Executive Summary

This article highlights the greatest data breach in Singapore's history, which happened on SingHealth's Sunrise
Clinical Management (SCM) database between late June and early July 2018. The paper begins with a short
introduction to the growing significance of information technology in hospital information systems and a
description of the case in Section 1. The second portion discusses the Hospital Information system’s evolution
and history. It critically analyzes the expanding usage of technologies in hospital information systems, as well
as the associated opportunities and difficulties. Then, in Section 3, based on the analysis in Section 2, the
various causes of the data breach in the case are examined. Finally, the research ends by presenting many
suggestions for improving the security of Hospital Information Systems.
Contents
1. Introduction & Background.......................................................................................................3
2. Hospital Information systems (HIS)..........................................................................................3
2.1 Historical Background & Evolution.....................................................................................3
2.2 Advantages and challenges...................................................................................................4
3. 2018 SingHealth data breach case.............................................................................................5
3.1 What happened?....................................................................................................................5
3.1.1 The timeline.......................................................................................................................5
3.2 Committee of Inquiry (CoI)..................................................................................................5
3.2.1 Recommendations made by the CoI..................................................................................6
4. Summary and Conclusion..........................................................................................................7
5. References..................................................................................................................................8
1. Introduction & Background

Advanced Technologies implementation has accelerated the pace of change in every industry, making
management processes more productive and smoother, therefore providing quality services to a more number of
people globally. Healthcare is not an exception (Mobisoft Infotech, 2020). In health care, information
technology (IT) is gaining traction and Health Information Systems have become common in every nation
(Ammenwerth et al., 2003). The field of healthcare informatics, which encompasses healthcare data,
information systems, and business, has benefited significantly from technological advancements. Health
Information Systems (HIS) are such a technical benefit to the health business, assisting in the efficient handling
of healthcare data (Mobisoft Infotech, 2020). These technological advancements obviously provide immense
options for reducing clinical errors (For instance medication errors, diagnostic errors), assisting medical
professionals (For example timely, accurate patient information), increasing care efficiency (Example: shorter
patient wait times), and even improving the quality of patient care (Bates et al., 2001). However, there are
several risks linked with health information technology: Modern information systems are expensive, and their
failure may have adverse consequences for patients and personnel (Ammenwerth et al., 2003). Networked
healthcare also raises questions regarding the safety and privacy of patient information. According to CIS, the
healthcare industry faces a host of cybersecurity-related issues. As a result, issues range from malware that
compromises system security and privacy to DDoS attacks that hinder institutions' ability to care for patients.
Laws such as HIPAA stress the need of securing sensitive patient data via the use of technology. (Health
Insurance Portability and Accountability Act, 1996).

Between late June and early July 2018, state-sponsored hackers carried out a "deliberate, targeted, and well-
planned" cyberattack on SingHealth's Sunrise Clinical Management (SCM) database. The assault gained access
to nearly 1.5 million patients' records, including Prime Minister Lee Hsien Loong's (Packetlabs, 2019).
Inadequate cybersecurity knowledge, weak passwords, unpatched software, personnel who fell victim to
phishing assaults, and an IT team incapable of identifying, much less mitigating, a security crisis. These are just
a few of the basic flaws that paved the way for Singapore's greatest data breach in history (Packetlabs, 2019).

2. Hospital Information systems (HIS)

2.1 Historical Background & Evolution

The history of health information management ranges from the simplest means of recording a patient's
symptoms, worries and treatment for usage by just one healthcare professional to the most complete technique
of gathering, integrating and harmonizing data for the conveniences of cooperation amongst health care
providers, researchers and managers (OpenTextblogs, 2022). Medicine has its roots in ancient Greek stories
used to document effective surgical procedures, share observations on signs and outcomes, and instruct those
who provided medical advice. Medical records that precede Simon Forman and Richard Napier's records,
astrologers who chronicled their customers' health concerns and treatment, are the oldest full collection of
medical records in existence. (OpenTextblogs, 2022). The arrival of computers in 1970 permitted the electronic
storage of records, but the expense of obtaining and maintaining a mainframe, as well as the cost of data
storage, restricted the use of technology to handle medical records in the largest organizations. When computer
technology improved to the point that it could handle large amounts of data, the field of health informatics as
we know it today was born. (OpenTextblogs, 2022).

The phrase "information system" is often used with wide meaning, for instance, “a system, whether automated
or manual, that comprises people, machines, and/ or methods organized to collect, process, transmit and
disseminate data that represent user information”. Similarly, to this definition, the phrase "hospital information
system" has been used (Winter & Haux, 1995). For over two decades, hospital information systems have
existed (Haux, 2006). When we examine our communities now, we must acknowledge that, in the meantime,
our civilizations have continued to evolve dramatically. Over the previous several decades, both medicine and
informatics have made enormous advances (Haux, Ammenwerth, Herzog & Knaup, 2002; Ammenwerth et al.,
2003). Especially, the World Wide Web's success has introduced new dynamics. E-health is gaining major
traction these days as a result of the many benefits and possibilities available (Klaib et al., 2019). Many clinical
data archives are being made available online, and web interfaces to commercially accessible information
systems are either being developed or currently in use. Most importantly, the web and its technologies
demonstrate the capacity to sustain a sophisticated economy (Kuhn & Giuse, 2001).

2.2 Advantages and challenges

Reliable health networks exchange data between patients and health care providers, aid in logistics, and allow
new sorts of application services. Coordination may be facilitated through secure intranet access to patient data.
Connecting healthcare institutions to reputable suppliers might strengthen the supply chain; and, when
appropriate, giving treatment remotely could bring different insights for both patients and caregivers(Kuhn &
Giuse, 2001). Numerous examples exist of effective health information systems that have a discernible impact
on healthcare. In Europe, for example, BAZIS transitioned from a government-sponsored experimental
initiative to the commercial sector, eventually becoming the main hospital information system in the
Netherlands. To ensure that users have access to adequate clinical material in the hospital database at an early
time, system development did not begin with financial and administrative features; they were added later. The
emphasis was on patient information, and development started in medical departments capable of supporting a
'full' work process. Extensive analyses have proven the benefits in terms of care quality and cost savings
(Bakker & Leguit, 1999). The Brigham Integrated Computing System (BICS) has proved the benefits of
electronic order input in terms of enhancing care quality. In 1999, around 400 orders were adjusted as a
consequence of a computer reminder or alert. With high user satisfaction, alerts, structured ordering, allergy,
and medication interaction checks, reminders for subsequent orders, and adverse event monitoring are all
implemented (Teich et al.,1999). There are many significant issues connected with health information systems
digitalization, which may result in incidents like the cyberattack on SingHealth's Sunrise Clinical Management
(SCM) database. The next section discusses the case in detail.

3. 2018 SingHealth data breach case

According to the Singapore Cyber Security Agency (CSA), 2019 While the number of common cyber threats
discovered in Singapore decreased in 2018, Singapore remains a target of sophisticated actor cyber-attacks. The
2018 SingHealth data breach was an event that occurred between 27 June and 4 July 2018 and was instigated by
unknown state actors.

3.1 What happened?

During that time span, 1.5 million SingHealth patients' personal information was taken, as were records of
outpatient medications provided to 160,000 patients. Between 1 May 2015 and 4 July 2018, fraudulently
accessed and copied the names, National Registration Identity Card (NRIC) numbers, locations, birth dates,
ethnicity, and gender of patients who attended specialty outpatient clinics and polyclinics (Wikipedia, 2022).
Patient diagnoses, test findings, and physicians' notes were unaltered (The Straits Times, 2018). It was
discovered that information on Prime Minister Lee Hsien Loong was targeted explicitly (Packetlabs, 2019). The
hackers gained access to the computers of SingHealth, Singapore's biggest healthcare company, which includes
four hospitals, five national specialty centers, and eight polyclinics. Two further polyclinics were formerly
administered by SingHealth (The Straits Times, 2018).

3.1.1 The timeline

Around August 2017, the hacker initially gained ingress to SingHealth's IT network via the compromise of front
end machines, mainly probably via phishing efforts. During December 2017 and June 2018, the intruder
traversed the network laterally, compromising additional terminals, databases, and user accounts. Beginning in
May 2018, the attacker made many unsuccessful efforts to gain admission to SingHealth's patient database
system. The intruder obtained database passwords on 26 June 2018 and quickly began searching and extracting
patient data. On 4 July 2018, an information technology manager at Integrated Health Information Systems
(IHiS), the information technology firm that services the public healthcare sector, including SingHealth, noticed
suspicious database queries. IHiS's information technology managers halted the suspicious queries and
instituted protocols to avoid future searches (CSA Singapore Cyber Landscape, 2018). On 10 July 2018, the
Cyber Security Agency of Singapore (CSA), SingHealth's top management, the Ministry of Health (MOH), and
the Ministry of Health Holdings were notified of the cyber incident (MOHH)

3.2 Committee of Inquiry (CoI)

On 24 July 2018, a Committee of Inquiry was established to examine the attack's causes and recommend ways
to help avoid future assaults. The four-member group is led by former Chief District Judge Richard Magnus and
includes representatives from a cyber-security company, a healthcare technology company, and the National
Trades Union Congress (The Straits Times, 2018).

3.2.1 Recommendations made by the CoI

In the 450-page report, the COI also highlighted that “the need” and “mindset” to undertake constant database
monitoring “was not part of the consciousness” of the network designers and operators at the time of the cyber
assault. The COI offered sixteen recommendations on strategic and operational initiatives to bolster SingHealth
and IHiS's cybersecurity posture. These principles apply to all organizations that manage big databases of
personal data. The following (Refer to Table 1) are some critical steps that all organizations should consider
implementing (CSA Singapore Cyber Landscape, 2018).

Table 1. CoI committee key recommendations

Recommendation Description
Integration of Integrating cybersecurity into the organization's risk management process involves
Cybersecurity into discussions and choices on how to balance cybersecurity and trade-offs (For instance,
the Risk cost, operational needs) depending on particular business factors (for example, patient
management safety in the public healthcare sector) handled at the high lead level.
process
Training Providing training to its employees to increase knowledge of proper cyber hygiene
practices, and foster an organizational culture in which cybersecurity is everyone's
duty. And employees must be trained and equipped to recognize and react to
cybersecurity problems, as well as to report these occurrences in a timely way.
Additional Defense Adding additional protections to levels of security measures, such as encryption,
mechanisms firewalls, and strong data access policies, in order to better prevent, detect, and react
to cyber events
Routine inspections Conducting extensive and routine inspections and audits to identify gaps in the design
and auditing and implementation of policies, processes, and procedures, and ensuring that these
gaps are addressed in a timely manner.
 cyber incident Creating cyber incident response strategies for a variety of situations and frequently
response strategies testing and updating them via realistic exercises and simulations.
Source: Author’s compilation using CSA Singapore Cybersecurity Landscape 2018 report

4. Summary and Conclusion

Healthcare is one of the most controlled and scrutinized businesses on a worldwide scale. Healthcare providers
and payers are subject to stringent legal, regulatory, and policy restrictions and duties. Additionally, cyber risks
to healthcare have been a significant issue for years owing to a variety of causes (Harman, 2021). Healthcare is
plagued by a number of cybersecurity issues. These issues range from malware that threatens system security
and patient confidentiality to distributed denial of service (DDoS) attacks that hinder institutions' ability to
provide patient care (CIS, 2021).

A data breach is one of the most prevalent cyber hazards in the healthcare industry (Harman, 2021). According
to the Ponemon Institute and Verizon's Data Breach Investigations Report (2021), Data breaches in the
healthcare industry are more frequent than in any other industry. Credential-stealing software, an insider
revealing patient data on purpose or by accident, or missing laptops or other devices may all lead to these
incidents. PHI (Personal Health Information) is more precious on the black market than credit card numbers or
any other kind of Personally Identifiable Information (PII). Medical databases are more attractive targets for
cyber criminals because of this. They may either sell the PHI or use it for their own benefit. Approximately 15
million health data have been affected as of this writing, according to the health and human services breach
report.

Singapore's personal data breach in July 2018 affected 1.5 million SingHealth patients, including Prime
Minister Lee Hsien Loong. The leak was caused by poor system management, a lack of personnel training, and
other significant problems. IHIS, the IT agency responsible for the public health system's information
technology and security, lacks enough cybersecurity knowledge, resources, and training to react appropriately to
the incident. However, staff training was not the only problem; it was the network's vulnerabilities, faults, and
misconfigurations that enabled the hackers to successfully infiltrate the system and exfiltrate data. Indeed, cyber
attackers got access to a public general hospital's Citrix servers through a critical code flaw in the link between
the Citrix servers and the hospital's Service Control Manager (SCM) database. These types of cyber assaults
may be prevented by implementing a defense-in-depth strategy and enforcing security rules and procedures.
Regular security inspections along with sufficient staff training about these types of assaults will aid in
identifying risks as soon as possible. As the CoI study notes, "users' level of cyber hygiene must continue to
improve."
To summarize, the rising usage of information technology (IT) and the digitization of information systems have
heightened the possibility of cyber assaults. Regardless of the many advantages, the potential of hacking cannot
be ignored, since sensitive patient data is at risk. The cyber-attacks on health care systems are increasing day by
day and these kinds of accidents not only jeopardize the patients' information security but also cast doubt on the
future. Proper application of defense mechanisms and network security is critical to preventing a data leak in the
first place. Encryption is the most effective method of preventing patient data from being accessed if someone
has access to healthcare systems. It is critical that encryption be used both at rest and during transit, and that
third parties and suppliers with access to healthcare networks or databases handle patient data appropriately as
well. It is advised that employees get training on safe PHI use and management in order to minimize data
breaches caused by employee mistakes, such as a lost device or an inadvertent disclosure.

5. References

2018 SingHealth data breach - Wikipedia. En.wikipedia.org. (2022). Retrieved 1 May 2022, from
https://en.wikipedia.org/wiki/2018_SingHealth_data_breach.

2021 data breach investigations report. Verizon Business. (n.d.). Retrieved May 1, 2022, from
https://www.verizon.com/business/resources/reports/dbir/

Ammenwerth, E., Gräber, S., Herrmann, G., Bürkle, T., & König, J. (2003). Evaluation of health information
systems—problems and challenges. International journal of medical informatics, 71(2-3), 125-135.

Ammenwerth, E., Haux, R., Kulikowski, C., Bohne, A., Brandner, R., Brigl, B., ... & Wolff, A. C. (2003).
Medical informatics and the quality of health: new approaches to support patient care. Methods of information
in medicine, 42(02), 185-189.

Bakker, A. R., & Leguit, F. A. (1999). Evolution of an integrated HIS in the Netherlands. International Journal
of Medical Informatics, 54(3), 209-224.

Bates, D. W., Cohen, M., Leape, L. L., Overhage, J. M., Shabot, M. M., & Sheridan, T. (2001). Reducing the
frequency of errors in medicine using information technology. Journal of the American Medical Informatics
Association, 8(4), 299-308.

Cyber attacks: In the healthcare sector. CIS. (2021, July 14). Retrieved May 1, 2022, from
https://www.cisecurity.org/insights/blog/cyber-attacks-in-the-healthcare-sector

Data breaches: In the healthcare sector. CIS. (2021, July 14). Retrieved May 1, 2022, from
https://www.cisecurity.org/insights/blog/data-breaches-in-the-healthcare-sector
Harman S, (2021, December 29). Healthcare cybersecurity: Threats and mitigation. Infosecurity Magazine.
Retrieved May 1, 2022, from https://www.infosecurity-magazine.com/blogs/healthcare-cybersecurity-threats/

Haux, R. (2006). Health information systems–past, present, future. International journal of medical informatics,
75(3-4), 268-281.

Haux, R., Ammenwerth, E., Herzog, W., & Knaup, P. (2002). Health care in the information society. A
prognosis for the year 2013. International journal of medical informatics, 66(1-3), 3-21.

Klaib, Ahmad & Nuser, Maryam. (2019). Evaluating EHR and Health Care in Jordan According to the
International Health Metrics Network (HMN) Framework and Standards: A Case Study of Hakeem. IEEE
Access. PP. 1-1. 10.1109/ACCESS.2019.2911684.

Kuhn, K. A., & Giuse, D. A. (2001). From hospital information systems to health information systems. Methods
of information in medicine, 40(04), 275-287.

Packetlabs. 2019. SingHealth Data Breach: A Series of Unfortunate Cybersecurity Events | Packetlabs. [online]
Available at: <https://www.packetlabs.net/posts/singhealth-data-breach/> [Accessed 30 April 2022].

Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore's worst cyber attack. The
Straits Times. (2018). Retrieved 1 May 2022, from https://www.straitstimes.com/singapore/personal-info-of-
15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most.

Singapore Cyber Landscape 2018. (2019). Retrieved 1 May 2022, from

https://www.csa.gov.sg/news/publications/singapore-cyber-landscape-2018.

Teich, J. M., Glaser, J. P., Beckley, R. F., Aranow, M., Bates, D. W., Kuperman, G. J., ... & Spurr, C. D. (1999).
The Brigham integrated computing system (BICS): advanced clinical systems in an academic hospital
environment. International journal of medical informatics, 54(3), 197-208.

Tham, I. (2018, July 24). 4-member committee of inquiry convened to investigate singhealth cyber attack. The
Straits Times. Retrieved May 1, 2022, from https://www.straitstimes.com/singapore/four-member-committee-
of-inquiry-convened-to-investigate-singhealth-cyber-attack

The History of Health Information Management - From Then to Now. OpenText Blogs. (2022). Retrieved 1
May 2022, from https://blogs.opentext.com/history-heath-information-management-now/.

What is Health Information System (HIS) &amp; its importance? Mobisoft Infotech. (2020, November 24).
Retrieved May 2, 2022, from https://mobisoftinfotech.com/resources/blog/importance-of-health-information-
system/#:~:text=Health%20Information%20System%20is%20a,coordinated%20treatment%20from
%20healthcare%20providers.
Winter, A., & Haux, R. (1995). A three-level graph-based model for the management of hospital information
systems. Methods of Information in Medicine, 34(04), 378-396.