Cyber criminals can find vulnerabilities and breach any organisation's IT system, given enough time, and current protection measures are insufficient.

To counter this, the Government and industry players need to work together on collective systems that share information to continually learn and prepare defences, former director of the United States' National Security Agency Keith Alex-ander said yesterday.

He was testifying before the Committee of Inquiry (COI) looking into the SingHealth cyber attack. Hackers stole the data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.

"The threats we face exceed the defences that we have... We need to up the game on the defence, and the defences have to grow quickly," said Mr Alexander, now chief executive officer of IronNet Cybersecurity.

In a submission to the COI, he said that cyber security has thus far been approached through an individualistic lens. The sharing of information is done only after malware has been detected due to liability and public image concerns.

But collective cooperation is needed for the cyber security of all sectors, including healthcare, he said. "It is ironic that the network and associated devices have become the biggest technological advances of our time, yet we don't use a network to defend a network," Mr Alexander said in his report, referring to the links between different stakeholders that could be used to bolster cyber defence.

He called for cyber threat exercises involving different sectors, and between the Government and industry players.

He stressed the need for a system that can analyse behaviour and raise alerts on suspicious activity to identify online threats, which will make collective defence a possibility.

For instance, if an unauthorised user makes repeated requests for a particular patient's data or for data from a large number of patients, a system should be in place to detect this.

"An effective and tested behavioural analytic capability produces a wealth of events that can be shared in a collective defence strategy at network speed," he said.

During the hearing, Solicitor-General Kwek Mean Luck, who is leading the inquiry, asked if such behavioural analytical tools were already commercially available.

These tools are already out there, said Mr Alexander, but many firms do not always accurately state the limitations of their products. The solution is to run these tools through comprehensive and effective testing and emulation programs.

Mr Alexander was also asked about the use of two-factor authentication and its potential to be used in the healthcare sector - a suggestion that the COI has heard from other experts in previous sessions.

"It can and should be used, especially in sensitive data transactions, and should be considered for the healthcare sector here," he said.

Hariz Baharudin