Hearings on SingHealth cyber breach from Sept 21

Some members of the public may be called on to present their views on several matters, including ways to better protect SingHealth's patient database and the large databases residing in public sector computer systems.
Some members of the public may be called on to present their views on several matters, including ways to better protect SingHealth's patient database and the large databases residing in public sector computer systems. ST PHOTO: SYAMIL SAPARI

Cyber-security experts may be invited to present their views before the Committee of Inquiry

A tranche of hearings, some of which will be open to the public, will start from Sept 21 as the four-member Committee of Inquiry (COI) investigates the breach involving the private data of 1.5 million SingHealth patients.

The hearings, lasting two weeks until Oct 5, will be held in Court 5A of the Supreme Court, the COI Secretariat said in a statement yesterday.

Details of the hearings will be provided in the coming days.

Some members of the public, including cyber-security experts, may be called on to present their views on several matters, including ways to better protect SingHealth's patient database and the large databases residing in public sector computer systems.

They have been invited to submit their written representations and indicate whether they are willing to appear before the COI to give evidence.

The hearings will also solicit views on how future responses to similar incidents can be enhanced.

During the hearings, these experts may be asked to take the stand for the COI to clarify their written representations.

Meanwhile, a review of the network security of Singapore's 11 critical service sectors will be completed by the end of this year.

The COI, headed by former chief district judge Richard Magnus, convened in private on July 24 to inquire into the events contributing to the breach, which took place between June 27 and July 4 this year. The first hearing by the high-level panel examining Singapore's worst cyber attack took place behind closed doors on Aug 28.

Specifically, critical information infrastructure (CII) owners were instructed to remove links to "untrusted" external networks or use secure information gateways to protect the connections.

Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said instructions to CII owners to remove links to "untrusted" external networks or use secure information gateways to protect the connections are a good fundamental step.

"But there is still a lot of work to be done to develop meaningful controls and strategies that meet the unique business requirements of each sector," he said.

The COI, headed by former chief district judge Richard Magnus, convened in private on July 24 to inquire into the events contributing to the breach, which took place between June 27 and July 4 this year.

The first hearing by the high-level panel examining Singapore's worst cyber attack took place behind closed doors on Aug 28.

 
 
 

The COI Secretariat previously said hearings would be private if information affecting national security or involving patient confidentiality are expected to be shared.

The Attorney-General's Chambers (AGC), which presented evidence from the first witness, will continue to lead evidence in subsequent hearings.

The AGC has presented evidence in previous COI hearings, such as the probe into the riot in Little India in December 2013.

The SingHealth cyber attack led to the leakage of outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

Members of the public with concerns related to personal data are urged to contact the Personal Data Protection Commission (PDPC).

The PDPC is already looking into whether there were security lapses by SingHealth and its technology outsourcing vendor, Integrated Health Information Systems, and whether they are liable for a fine of up to $1 million under the Personal Data Protection Act.

Written representations must be e-mailed to coi_secretariat@mci. gov.sg by 5pm on Oct 31.

 
A version of this article appeared in the print edition of The Straits Times on September 12, 2018, with the headline 'Hearings on SingHealth cyber breach from Sept 21'. Print Edition | Subscribe