I’m not sure if this qualifies as a news report, because there isn’t much new to report regarding the SingHealth hack. But I suppose I will share with you some of the acronyms which came up in Parliament.
- CII, which stands for Critical Information Infrastructure. There are 11 sectors like media, transport and telecoms and they straddle public and private sectors. When the Cyber Security Act passed in February takes effect, the CSA or Cyber Security Agency will set some minimum requirements for these sectors to comply with to secure what data they have on you and me.
- APT, which stands for Advanced Persistent Threat. Such APT groups are usually state-linked and make it their business to steal data or disrupt operations. SingHealth was hacked by an APT group but the G can’t say which or what or who because of national security considerations. In fact, it might not even get it right – at least it might not stand up in a court of law. Such an APT group had done the same before, attacking the National University of Singapore and Nanyang Technological University’s computer systems.
- ATP, which stands for Advanced Threat Prevention. This is not a group but some kind of security system that is being put in place in the health sector. There is also a “visual router” that is being piloted somewhere in the healthcare system.
Phew. Now that the technical part is over, here are some interesting bits.
What has the G got to do with SingHealth?
We already know that the July 20 press conference announcing the hack was fronted by Communications Minister S Iswaran and Health Minister Gan Kim Yong, who apologized for the hacking incident. Personal data of 1.5 million patients and outpatient medication records of 120,000 people, including the Prime Minister, were stolen.
But why was Mr Gan apologising and not the SingHealth people, asked Workers’ Party’s Sylvia Lim.
Mr Gan said it was because he was part of the healthcare family, adding that SingHealth had apologized too. Mr Iswaran had the better response. Right from the start, he said that SingHealth was a private company “not a statutory board” but because it was part of Singapore’s critical infrastructure, the G had to get involved.
That delay between discovering the hack on July 4 and telling the public on July 20 – what gives?
Mr Gan gave a long answer about having to secure the system, to make sure there were no remnants of malware and to investigate what happened. Right up to July 19, there were attacks and that was when the decision to do an ISS was made (Sorry. Forgot about this acronym – Internet Surfing Separation). It’s a pity that there wasn’t more dogged questioning on this point – were the authorities really so convinced even at such an early stage that no patient will be affected by the stolen data in the meantime?
Would ISS, if put in place earlier, have foiled the hackers?
This is where it gets interesting. Deputy Prime Minister Teo Chee Hean had said after the hack that ISS would have done the trick. Yesterday, Mr Gan didn’t give a yes or no answer but went to great lengths to explain why this was difficult to do in the healthcare sector. It would inconvenience patients and doctors and lead to longer waiting times. He also made it plain that the healthcare sector wasn’t asleep; its professionals had been trying out different ways in the meantime to secure data with as little inconvenience to patients and doctors as possible.
He added that the ISS, a temporary measure, might well become permanent for some parts of the healthcare sector.
Was there any negligence on the part of SingHealth, asked Non-Constituency MP Daniel Goh. Mr Iswaran’s answer was to ask that people do not go “down the path of allocating blame”. He noted that a Committee of Inquiry had been set up to look at what happened. The police and the Personal Data Protection Commission will be investigating as well. The COI will deliver its report by Dec 31.
Should we worry about our stolen personal data?
Mr Iswaran wasn’t as blunt as CSA head David Koh who has been pilloried for saying they were of “no commercial value”. Instead, he made it clear that very little use can be made of them, because most online transactions required much more than personal identification details to proceed. (Unless, of course, you’re silly enough to use your IC number as your password).
Both ministers stressed that only name, birthdate, gender and race and IC number were stolen, not credit card numbers, email addresses or telephone numbers. Nor were any details in the system changed.
I wondered at that point if Workers’ Party MP Png Eng Huat would stand up from his seat to ask the question he had tabled: whether the G would bear responsibility for any stolen identity crime committed as a result of the hack. He didn’t.
Sitting in the gallery, I thought the MPs were pussyfooting about the issue. First, no one asked why the SingHealth cyber people only spotted the hack on July 4, when it actually started on June 27. Second, since an APT had been levelled at the two universities in the past, what has been the outcome of those investigations that might have been learning points for others? Third, even if the APT group can’t be named, did our cyber sleuths let the supposed state know that we know? Or do they already know that we know?
I suppose we should leave everything to the COI, which will open some hearings but not those which touch on national security. Then it will publish its report.
Goodness! That will be next year!