are prepared to share the names, if we know specifically who, and whether we are able to then share that. I would put to the Member that, first, I have explained why we have a larger set of concerns around this matter. Secondly, in this sort of matter, whilst one can have a high level of technical confidence, one may not be able to have the certainty that you might need in order to specifically assign responsibility. And this is the kind of evidentiary threshold that may not stand up in a Court of law but, at the operational level, the agencies that are involved have a high level of confidence in their findings.

Having said that, we do not think it serves our national interest, nor is it a productive exercise for us to be making specific public attribution. What is essential is that we diagnose the problem clearly and take the appropriate steps. And if, in the process of the COI deliberations, specific attribution can be made in a manner where action can subsequently be taken up in a Court of law, we will certainly consider that course of action.

Mr Speaker: Er Dr Lee Bee Wah.

Er Dr Lee Bee Wah (Nee Soon): Sir, I have one question for Minister Iswaran. Many of my residents expressed concern when they heard that their personal details had been stolen, especially their NRIC. They are very worried and they do not know how this data will be used later on. I would like to ask the Minister: what more can the Government do to address the concerns of those whose details had been stolen?

And there are some suggestions whether an SMS alert can be sent to them if, let us say, their NRIC details were being used, for example, to open certain accounts or be involved in certain financial transactions.

Mr S Iswaran: Mr Speaker, I thank the Member for her question, which I think is a genuine, true reflection of some of the concerns on the ground. That is why, in my Statement, I tried to explain why Singaporeans in general and elderly residents, in particular, can draw some comfort from the fact that transactions that involve banks, financial institutions and those involved in sensitive Government e-transactions all have 2FA. So, it is not just about the ID, although in some cases, and I think, in many cases, the IC number is used as the ID. And this might be an opportunity for us to review that and see whether we can use other IDs which are more robust. And then, in addition to the ID, you need the password as well as the one-time password.

So, what we can explain to our residents in general is that the system that is in place is a secure one. But what might be prudent for them to do is, where they have got accounts, where they have already set them up and they have used their IC number particularly as an ID, or in some cases, people even use their NRIC as the password, they should reset and ensure that they have thoroughly reviewed this kind of exposure.

On the point the Member made about alerting them to any other kind of activity which can have financial implications, typically, in all of these transactions, you would have to not just put in your IC number or name. If you are going to, for example, buy something online, you need either credit card data or some other kind of financial information. That information has not been taken in this instance and, therefore, that link is broken. Hence, the consumers and the general residents can be comforted by that. But we should not get complacent and we should review this. And where they have got some accounts, it is well worth using this opportunity to look at resetting passwords.

Mr Speaker: Mr Vikram Nair.

Mr Vikram Nair (Sembawang): I believe Minister Iswaran mentioned that this has many analogies to a terror attack. And certainly, in dealing with the terrorists, the Government does have powers, for example, under the Internal Security Act, to investigate and detain without evidence that would stand up in a Court of law. And the national security reason is why you would not want to put it in the Court of law. Does the Minister think we need similar frameworks to deal with cyber threats?

Mr S Iswaran: I thank the Member for the question. I think our existing legislative framework provides us with sufficient scope, because if you can demonstrate and prove a criminal act, then you can take action under the Penal Code or appropriate legislation. If we can find a specific actor or individual who has posed a threat to our national security, then we also have legislation that allows us to take action against such individuals. So, the legislative levers are adequate. But this is a domain where the nature of the crime and specific attribution can be quite challenging at times.

Mr Speaker: Mr Leon Perera.

Mr Leon Perera (Non-Constituency Member): I thank the Ministers for their Statements. Just one supplementary question for Minister Iswaran. After the conclusion of the COI process, will MCI or other relevant authorities attempt to reach out to cybersecurity and IT professionals across the whole-of-Government and, indeed, in the private sector, to apprise them of some of the findings, to educate them maybe about the signatures of some of these groups that have made the attacks so that they can be better alerted to detect and pre-empt them, and also educate them on some of the preventive measures that they should undertake, drawing on the learnings from not just this attack, but perhaps the one at NUS and NTU as well that happened previously?

Mr S Iswaran: The answer is certainly yes. In fact, that is the objective of the exercise. We want to make sure that whatever the findings are, we are able to extract the lessons and recommendations which can then be used not just within the public sector or within the CII sectors but for other private sector operators because there is a general concern about security.

But the qualifier I will make is that what we can share is constrained by the considerations I had pointed out earlier. Secondly, it is also about having a risk-adjusted approach because, in certain types of companies and certain types of operations, their risk profiles are different and are at a lesser level and, therefore, they may not need to do everything. But they do need to take up certain basic measures for cybersecurity purposes. So, it has been a differentiated approach. But the larger point about drawing lessons which can then be shared, this is something that we certainly intend to do.

Mr Speaker: Mr Chong Kee Hiong.

Mr Chong Kee Hiong (Bishan-Toa Payoh): As IT talent is global and, as part of our cyber defence, I would like to ask the Minister if the Singapore Government Ministries, Organs of State and Statutory Boards and agencies have in place bug bounty programmes to tap upon the global expertise of white hats or ethical computer hackers, and if the compensation for their effort and time is globally competitive.

Mr S Iswaran: I understand where the Member is coming from. Let me say this: we are aware of the range of possible ways to harness talent, and we have to use them in a judicious way in order to ensure that we have our fair share of the talent that is needed for the kind of challenges that we face.

Mr Speaker: Mr Cedric Foo.

Mr Cedric Foo Chee Keng (Pioneer): My question is for the Minister for Communications and Information. While we regret this incident in SingHealth, can the Minister enlighten us whether other countries are also victims of cyberattacks? Secondly, can the Minister confirm that, apart from the COI, there is also a Police report that is lodged, and what is the purpose of that Police report? Is it to see if any crimes have been committed?

Mr S Iswaran: I thank the Member for the questions. First, have other countries been victims of cyberattacks? In my Statement, I highlighted a couple, both of which are in the context of the US. But there have also been other incidents in Europe. And I think many of these may not even be reported in the public domain, but we know that they are occurring. So, the truth of the matter is that this is a universal challenge; we are not an exception. In fact, every country is facing this challenge and the greater their connectivity and the use of digital technologies, the greater their challenge as well. So, that is an important point that all of us need to understand and appreciate.

The second point is on the contemporaneous Police investigation. So, the COI is doing its work. It will be aided by CSA, which leads a team of investigators, and they will also have the AGC leading evidence. The Police report was lodged because there was suspicion of a crime being committed. And so, the Police will investigate this incident in that context. But the Police will also take reference from any deliberations that take place in the COI.

And I would add that there is a third stream, because there was also a report lodged with the Personal Data Protection Commission. And they, too, are conducting their own investigations. And again, they too, will take reference from what is being conducted within the COI hearing process as well.

Mr Speaker: I will take one last question. Mr Liang Eng Hwa.

Mr Liang Eng Hwa (Holland-Bukit Timah): This question is for Minister Iswaran. My sense, after hearing what the Minister said in the Statement, is that we are really at the mercy of these state-linked cyberattackers, almost having to operate on their terms. So, I want to ask the Minister whether, besides the defensive measures that we take, there are any counter-offensive measures that we can also take as part of our cybersecurity strategy, so that we can not only defend against but also deter such attacks.

Mr S Iswaran: Let me say this. First of all, I think we should not create the impression that we are helpless or that we are at the mercy of these potential perpetrators. If that was the case, then why have this strong robust response? Because we have conviction that we can deter, and we have the capability. And where we do not, we will build it, and we will find ways to strengthen our systems so that we can resist such attacks.

And as far as this effort is concerned, it is also important that even as we do this, it is important that, psychologically, not just this House, but Singaporeans at large, understand that it cannot be foolproof. And so, we must have that resilience that when it happens, we will pick ourselves up again and we will learn from it, grow stronger and we will carry on. I think that is the most important aspect of the way we can deter such attacks.

Mr Speaker: Order. I propose to take a break now. I suspend the Sitting. I will take the Chair at 4.35 pm. Order. Order.

Sitting accordingly suspended at 4.14 pm until 4.35 pm.

Sitting resumed at 4.35 pm.

[Mr Speaker in the Chair]