SINGAPORE - A tiered model of Internet access will be in the works for the healthcare sector here, should a virtual browser solution being tested now prove effective, said Minister for Health Gan Kim Yong.
Under this model, Internet surfing separation will remain for those whose job roles do not need Internet access, such as administrative staff performing back-end tasks. This also applies to staff whose access to the Web can be provided via a separate device such as a mobile phone or non-Internet facing device.
But for roles where access to the Internet and the internal healthcare group's network is needed on the same device, a virtual browser solution may be the "best solution", Mr Gan told Parliament on Tuesday (Jan 15) in a ministerial statement on the investigations into last year's cyber attack on healthcare cluster SingHealth's database.
Mr Gan said that a virtual browser will allow access to the Internet through strictly controlled and monitored client servers, and that his ministry had been experimenting with this solution before the SingHealth cyber attack.
"Our earlier technical trial conducted at the healthcare clusters has shown that a 'Virtual Browser' is technically feasible," said Mr Gan, adding that the next step would be to run a pilot of this solution in different settings and healthcare roles to test its effectiveness.
The pilot will begin in the first quarter of this year at the National University Health System. It will be conducted and evaluated over six months.
Mr Gan told the House of efforts by the Ministry of Health (MOH) to beef up cyber security in the public healthcare sector.
On the organisational front, MOH will separate the roles of its Chief Information Security Officer (CISO) and the Director of Cyber Security Governance at the Integrated Health Information Systems (IHiS), which is the technology vendor for Singapore's healthcare sector.
The MOH CISO will also be supported by a dedicated office in the ministry and will be the cyber security sector lead for the healthcare sector. IHiS will have its own Director of Cyber Security Governance.
Second, the healthcare sector will also establish a more robust defence structure that comprises three lines of defence. The first will involve staff who develop, deliver and operate IT systems; the second will oversee security strategy, risk management and compliance; and the third will involve independent checks.
The third area involves improving healthcare staff's cyber-security awareness and capacity, said Mr Gan.
He added that IHiS will engage specialist providers to conduct realistic hands-on "Cyber Range" simulation training starting this year to improve staff's cyber-security awareness and capacity.
This, he said, will augment the classroom discussion-based table-top exercises currently conducted for security incident response personnel.
"We agree that the 'people' element is foundational and critical to our cyber defences. Every user needs to be trained and equipped to understand the important role that they play in cyber defence," said Mr Gan.