Singapore suspended all its pending Smart Nation projects in July 2018 following the discovery that hackers had stolen sensitive health records of 1.5 million SingHealth hospital patients, of whom 160,000—including Prime Minister Lee Hsien Loong—also had their outpatient medication information stolen. The suspension allows a comprehensive review of cybersecurity measures across Singaporean government systems. This jeopardizes the timetable for the city-state's planned digitization of government services, around which the Smart Nation project revolves.
On 14 January 2019, Singapore’s Commissioner for Personal Data Protection, Tan Kiat How, released his 51-page Decision following his investigation into the case. The PDF of Case DP-1807-B2435 makes for interesting reading for anyone interested in the anatomy of a serious hacking incident.
Further, the penalties imposed by the Personal Data Protection Commission (PDPC), totaling S$1 million (HK$5,774,000, US$736,000), give rise to speculation as to what penalties might be imposed should a similar incident occur in Hong Kong.
SingHealth is one of three healthcare clusters in the Singapore public healthcare sector. IT systems across Singapore’s public healthcare sector are centralized within Integrated Health Information Systems Pte Ltd (“IHIS”). IHIS and SingHealth are wholly-owned subsidiaries of MOH Holdings Pte Ltd (“MOHH”), the holding company for the government-owned corporatized institutions in the public healthcare sector, while the Ministry of Health (“MOH”) determines the policies and structures within that sector. SingHealth employs both a Group Chief Information Officer (“GCIO”) and a Chief Information Security Officer (“CISO”).
SingHealth uses Sunrise Clinical Manager (“SCM”), an electronic medical record system which allows real-time patient data to be accessed across Singapore. In addition to patient particulars, the database contains each patient’s full medical records. As of July 2018 the SCM database contained patient data of over 5 million unique individuals.
As is often the case, the hack appears in retrospect as a comedy of errors. However, the intruder was patient, sophisticated, and spent considerable time exploiting highly specific vulnerabilities.
The attacker gained initial access to the SCM network in August 2017 by infecting a user’s workstation, probably through a phishing attack. Having obtained a bridgehead, the attacker used customized malware to infect and gain remote access to and control of other workstations between December 2017 and May 2018. This led to access and control of two user accounts, one of which was “secured” with a poorly chosen, easily guessable password (“P@ssw0rd”), while the other account used a password that had been generated automatically during installation.
Between late May and mid-June 2018, the attacker made multiple failed attempts to access the SCM database. On 11 June an IHIS database administrator discovered these failed attempts. She spotted more such attempts over the following two days and shared this with colleagues (and created a chat group).
Personnel alerted included the CISO and the Security Incident Response Manager (“SIRM”). However, IHIS’ Security Incident Response Team (“SIRT”) was not formally activated at any point. Exfiltration of data took place between 27 June and 4 July 2018. Further exfiltration was stopped by the intervention of a senior IHIS analyst who on 4 July created the firewall rules necessary to protect the SCM database.
Both the SIRM and the CISO were aware of the suspicion of attack since 13 June and the remediation steps of 4 July. The CISO did not make further enquiries. The SIRM was overseas until 18 June and did not arrange cover. Senior management at IHIS and the SingHealth GCIO were only alerted to the attack on 9 July 2018. Over the ensuing two weeks IHIS and the Cyber Security Agency of Singapore faced repeated attempts by the attacker to access the SCM network. Public announcement was made on 20 July followed quickly by notifications to affected individuals. On 1 November 2018 IHIS announced 18 security measures by way of remediation and fortification of their cyber defenses.
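The failed database logins were spotted by a database administrator reading logs by hand. The following is an added example, not code from the Decision or from IHIS, of the kind of rule that would have surfaced the same pattern automatically: it parses failed-login events in the format of a SQL Server ERRORLOG (an assumption; the Decision does not name the database engine’s log format), groups them by client address and flags any client that accumulates a threshold of failures within a short window. The log lines are constructed for this illustration, and the threshold and window are arbitrary defaults a practitioner would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not from the actual incident).
# One client guesses several accounts in quick succession; the rest is ordinary traffic.
SAMPLE_LOG = """\
2018-06-11 09:14:02.11 Logon       Login failed for user 'scm_app'. Reason: Password did not match. [CLIENT: 10.20.30.41]
2018-06-11 09:14:03.40 Logon       Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 10.20.30.41]
2018-06-11 09:14:05.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 10.20.30.41]
2018-06-11 09:14:06.77 Logon       Login failed for user 'scm_app'. Reason: Password did not match. [CLIENT: 10.20.30.41]
2018-06-11 09:14:08.13 Logon       Login failed for user 'dba'. Reason: Password did not match. [CLIENT: 10.20.30.41]
2018-06-11 09:20:15.00 Logon       Login succeeded for user 'scm_app'. Connection made using SQL Server authentication. [CLIENT: 10.20.30.52]
2018-06-11 11:02:00.00 Logon       Login failed for user 'jsmith'. Reason: Password did not match. [CLIENT: 10.20.31.7]
"""

# Matches only failed logons; successful logons and other event types are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[\d.]+)\]"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, user, client) tuples for each failed logon line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each client with at least `threshold` failures inside any `window`.

    Uses a sliding window per client so a slow, spread-out attacker is not
    hidden by fixed time buckets. Returns {client: summary} for flagged clients.
    """
    by_client = defaultdict(list)
    for ts, user, client in sorted(events):
        by_client[client].append((ts, user))

    alerts = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits within the allowed span.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hits = evs[start:end + 1]
            if len(hits) >= threshold:
                alerts[client] = {
                    "count": len(hits),
                    # Several distinct usernames from one client is the signature
                    # of credential guessing rather than a single user's typo.
                    "users": sorted({u for _, u in hits}),
                    "first": hits[0][0],
                    "last": hits[-1][0],
                }
    return alerts


if __name__ == "__main__":
    for client, summary in find_bursts(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"ALERT {client}: {summary['count']} failed logins for "
              f"{summary['users']} between {summary['first']} and {summary['last']}")
```

The point of the rule is that it fires on suspicion, not confirmation: five failures across four different accounts from one host within seconds is enough to open a ticket and notify the incident responders, whatever the eventual explanation turns out to be.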
IHIS acts as a “data intermediary” (equivalent to a data processor in Hong Kong), processing personal data on behalf of SingHealth. Under section 4(3) of Singapore’s Personal Data Protection Act 2012 (“PDPA”) IHIS had the same obligation in respect of such personal data as if it had been the data user/controller. Therefore, both SingHealth and IHIS are obliged to make reasonable security arrangements to protect SingHealth’s patients’ personal data.
Section 24 of the PDPA requires an organization to protect the personal data it holds by making reasonable security arrangements. What is reasonable depends on the nature of the data, the form in which it has been collected, and the possible impact of its loss.
Commissioner Tan spent some time cataloguing the numerous safeguards, committees and audit procedures across SingHealth and IHIS. These proved to be fallible, as the errors identified were human rather than mechanical ones.
The SingHealth CISO did not escalate the security events of which he was aware in mid-June 2018, but deferred to the SIRM’s assessment as to whether an incident was reportable. In his turn the SIRM wrongly thought that a cyber security incident should only be escalated when it is “confirmed”. This had the effect of preventing the resources and processes attendant on a Category 1 reportable security incident being brought into play. Although on its face this delay is inexplicable, a footnote to the Decision notes:
“The evidence also suggested that the reluctance to escalate potential security incidents may have come from a belief that it would not reflect well in the eyes of the organization if the matter turned out to be a false alarm”.
There is a lesson there for all of us!
Although the Commissioner found that the SingHealth CISO failed to discharge his duties, such a single point of failure pointed to a systemic problem. As all IT functions and capabilities for the public healthcare sectors are centralized in IHIS (and the CISO had no staff reporting to him), the Commissioner noted that SingHealth’s CISO and GCIO Office had no option but to rely on IHIS for their oversight of cybersecurity incidents. The Commissioner found that SingHealth had failed to put in place reasonable security arrangements to protect the personal data it held, and directed SingHealth to pay a penalty of S$250,000 (HK$1,443,000, US$184,000).
The Decision catalogues numerous shortcomings in IHIS’ practices, policies and response, including the following:
- IHIS did not have a written policy on IT security incident reporting for its non-security staff;
- IHIS had not followed or enforced its own policies in relation to implementation of firewall rules. These weaknesses were exploited by the attacker;
- IHIS’ administrators had not consistently applied the policy requiring 15-character passwords;
- dormant accounts were not disabled;
- vulnerabilities which had been flagged to IHIS in previous technical audits were either not remedied or not addressed in time. Worse, remediation was stated to be done when it was not actually done or not done thoroughly.
IHIS was also found to have breached section 24 of the PDPA. Owing to its central role in the incident, the Commissioner directed IHIS to pay a financial penalty of S$750,000 (HK$4,330,000, US$552,000). He said he would have imposed the maximum penalty allowed of S$1 million against IHIS but for IHIS’ cooperation, admission of liability and immediate effective remedial action following the breach.
Although arguments may be raised that for a public official to impose a financial penalty on what are effectively two public sector bodies simply involves the circulation of public funds, the Decision reads to an outsider as a serious evaluation of the problems and shortcomings involved, culminating in career influencing penalties.
Hong Kong’s equivalent legislation
Like Singapore, Hong Kong wishes to be seen as a leader in information and communication technology. Hong Kong has had its fair share of data outages and hacks, most recently in the private sector, although our hospitals have not been immune from data loss problems.
Hong Kong’s Privacy Commissioner Stephen K Y Wong has been vocal in calling for enhancements to the Personal Data (Privacy) Ordinance (“PDPO”) in the area of cybersecurity and to take up some of the advancements of the EU’s General Data Protection Regulation (“GDPR”). Hong Kong currently does not mandate data breach notification (Singapore’s Cybersecurity Act 2018, in force since 31 August 2018, requires owners of critical information infrastructure to report cybersecurity incidents).
So, what would have happened in Hong Kong?
There are three fundamental differences in the approach taken under the PDPO compared to Singapore’s law, relevant to this incident.
First, Hong Kong’s law does not impose direct obligations upon data processors (the equivalent of IHIS, as data intermediary in PDPA parlance). This was recognized as a lacuna in the public consultation before the PDPO’s 2012 amendment. However, provisions imposing liability upon processors were dropped so as to make room for the major changes passed in the 2012 amendment, which imposed hefty fines and complex regulations concerning misuse of personal data for direct marketing (in direct response to the 2010 incident involving Octopus cards). Data users (as SingHealth were in the recent Decision) are fully responsible for the actions and defaults of their data processors, and are required to impose appropriate obligations on those processors by contractual means. However, in practice, if Hong Kong law applied to this incident, those investigating would have had recourse only to SingHealth.
Secondly, the Hong Kong Privacy Commissioner does not have the power to impose any financial penalty. He can investigate breaches in response to complaints, and issue enforcement notices (if he has reason to believe the data user will not heed his recommendations). For a fine to be imposed, a prosecution must first be made by the public prosecutor. (A report in January 2017 indicated that fewer than 5 percent of cases forwarded to the police by the Privacy Commissioner led to a prosecution in 2016).
Thirdly, although it is most likely that were it to occur in Hong Kong, SingHealth’s actions would constitute a breach of the PDPO, the available financial penalty would be far lower. Although the fines available for the misuse of personal data in the context of direct marketing are meaningful (up to HK$1 million in extreme cases—less than one-fifth of the penalties available under the Singapore regime), the 2012 amendments to PDPO which increased such fines did not result in increased tariffs for other breaches of the PDPO.
Hong Kong’s 4th Data Protection Principle provides that a data user must take all practicable steps to ensure protection against unauthorized access to personal data it holds. By section 4 of the PDPO, data users must not act, or engage in a practice, that contravenes a data protection principle. If the Privacy Commissioner served an Enforcement Notice, and that Notice was contravened, the data user would be subject to a fine at Level 5 (up to HK$50,000) and imprisonment for 2 years on first conviction. If the offense continues after the conviction, a daily penalty of HK$1,000 applies.
While it is true that Hong Kong has a tradition of public inquiries following disasters, and such inquiries generally do not entail the imposition of direct financial penalties, where an investigation is undertaken in respect of a major cyber event, Hong Kong people may expect to see more significant penalties imposed.
Peter Bullock is a partner and technology lawyer with King & Wood Mallesons. He is contactable via email.