A distributed denial-of-service (DDoS) attack has been identified as the cause of an online service outage that affected several public healthcare institutions in Singapore.
And the attacks are continuing, according to national healthtech agency Synapxe, which is responsible for the IT operations that support the country's public healthcare network. This network encompasses 46 public healthcare institutions, such as hospitals and polyclinics, and 1,400 community partners that include nursing homes and general practitioners.
Internet connectivity was disrupted on November 1 when attackers flooded the affected servers with requests, preventing legitimate users from accessing the websites of several hospitals. Affected institutions included Tan Tock Seng Hospital, Singapore General Hospital, and National University Hospital, and three local public healthcare clusters, including SingHealth (Singapore Health Services) and National Healthcare Group.
Online connectivity was down for just over seven hours. During this time, services that needed connectivity were inaccessible, including email and staff productivity tools. Most affected services were restored by 5.15pm on November 1.
Synapxe said there was no evidence to suggest public healthcare data and internal networks had been compromised. It added that mission-critical systems supporting clinical services and operations at the healthcare institutions remained up, including access to patient records and internal networks.
The healthtech operator said it had detected an abnormal surge in network traffic on the morning of November 1, which circumvented tools it had in place to block errant activities.
The agency said its networks are protected with "a layered defence" that is architected to detect and respond to online threats, including DDoS attacks.
"Our systems are also designed with redundancies for resilience and these include system backups. To minimize the risks of being overwhelmed by higher-than-usual internet traffic, Synapxe subscribes to services that block abnormal surges in internet traffic before they enter our public healthcare network," it said. "Once the traffic is cleared by the blocking service, firewalls [also] are in place to allow only legitimate traffic into the network."
The DDoS attack, though, had "overwhelmed" the firewall behind these blocks, which triggered the firewall to filter out the traffic and rendered services that depended on online connectivity inaccessible.
Synapxe said it worked with its service providers to roll out measures to block the abnormal traffic, so legitimate requests could come through and affected services were restored progressively.
The DDoS attacks are "continuing", it said, adding that this might mean further occasional disruptions to internet services.
Its investigations into the incident are ongoing and are being carried out alongside Singapore's cybersecurity regulator, Cyber Security Agency (CSA).
"The incident is a stark reminder that DDoS attacks are on the rise, with changing attack methods," Synapxe said. "DDoS attacks cannot be prevented and the defences against DDoS attacks will have to constantly evolve to keep up with advancements.
"The public healthcare sector will take this opportunity to review our defences against DDoS attacks and learn from the episode to further strengthen our cybersecurity," it added.
SingHealth was fined SG$250,000 over the incident, while Synapxe (then called Integrated Health Information Systems) was slapped with a SG$750,000 fine for failing to take adequate security measures to safeguard personal data.
Last month, CSA took further steps to expand a national security labeling initiative by including medical devices, releasing a sandbox with which manufacturers can test their products. The government agency said 15%, or more than 16,000, of medical devices in local public healthcare institutions have internet connectivity and medical devices increasingly are connected to hospitals and home networks. This can drive up cybersecurity risks, where security gaps in software used for clinical diagnostics, for instance, can be exploited to generate wrong diagnoses, CSA said.
It added that unsecured medical devices can also be targeted in DoS attacks, thereby, preventing patients from receiving treatment. CSA hopes the expansion of the security labeling scheme to include medical devices will motivate manufacturers to embed security into their product design, and that healthcare operators can make more informed decisions on the use of such devices. The scheme encompasses four ratings, with each level reflecting additional tests on which the product was evaluated.