Why weren't recommendations implemented before cyber attack?

In the COI report, it was stated that MOH acted on the CSA of Singapore's recommendations following the discovery of the attack last July. PHOTO: ST FILE

I thank the Ministry of Health for its response to my questions pertaining to the Internet surfing separation (ISS) in the SingHealth data theft incident (Healthcare Internet access balances operational use, security, Jan 28; and Why wasn't cyber security strategy to cut Internet rolled out?, Jan 19).

However, my questions remain unanswered.

While it may have been necessary to reiterate what was stated in the Committee of Inquiry (COI) report, the response basically echoes the points about declined productivity, workflow obstacles and challenges in delivering safe patient care.

In the COI report, it was stated that MOH acted on the Cyber Security Agency (CSA) of Singapore's recommendations following the discovery of the attack last July.

Why didn't MOH take a phased approach for these recommendations before the cyber attack?

The report also indicates that in 2015, CSA had recommended an Internet isolation technology solution - a variant of ISS as a full-fledged ISS was considered not feasible at that time - for public healthcare institutions.

As rightly pointed out by MOH in its reply, this is not totally risk-free, but it reduces the dangers significantly while minimising impact on operations.

Hence, why wasn't a test-bed approach taken by public healthcare institutions earlier?

While I do acknowledge that it is not straightforward for SingHealth to implement ISS and a balanced approach is required, it is also important for MOH to inform the public why, despite recommendations, the implementation of ISS or its variants was not conducted prior to the attack.

Tan Kar Quan

A version of this article appeared in the print edition of The Straits Times on February 02, 2019, with the headline 'Why weren't recommendations implemented before cyber attack?'.