Singapore explores virtual browsers following SingHealth data breach

Health Ministry is piloting the use of quarantined servers as part of efforts to "reduce the number of potential attack points", following last month's security breach that compromised the personal data of 1.5 million patients.
Written by Eileen Yu, Senior Contributing Editor

Singapore is assessing the feasibility of rolling out virtual browsers to reduce the attack surface of healthcare systems, following a critical cybsecurity breach that compromised personal data of 1.5 million patients.

Implementing virtual browsers would enable users to browse the web safely via quarantined servers, hence, reducing the number of potential attack points, said Singapore Health Minister Gan Kim Yong, in a statement delivered at a parliamentary session Monday.

He said the ministry currently was studying and piloting the virtual browser system, alongside the rollout of advanced threat protection--the latter of which had been in the works before last month's security breach, and was slated to complete by end of this month.

Singapore announced on July 20 that it had suffered its most serious data breach, affecting non-medical personal data of 1.5 million patients--including that of its Prime Minister Lee Hsien Loong--who visited SingHealth's cluster of healthcare facilities. Outpatient medical data of another 160,000 patients also were compromised, but these records were not modified or deleted.

Additional measures were taken to tighten the security of SingHealth's systems, including temporarily separating internet access from workstations to limit avenues for hackers to enter and exit the network.

Removing online access, however, could not serve as a permanent solution as healthcare providers depended on the internet to tap other systems for the delivery of some healthcare services, Gan noted. He said the healthcare ministry had assessed this measure, which had been adopted by other government agencies, and determined it would create operational challenges for healthcare workers and patients.

He said the pilot on virtual browser was expected to be completed by end-September.

Virtual browsers typically are physically or logically segregated from the computer's OS, isolating web browsing from other key components.

Gan added that Singapore's national electronic health record (NEHR) system, which ran as a separate system, was not affected by the cyberattack.

The health minister explained: "Due to the need for the system to interface with multiple external partners, the NEHR is designed differently from the systems that were infiltrated. Nevertheless, we recognise that this is an important national system of significant scale, as it will eventually house key medical records for all patients."

He said the health record system would be put through "a rigorous independent external review" before the government moved ahead with ongoing plans to mandate the contribution of electronic health records nationwide.

In addition, Singapore's Cyber Security Agency (CSA) and PwC Singapore would serve as independent third parties to identify any vulnerabilities and recommend measures to resolve them, he said.

"We must assure ourselves, users and patients that the necessary safeguards are in place, before we proceed with wider implementation of the NEHR," he noted.

A bill was mooted last November to compel all healthcare providers in the country to contribute to the national healthcare database. The health ministry then had said fewer than 70, out of the 1,600 GP clinics operating in Singapore, were part of the NEHR. In addition, just 3 percent of a local community of more than 4,000 private healthcare providers including GPs, hospitals, and nursing homes contributed to the database.

APT group behind SingHealth attack

Meanwhile, more details regarding the SingHealth breach have been released, though, the Singapore government remained mum about which state actors or hackers were behind the attack--assuming, it actually has identified the hackers.

In his statement during the parliamentary session, Singapore's Minister-in-Charge of Cybersecurity, S Iswaran said the cyberattack was the work of an Advanced Persistent Threat (APT) group, referring to "a class of sophisticated, usually state-linked, cyberattackers who conduct extended, carefully planned cyber campaigns".

He pointed to the cyberattack against the US Democratic National Committee in 2016 as the work of ATP groups, as well as the theft of more than 20 million personnel records from the United States Office of Personnel Management in 2014.

In the SingHealth attack, Iswaran added, the hackers had used "advanced and sophisticated" tools, including customised malware that broke through SingHealth's antivirus software and security tools. Upon breaching a workstation via the malware, the attacker infiltrated the network and took steps to remain undetected in the system before stealing patients' data, he said.

The minister said the attack fit the profile of certain known APT groups, but would not reveal any specific details "for national security reasons".

"The APT group that attacked SingHealth was persistent in its efforts to penetrate and anchor itself in the network, bypass the security measures, and illegally access and exfiltrate data," he said.

In a statement last week, the Singapore government said it had given the go-ahead for the deployment of new ICT systems to resume, after instructing such efforts to stop following the SingHealth breach.

CSA said the Smart Nation and Digital Government Group also would implement additional measures for critical government systems to strengthen the ability to detect and respond quickly to cybersecurity threats.

The cybersecurity agency added that it had instructed 11 critical information infrastructure sectors, highlighted in Singapore's cyberscurity bill, to take additional measures to beef up their network security. These should include removing all connections to unsecured external networks and implementing a secured information gateway between a two-way communication network.

Editorial standards