Singapore, 1 November 2018 – With heightened cybersecurity threats following the SingHealth cyberattack, the Integrated Health Information Systems (IHiS) has taken several steps to strengthen cybersecurity measures across all public healthcare clusters and agencies. These measures help to improve our capacity to prevent cyberattacks, and also strengthen our ability to detect and respond should an intrusion take place on our critical systems.

Additional Security Measures Implemented Progressively
IHiS has expedited the planned implementation of Client Advanced Threat Protection (ATP). Client ATP goes beyond conventional defence against malware by blocking threats based on the techniques used by advanced threat actors. As of 26 October 2018, ATP has been deployed in over 6,000 servers and over 60,000 endpoint devices such as PCs, laptops and others. Full deployment is expected to be completed by the end of the year.
Temporary Internet Surfing Separation¹ (ISS) was implemented across the public healthcare sector earlier as a precaution. Mitigating measures were introduced for 46 public healthcare institutions to minimise the operational disruptions caused by the ISS. IHiS is working with the Ministry of Health on a long-term approach to the internet access strategy for public healthcare, as Internet connectivity plays an integral part in many aspects of healthcare delivery. On-the-ground implementation of ISS and alternative methods of protecting internal networks, such as the use of a virtual browser² solution, are being actively studied. A trial was carried out earlier to assess the technical feasibility of the virtual browser solution and test its compatibility with corporate applications. A pilot with a small group of users will be conducted to evaluate the user experience and further assess the security of the solution. The pilot is expected to be completed by mid next year.
IHiS has also identified and initiated 18 security measures that are being implemented progressively. These measures include:
a) Addressing Advanced Persistent Threats (APT) by sophisticated actors: Several measures are being initiated to improve our ability to detect indicators-of-compromise, record and monitor endpoints’ system-level behaviours and events, detect advanced malware and remove the threats, if any. Two-factor authentication will also be implemented for endpoint local administrators who manage end-user devices and installation of software.
An expanded suite of managed security services will be implemented via the Advanced Security Operations Centre including proactive threat hunting, threat intelligence, response services, and more. In threat hunting, for example, proactive and iterative searches are conducted to detect malicious or suspicious activities that may have evaded detection.
b) Addressing Vulnerabilities to Prevent Unauthorised Access to Public Healthcare Clusters’ IT Networks: To further prevent the use of weak passwords, IHiS is enhancing the access management capability to manage complex passwords centrally, and automatically update and protect administrator accounts. More stringent restrictions will also be imposed on administrative access to servers within the network. The access management will be boosted with threat analytics to provide earlier detection of suspicious account activities by applying a combination of statistical modelling, machine learning, as well as behaviour analytics to identify unusual activities, and respond faster to threats.
To secure the network against unpatched equipment, the access control will be enhanced to allow only authorised devices that are patched with the updated anti-virus and anti-malware signatures to join the network.
c) Enhancing Security of the Allscripts Sunrise Clinical Manager (SCM): IHiS is enhancing the SCM infrastructure to strengthen security and reduce the risks for the SingHealth SCM database. Database activity monitoring for SCM (which processes an average of 42,000 queries per second) is already in place and is being enhanced with more comprehensive blocks and alerts on execution of bulk queries.
Reviewing Key Systems
A comprehensive review of cybersecurity safeguards for key systems including the Electronic Medical Record systems for all public healthcare clusters will be conducted as a precaution. The National Electronic Health Record system is also being reviewed and tested by GovTech and the Cyber Security Agency of Singapore, as well as by PwC, an independent IT consultant. This will ensure that these systems have adequate and appropriate cybersecurity measures to safeguard patient data.
Improving Organisational Processes and SOPs
Other than infrastructural and software enhancements, IHiS has also improved its organisational processes and standard operating procedures (SOPs) to reduce the risks and impact of human errors. For example, IHiS has instituted a requirement for suspicious IT incidents to be reported within 24 hours, even if initial investigations cannot determine that they are security incidents. Additional checklists will be progressively put in place to ensure compliance with the SOPs.
We have also stepped up staff engagement to heighten vigilance against potential threats. This includes increased alerts and reminders to staff, as well as planned roadshows and briefings on cybersecurity. Training for the security team will also be strengthened to enhance their ability to prevent, detect, and respond to advanced and evolving cyber threats. This includes understanding advanced hacker tools, techniques and exploits, in-depth intrusion detection and advanced digital forensics.
Conclusion
As cyber threats evolve and become increasingly advanced, sophisticated, and persistent, IHiS will continue to work with our public healthcare users, CSA, industry cybersecurity experts, and regulators to continually strengthen security measures for our public healthcare system.
1. Internet Surfing Separation is the practice of disallowing computers that are connected to the internal networks and systems from accessing the Internet. To access the Internet, staff will need to use separate terminals which are not connected to internal networks and systems.
2. Virtual Browser is a solution where the content of websites that users visit is displayed and executed on an isolated and contained environment. As users only access reproduced content, it minimises the risks of their machine downloading and executing malicious files which may reside on the original sites.