An expert has called for more exercises involving simulated data breaches to allow professionals in an organisation to practise responses for a cyber-security incident.
Like counter-terrorism exercises and fire drills, exercises that simulate data breaches could help bolster defences when a cyber attack occurs, said Dr Lim Woo Lip.
The executive vice-president of technology and capability at Ensign Infosecurity was testifying yesterday before a high-level panel looking into the SingHealth data breach in June.
The worst cyber attack to hit Singapore compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.
Dr Lim was speaking during the third tranche of hearings, which will run until next Thursday. The current tranche consists of experts recommending enhancements to cyber-attack incident response plans, to better protect SingHealth's patient database system against cyber-security attacks.
Presenting a report he had prepared for the Committee of Inquiry (COI), Dr Lim said: "A cyber-security exercise is something not all organisations are very familiar with yet. This exercise also does double up as training; as you go through more exercises, you are more familiar and you strengthen your standard operating procedure."
In his report, Dr Lim said that these exercises should expose participants to realistic situations, with real-time injects that test the knowledge and skills of the different organisation members.
PRACTICE MAKES PERFECT
A cyber-security exercise is something not all organisations are very familiar with yet. This exercise also does double up as training; as you go through more exercises, you are more familiar and you strengthen your standard operating procedure.
DR LIM WOO LIP, executive vice-president of technology and capability at Ensign Infosecurity, presenting his report of recommended cyber-security measures.
Besides cyber-security exercises, Dr Lim also recommended data at all states to be encrypted. This includes inactive data that is stored physically in any digital form, otherwise known as data at rest.
Sensitive medical records - such as personal information, medical reports and doctor's prescriptions - are pieces of information in an electronic database that cyber criminals are after, said Dr Lim. Any sensitive data not protected would be vulnerable to attack.
"Since the sensitive data is the crown jewels that attackers are after, encryption should be applied to data at all states," he said.
Dr Lim acknowledged that encryption of all data could hurt the efficiency of an organisation's systems.
He suggested that should full encryption be impossible due to operational efficiency, SingHealth and the Integrated Health Information Systems - which runs the IT systems of all public healthcare operators here - could anonymise all data containing personal identifiers, which he said is quite a "simple process".
At the start of the hearing yesterday, Solicitor-General Kwek Mean Luck said the experts' views will be used to draw up recommended measures to reduce the risk of such cyber-security attacks on public-sector IT systems, including those in the other public healthcare clusters that contain large databases of personal data.
Local and foreign cyber-security experts will testify, including Cyber Security Agency of Singapore chief executive David Koh and representatives from the Health Ministry.
Mr Kwek also gave an update on the written representations that the COI accepted from the public from Sept 11 to Oct 31.
He said the COI found many of the 26 submissions to be useful.
COI chairman Richard Magnus said the committee has seen all the submissions and agreed that there is no need to further hear from the contributors. "The submissions speak for themselves," he said.
During the hearing, Mr Magnus also asked Dr Lim if it was possible to overcome advanced persistent threats, which are stealthy and continuous hacking processes, just like what happened with the SingHealth breach. To this, Dr Lim replied that it is possible, provided the system has a "sophisticated detections engine".