COI on SingHealth cyber attack: Change the way security incidents are reported, says CSA chief

In what was Singapore's worst cyber attack, the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, was stolen by hackers in June. ST PHOTO: ARIFFIN JAMAR

SINGAPORE - The healthcare sector has been asked to change the way its IT security teams report incidents so that key decision makers can call the shots during a cyber attack.

A thorough review of the sector's IT processes and cyber-security training for relevant staff should also be carried out, a high-level panel heard on Wednesday (Nov 14).

These recommendations were made by Singapore's Comissioner of Cybersecurity and Cyber Security Agency chief David Koh, rounding up the scheduled hearings for the Committee of Inquiry (COI) looking into the SingHealth data breach.

In what was Singapore's worst cyber attack, the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, was stolen by hackers in June.

On Wednesday, Mr Koh noted that the healthcare sector has a large scale of operations, with 60,000 endpoints, 6,000 servers and three terabytes of Internet traffic passing through its networks daily.

"Safeguarding such a large attack surface presents a huge challenge," said Mr Koh, adding that there was no need for a "sweeping indictment" of the healthcare sector's cyber-security measures.

He said the Integrated Health Information Systems (IHiS), Singapore's central IT agency for the healthcare sector, is headed in the right direction but added that it needs to learn from the SingHealth incident and take the necessary steps to improve.

One of these steps Mr Koh recommended is to change the way IHiS reports cyber-security incidents.

Reflecting on the structure of incident reporting at IHiS, Mr Koh pointed out that its IT security team is a sub-unit of its infrastructure services, which in itself sits within IHiS's delivery group. Reported security issues could thus be overlooked, in favour of service delivery objectives.

The structure could mean that the security team do not get proper access to appropriate-level managers, which would make escalating a problem difficult. Key decision makers might also not be fully aware of security and operational concerns.

Mr Koh called for a thorough review of IHiS's IT processes and better training to ensure that there are no gaps between staff's actions and its standard operating procedures (SOPs).

He noted that during the SingHealth data breach, there was a lack of clear understanding of SOPs and reporting protocols for security incidents, as well as an initial failure to recognise that a malicious attack had occurred.

The COI has previously heard that several IHiS staff had discovered signs of a breach occurring in June, though no action was taken until the following month.

To prepare for cyber attacks, staff should be aware of contingency plans that cover areas like incident response, crisis communication and business continuity.

Mr Koh added that it is also important that IHiS and the healthcare clusters in Singapore improve the awareness of front-end users, such as doctors, nurses, pharmacists and administrators, who are often the weakest link in cyber security.

When developing, upgrading or reviewing its systems, IHiS should also ensure that necessary security and mitigation measures against a cyber attack are in place - an approach which Mr Koh said has been lacking.

Cyber security, he added, should be built in as a key feature, like seat belts in a car, and not slapped on as an afterthrought.

Stronger, multi-layered security mechanisms should have been in place around the electronic medical records of all SingHealth patients, which was the target of the hackers.

"Like a safe in a bank, privileged access to these records should have been behind locked doors, only accessible to a tightly-controlled group of people," he said.

"The cyber-equivalent of tripwires, surveillance cameras and alarms should have been in place to monitor access, and to look out for suspicious activity."

Mr Koh's testimony concluded the COI's third tranche of hearings and its scheduled hearings for the fact-finding phase of its inquiry process.

In a statement on Wednesday, the COI secretariat said over 20 days of hearings, from the first in-camera session on Aug 28, the panel has heard from 37 witnesses. It has also received 26 written submissions from individuals, organisations and industry associations.

The closing submissions from the Attorney-General's Chambers, SingHealth, IHiS, Ministry of Health (MOH) and MOH Holdings will be heard on Nov 30.

The COI is expected to submit a report on its findings and recommendations by Dec 31 to Mr S. Iswaran, Minister-in-Charge of Cybersecurity and Minister for Communications and Information.

Join ST's WhatsApp Channel and get the latest news and must-reads.