Singapore’s largest healthcare provider was fined Sg$250,000 and its security vendor Sg$750,000 for the massive data breach that also affected Prime Minister Lee Hsien Loong.
After receiving the findings of a four-member Committee of Inquiry (COI) assigned to investigate the cyberattack early this month, the Personal Data Protection Commission (PDPC) imposed fines totaling Sg$1 million (around $740,000) on SingHealth and its IT vendor Integrated Health Information Systems (IHiS).
The findings, according to a Straits Times news story, contain sensitive information and are classified as Top Secret over national security concerns.
The report found that SingHealth left the duty of securing patients’ data to its third-party supplier, in this case IHiS.
The investigating committee called on 37 witnesses in a 22-day public hearing. The attack is believed to be state-sponsored and committed by experienced criminal hackers.
The Singapore government disclosed the cyberattack in June last year. It exposed personal data of 1.5 million SingHealth patients and even outpatient prescription information of 160,000 people. The country’s prime minister was not spared from the attack.
The attack was so severe that it prompted IHiS to fire employees who were found to have neglected their duties. The chief executive and some members of the senior management team were given hefty fines.
SingHealth took responsibility for the incident.
The government has ramped up its cybersecurity solutions and accepted the recommendations of the COI. These may include “increased automation of the roll-out of software patches, and audits and drills will be intensified. Internet surfing separation and the use of a virtual browser are also in the works for the healthcare sector,” according to the report of The Straits Times.
The government acknowledged that this will not be the last time it is targeted and is looking at more long-term solutions such as a tiered model for internet access. It will identify which specific jobs need access to the internet. It is also considering managed use of the web through separate devices without having to connect to the internet.