Cyber-security exercises needed to better prepare for cyber attacks: Expert at COI on SingHealth cyber attack

The SingHealth data breach was the worst cyber attack to hit Singapore, compromising the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people.

SINGAPORE - An expert has called for more exercises involving simulated data breaches to allow professionals in an organisation to practise responses for a cyber-security incident.

Like counter-terrorism exercises and fire drills, exercises that simulate data breaches could help turn the tide when a cyber attack occurs, said Dr Lim Woo Lip.

The executive vice-president of technology and capability at Ensign Infosecurity was testifying on Friday (Nov 9) before a high-level panel looking into the SingHealth data breach in June.

The worst cyber attack to hit Singapore compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

Dr Lim was speaking during the third tranche of hearings, which will run until Nov 15.

The current tranche consists of experts recommending enhancements to cyber-attack incident response plans, to better protect SingHealth's patient database system against cyber-security attacks.

Dr Lim said exercises involving simulated cyber breaches will allow IT, security, legal and corporate communications professionals to be more familiar with what needs to be done when a cyber attack occurs.

Presenting a report he had prepared for the Committee of Inquiry (COI), Dr Lim said: "A cyber-security exercise is something not all organisations are very familiar with yet.

"This exercise also does double up as training, as you go through more exercises, you are more familiar and you strengthen your standard operating procedure."

In his report of recommended cyber-security measures, Dr Lim said that these exercises should expose participants to realistic situations, with real-time injects that test the knowledge and skills of the different organisation members.

Besides cyber-security exercises, Dr Lim also recommended that data in all states be encrypted.

This includes inactive data that is stored physically in any digital form, otherwise known as data at rest.

Sensitive medical records - such as personal information, medical reports and doctor's prescriptions - are pieces of information in an electronic database that cyber criminals are after, said Dr Lim.

Any sensitive data that is not protected would be vulnerable to attack.

"Since the sensitive data are the crown jewels that attackers are after, encryption should be applied to data at all states," he said.

Dr Lim acknowledged that encryption of all data could hurt the efficiency of an organisation's systems.

He suggested that, should full encryption be impossible for reasons of operational efficiency, SingHealth and the Integrated Health Information Systems (IHiS) - which runs the IT systems of all public healthcare operators in Singapore - could just anonymise all data containing personal identifiers, which he said is quite a "simple process".

As an added level of security, the data retrieval process should include a 2-factor authentication mechanism before data can be de-anonymised.

These measures would, he said, bolster the data's defences, without hampering a researcher's access to it.

"Such an approach will also allow the researchers in the healthcare sector to be able to continue their research and analysis using the anonymised data as the individual identity should not be required in their studies," he said.

At the start of the hearings on Friday, Solicitor-General Kwek Mean Luck said the experts' views will be used to draw up recommended measures to reduce the risk of such cyber-security attacks on public sector IT systems, including in the other public healthcare clusters.

Such systems contain large databases of personal data.

Local and foreign experts in the field of cyber security will be called to testify, including Cyber Security Agency chief David Koh and representatives from the Health Ministry.

Mr Kwek also gave an update on the written representations that the COI accepted from the public from Sept 11 to Oct 31.

He said that the COI found many of the 26 submissions from individuals and organisations to be useful.

The COI's chairman Richard Magnus said that the committee has seen all the submissions and agreed that there is no need to further hear from the contributors.

"The submissions speak for themselves," he said.

During the hearing, Mr Magnus also asked Dr Lim if it was possible to overcome advanced persistent threats, which are stealthy and continuous hacking processes, just like what happened with the SingHealth breach.

To this, Dr Lim replied that it is possible, provided the system has a “sophisticated detections engine”.