Senior leaders have key role in cyber security: Commissioner

Cyber security should be viewed not as a technical issue, but a management issue that is handled at senior leadership levels, stressed Singapore's Commissioner of Cybersecurity.

In the light of this, the healthcare sector has been asked to change the way its IT security teams report incidents, so that key decision-makers can call the shots during a cyber attack.

A thorough review of the sector's IT processes and cyber-security training for relevant staff should also be carried out, a high-level panel heard yesterday.

Mr David Koh, who is the Cyber Security Agency chief, made these recommendations yesterday, rounding up the hearings for the Committee of Inquiry (COI) looking into the SingHealth data breach.

In what was Singapore's worst cyber attack, hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, in June.

Mr Koh noted yesterday that the healthcare sector has a large scale of operations, with 60,000 endpoints, 6,000 servers and three terabytes of Internet traffic going through its networks daily. "Safeguarding such a large attack surface presents a huge challenge," he said.

He added that the Integrated Health Information Systems (IHiS), Singapore's central IT agency for the healthcare sector, is headed in the right direction, but needs to learn from the SingHealth incident and take the necessary steps to improve. One of the steps he recommended is to change the way IHiS reports cyber-security incidents.

Reflecting on the structure of incident reporting at IHiS, he pointed out that its IT security team is a sub-unit of its infrastructure services, which sits within IHiS' delivery group. Reported security issues could thus be overlooked in favour of service delivery objectives.

The structure could mean the security team does not get proper access to appropriate-level managers, which makes it difficult to escalate problems. Key decision-makers might also not be fully aware of security and operational concerns.

Mr Koh called for a thorough review of IHiS' IT processes and better training to ensure that standard operating procedures (SOPs) are followed.

During the SingHealth incident, he said, there was a lack of understanding of SOPs and reporting protocols for security incidents, as well as an initial failure to recognise that a malicious attack had occurred.

To prepare for cyber attacks, staff should be aware of contingency plans covering areas such as incident response, crisis communication and business continuity.

Mr Koh said it is also important that IHiS and the healthcare clusters in Singapore improve the awareness of front-end users, such as doctors, nurses, pharmacists and administrators, who are often the weakest link in cyber security.

When developing, upgrading or reviewing its systems, IHiS should also ensure that security and mitigation measures against a cyber attack are in place - an approach which has been lacking, said Mr Koh.

Cyber security, he added, should be built in as a key feature, like seat belts in a car, and not slapped on as an afterthought.

Stronger, multi-layered security mechanisms should have been in place around the electronic medical records of all SingHealth patients, the target of the hackers.

"Like a safe in a bank, privileged access to these records should have been behind locked doors, only accessible to a tightly controlled group of people," he said.

"The cyber equivalent of tripwires, surveillance cameras and alarms should have been in place to monitor access, and to look out for suspicious activity."

In a release yesterday, the COI secretariat said the panel had heard from 37 witnesses over 20 days of hearings, from the first in-camera session on Aug 28. It had also received 26 written submissions from individuals, organisations and industry associations.

The closing submissions from the Attorney-General's Chambers, SingHealth, IHiS, Ministry of Health (MOH) and MOH Holdings will be heard on Nov 30.

The COI is expected to submit a report on its findings and recommendations by Dec 31 to Mr S. Iswaran, Minister-in-charge of Cybersecurity and Minister for Communications and Information.