Ministers' answers

Health Minister Gan Kim Yong and Minister for Communications and Information S. Iswaran responded to concerns raised by MPs.

Dr Chia Shi-Lu (Tanjong Pagar GRC): Is there malware still lurking in SingHealth's database and systems?

Answer: "We have done everything in our means to secure the system, to detect any residual risk and eliminate it," said Mr Iswaran.

But there is no guarantee all risks have been wiped out.

Up to the day before the breach was made public, there were still malware activities in the data system. This led the Government to require all public healthcare clusters to remove Internet surfing from their systems on July 20.

Ms Sylvia Lim (Aljunied GRC): Why was there a delay between the time the data breach was confirmed (July 10) and its announcement to the public (July 20)?

Answer: During the 10 days, there were multiple streams of work to ensure SingHealth's systems were protected against data theft or being further compromised, said Mr Gan.

The Government had to trace the source of the breach, investigate how it started and identify whose information had been stolen.

SingHealth also needed time to get things ready to inform the affected patients. "All these require time to prepare, and therefore it is important for us to ensure that our information given to the public is accurate as far as we are able to ascertain," Mr Gan said.

Ms Lee Bee Wah (Nee Soon GRC): What more can the Government do to assuage the concerns of people robbed of their data?

Answer: The two-factor authentication (2FA), already a requirement for online transactions involving financial institutions and the Government, is an extra security layer against the fraudulent use of stolen data, said Mr Iswaran.

This means both a password and a one-time password (OTP) are needed to access such services. But security can be compromised should a person use his or her NRIC number as the password to access online services. Singaporeans should reset such a password.

Mr Iswaran added that this may also be an opportunity for the Government to review the use of NRIC numbers as the ID for certain online transactions.

Associate Professor Daniel Goh (Non-Constituency Member of Parliament): Is the data breach caused by negligence at SingHealth?

Answer: The Committee of Inquiry's (COI) investigations will look into the causes to draw lessons that can be applied to other systems and databases in the public sector, said Mr Iswaran.

"In that process, I imagine that they would be looking at... what should have been done and then make their recommendations accordingly," he said. The focus should be on ensuring that SingHealth is secure and patient data is protected, not "allocating blame at this stage".

Mr Cedric Foo (Pioneer): What is the purpose of making the police report on the breach?

Answer: When there is a suspicion of a crime being committed, a police report is lodged, said Mr Iswaran. The police's investigations will take reference from the COI's deliberations.

A report was also made to Singapore's data watchdog, the Personal Data Protection Commission, which is also conducting its own investigations, and will take reference from the COI.

Hariz Baharudin

A version of this article appeared in the print edition of The Straits Times on August 07, 2018, with the headline 'Ministers' answers'. Print Edition | Subscribe