SingHealth hack welcomes us back

Pulse+IT had a very leisurely summer holiday, thank you very much, including plenty of time for summer reading. This included perusing a stunning profile of Epic founder Judy Faulkner in the New York Times just before Christmas that we highly recommend you take a look at.

Epic's headquarters in rural Wisconsin includes a treehouse, a Humpty Dumpty sculpture and a conference room reached by way of a rickety bridge. The article itself has a fascinating profile of Ms Faulkner, who has long been of interest to the health IT industry despite flying very much under the radar of the wider industry.

She is a fascinating figure – the head of one of the most profitable health IT companies in the world for 40 years, with a personal fortune counted in the billions, who also just happens to be a woman. She has also been famously media shy, although much less so in the last few years. While IT trade journalists have on very rare occasions been able to interview her, it is unprecedented for a reporter from a big outlet like the New York Times to take an interest, let alone be invited to visit. The end result is seriously weird.

As the new year began we also heard from Singapore, where a full report from its commission of inquiry into exactly what happened during last year's hack of its public health system was released. When the attack was reported on here in Australia in late July, it came just as the opt-out period for the My Health Record started, and there were obvious links drawn to what could potentially go wrong.

However, it was not Singapore's National Electronic Health Record (NEHR) that was hacked, but SingHealth's acute care electronic medical record system. SingHealth is the island nation's largest hospital group and runs its four public hospitals and a number of specialty clinics using Sunrise Clinical Manager (SCM), an EMR owned by Allscripts that was inherited when it merged with Eclipsys in 2010.

It turns out that the hacker gained access to SingHealth's IT network in 2017, most likely through phishing attacks, the report says. The hacker then lay dormant for some time before compromising Citrix servers at Singapore General Hospital. The hacker unsuccessfully tried to access Sunrise from these servers for a month or so, with suspicious activity picked up in June by staff at SingHealth's IT support firm Integrated Health Information Systems (IHiS).

However, the hacker seems to have then successfully obtained credentials to the SCM database on June 26 and, the next day, began querying the SCM database and exfiltrating patient records. This activity remained undetected by IHiS until July 4, when it was stopped.

The attack affected 1.5 million people including Prime Minister Lee Hsien Loong, whose medication records were, in the words of Singapore's Minister in Charge of Cybersecurity, “specifically and repeatedly targeted”.

The committee report, released last week, found that the Singapore General Hospital servers were not adequately secured against unauthorised access and two-factor authentication (2FA) for administrator access was not enforced. There was also a coding vulnerability in the SCM application which the report says was likely exploited by the attacker to obtain the credentials.

The Singapore government knows, but is not releasing, the identity of the attacker. IHiS has sacked two employees, one from its Citrix team and a security incident response manager, and demoted others. It has also fined its CEO and some senior managers, holding them collectively responsible. We'd recommend having a look at the report, which is not only thorough but very well-written.

Back home, and the year is busy already. In New Zealand there's an interesting stoush brewing between practice management system vendor Medtech and competitor Indici that is now before the courts. The Australian trial of the Health Care Homes program has been extended by a full 18 months, although the expectations of patient enrolment have been slashed. There's a new CEO of the Medical Software Industry Association in Emma Hossack, but the RACGP has lost the CEO of its technology arm Oxygen, which was in the news last year over the Hello Health hoo-ha.

It looks like we're all gearing up for another big year in digital health. As the twice postponed deadline for opting out of the My Health Record approaches, we wonder if there will be a spike in chatter about it. You can see from this Google Trends search just how much interest there was in My Health Record in July and then again in November. What will the week of January 31 bring?

That brings us to our poll question for the week: Do you think there'll be another big surge in people opting out?

Sign up to our weekend edition or Pulse+IT Chat to vote, or leave your thoughts below.

Copyright © 2021 Pulse+IT Communications Pty Ltd
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.