COI on SingHealth cyber attack: Proposals to beef up cyber defence span 3 levels of handling

Hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people when they successfully hacked into SingHealth's system from June 27 to July 4.
Hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people when they successfully hacked into SingHealth's system from June 27 to July 4.PHOTO: ST FILE

Security must be tackled at organisational, industry and govt levels, say expert witnesses

A slew of recommendations spanning various areas have been made by several experts testifying before a high-level panel tasked to investigate the SingHealth data breach, Singapore's worst cyber attack.

Put together, the proposals form a multi-layered framework that is essential to bolster defences against online attacks here, say experts, who also cite challenges in implementing these recommendations.

A four-member committee of inquiry (COI), which has been holding public and closed-door hearings since Aug 28, concluded its fact-finding phase on Wednesday.

It is expected to submit a report on its findings and recommendations by Dec 31 to Mr S. Iswaran, Minister-in-charge of Cybersecurity and Minister for Communications and Information.

Hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, when they successfully hacked into public healthcare cluster SingHealth's system from June 27 to July 4.

In short, the recommendations heard from both local and foreign experts in the past two weeks cut across three levels: the organisational level, the industry one and the government level.

Mr Bryan Tan, a lawyer from Pinsent Masons MPillay specialising in technology law and data protection, said: "It must be a multi-level approach and it cannot be half-baked.

  • KEY SUGGESTIONS

  • ORGANISATIONAL LEVEL

    •  Cyber security at the Integrated Health Information Systems, Singapore's central IT agency for the healthcare sector, SingHealth and other critical information infrastructure sectors should be viewed not as a technical issue, but a management issue, handled at senior leadership levels.

    •  Organisations need to be able to capture and reference information about potential breaches easily, which would help with investigations and prevent similar incidents.

    •  An organisational structure, such that cyber security is everyone's responsibility, should be put in place, where everyone knows and understands their role.

    •  Install an automated system that analyses behaviour and raises alerts on suspicious activity to identify online threats.

    •  When developing, upgrading or reviewing an organisation's systems, security should be incorporated into their design. Mitigation measures against a cyber attack need to be in place.

    INDUSTRY LEVEL

    •  The healthcare sector has been asked to change the way its IT security teams report incidents, so that key decision-makers can call the shots during a cyber attack.

    •  A thorough review of the sector's IT processes and cyber-security training for relevant staff should also be carried out.

    GOVERNMENT LEVEL

    •  Government and industry players need to work together on collective systems that share information to continually learn and prepare defences.

    •  Cyber-threat exercises involving different sectors, and between the Government and industry players, should be carried out.

    Hariz Baharudin

"I agree it takes more than just an organisation, or more than just technology, to improve cyber security."

He was referring to a comment by Commissioner of Cybersecurity David Koh in his testimony on Wednesday that cyber security should be viewed not as a technical issue, but a management issue.

At an organisational level, cyber-security concerns should be handled by senior management or key decision-makers, said Mr Koh.

Mr Joseph Gan, president and co-founder of security solutions firm V-Key, said this approach was critical, given how cyber security is a complex issue.

"There are a lot of processes to consider and to be put in place, and a lot of these would require executive buy-in and guidance," he said.

Some experts, such as Mr Koh, told the COI that cyber security should be incorporated into the design of an organisation's systems, so that they would be sensitive to potential threats and mitigation measures can be put in place.

This is important because cyber security hinges on picking up on signals and knowing what to do with them, said Associate Professor Alan Chong of the S. Rajaratnam School of International Studies.

He said: "IT and cyber security are parallel to intelligence analysis. It is not just a matter of getting scientists or engineers involved. It is also about making sure that the available systems, technology and personnel are able to scan for these signs and flag threats."

At the industry level, expert witnesses such as Dr Lim Woo Lip, executive vice-president of technology and capability at Ensign Infosecurity, told the COI of the need for more exercises involving simulated data breaches.

Others also called for a thorough review of the healthcare sector's IT processes and cyber-security training for relevant staff.

SHARING INFORMATION

The former director of America's National Security Agency, Mr Keith Alexanders, said that information about cyber threats could be shared among firms in the industry.

 
 
 
 

Mr Alexanders, who is now chief executive of IronNet Cybersecurity, said cyber security has thus far been approached through an individualistic lens.

The sharing of information is done only after malware has been detected, due to liability and public image concerns, he added.

Some experts made recommendations at the government level too.

Mr Alexanders added that government and industry players need to work together on collective systems that share information to continually learn and prepare defences.

This is because cyber criminals are able to find vulnerabilities and breach any organisation's IT system given enough time, and current protection measures are insufficient, he added.

Prof Chong said that given the way cyberthreats are developing, the measures needed to monitor and defend against them are starting to look like the way society deals with terrorism, with the government and the private sector working together.

According to him, terrorism has evolved to evade established measures to counter it and to take advantage of any loopholes in the system.

For example, he said that terrorists have gone under the radar to move from big groups to organised cells to lone wolves who become radicalised by extremist teachings.

"The threat is constantly changing and there needs to be focus and collaboration between different stakeholders."

But there will be challenges in implementing the recommendations, say those interviewed.

Instilling a culture of heightened awareness about cyber security, be it at the company, industry or even government level, will take some time, said Mr Gan.

This is because cyber security might not come naturally to most people, and there is a need to teach them about best practices and the right mindset.

"I do not think it is something that can be achieved overnight. It would require education about cyber security, which tends to be a complex subject because you have to understand what the attacks are and how to defend against that," he said.

 
A version of this article appeared in the print edition of The Straits Times on November 17, 2018, with the headline 'Proposals to beef up cyber defence span 3 levels of handling'. Print Edition | Subscribe