The public healthcare sector’s IT vendor, Integrated Health Information Systems (IHiS), yesterday (Nov 1) announced a number of new measures it is taking to improve cybersecurity across the public healthcare system.
IHiS, which is owned by MOH Holdings, was implicated in the massive SingHealth data breach earlier this year, which saw the personal and medical information of 1.5 million Singaporeans, including PM Lee Hsien Loong, accessed and stolen by hackers.
An investigation into the incident revealed that the breach occurred because of a weak password on a computer, dormant admin accounts, and IHiS staff failing to immediately report suspicious account activity.
Here are some of the changes IHiS is promising to implement:
1. Teach staff to report suspicious activity quickly
The company said it is implementing a rule that suspicious IT incidents must be reported within 24 hours, whether or not initial investigations confirm them as security breaches. It also said it would provide training to its security team to understand advanced hacking techniques and how to identify them.
2. Use stronger passwords on computers
The company said it would improve its ability to “manage complex passwords centrally” and automatically update and protect administrator accounts linked to 60,000 devices, including desktops and laptops in public hospitals.
It would also implement two-factor authentication for admin logins. Similar to logins for bank accounts, this requires a one time password sent via SMS or a security token in order to access the account.
3. Be stricter about who gets access to information
Admin access to network servers will be subject to more stringent restrictions, and only authorised devices with updated anti-virus and anti-malware software will be able to sign in.
4. Actively try to find suspicious account activity
The company said it would implement proactive searches to detect suspicious activities that might have “evaded detection”, and would upgrade its access management with statistical modelling, analytics and AI to find unusual account activities faster. It plans to upgrade its clinic management software, Allscripts Sunrise, to block bulk requests for information and send an alert.
5. Install more sophisticated anti-malware blockers on servers and computers
After the data breach, IHiS promised to install Advanced Threat Protection systems on all devices by the end of the year – up from its original 2020 deadline. This technology protects devices against state-backed advanced persistent threat actors, which are said to be behind the SingHealth attack, according to The Straits Times.
6. Review and test the security of other medical record systems
As a precaution, the company will be reviewing the cybersecurity measures for other healthcare systems like public records of patient data. It added that the National Electronic Health Record system is being tested by GovTech, the Cyber Security Agency of Singapore, and external consultant PwC.
7. Consider using virtual browsers on computers
The company said it is working with the Ministry of Health to find an alternative way for healthcare workers to access the internet securely. It is testing out the possibility of using a virtual browser – meaning website content will be isolated and reproduced in a “contained environment” – to reduce the chances of downloading and launching malicious files.