A more secure way of accessing the Internet was meant to be put in place to protect public medical systems some time this year, but had to be pushed back to next year because of technical issues.
Mr Chua Kim Chuan, director of cyber-security governance at Integrated Health Information Systems (IHiS), whose job involves developing policies to strengthen security in the healthcare sector, said staff from SingHealth and IHiS also took part in regular exercises to prepare for cyber emergencies.
Giving evidence yesterday to the Committee of Inquiry (COI) looking into the SingHealth cyber attack, Mr Chua said a "remote browser solution" was scheduled to be implemented in FY2018. This allows users to access the Internet without being directly connected to networks and servers.
It was chosen over Internet surfing separation (ISS), which delinks work systems from Internet access, as feedback from the healthcare sector showed that Web access was needed for daily operations.
However, following June's cyber attack, the Health Ministry implemented ISS across public healthcare clusters for a limited period. The ministry is looking into making it permanent in some areas, said Health Minister Gan Kim Yong in August.
Yesterday, Mr Chua also told the COI that Cyber Security Agency of Singapore's (CSA) regulations require all critical sectors to run annual exercises for their critical information infrastructure operators.
Since 2016, three exercises had been conducted for SingHealth to gauge the organisation's and IHiS' preparedness in responding to cyber attacks. The most recent was in March.
Mr Chua said SingHealth and IHiS staff showed they were "well-prepared".
But COI panel member T.K. Udairam asked why IHiS senior manager (Infra Services-Security Management) Ernest Tan Choon Kiat had failed to flag suspicious network activities despite having attended the exercise last year.
"(In the exercise) we meet for one specific purpose, which is to rehearse and respond to a cyber attack," said Mr Chua, adding that in the classroom setting, participants would have responded to any scenario as a confirmed incident, and might not have the situational awareness to identify a real incident.
He said his team was looking into strengthening participants' ability to identify threats earlier in future exercises.