SingHealth data came under attack before plans to strengthen Internet protocols were put in place

Intrusions into SingHealth's electronic medical records system began undetected on June 27, 2018.
Intrusions into SingHealth's electronic medical records system began undetected on June 27, 2018.PHOTO: ST FILE

SINGAPORE - A more secure way of accessing the Internet, thus protecting public medical systems, was meant to be put in place sometime this year, but had to be pushed back to next year because of technical issues.

Mr Chua Kim Chuan, director of cyber-security governance at Integrated Health Information Systems (IHiS), whose job is to develop policies to strengthen security in the healthcare sector, said staff from SingHealth and IHiS also took part in regular exercises to prepare for cyber emergencies.

But he admitted that "out of a classroom environment, situational awareness might be different".

Giving his statement on Wednesday (Oct 31) to the Committee of Inquiry (COI) probing the SingHealth cyber attack, Mr Chua said a "remote browser solution" was scheduled to be implemented in FY2018. This allows users to access the Internet without being directly connected to networks and servers.

It was chosen over Internet surfing separation (ISS), which delinks work systems from Internet access, as feedback from the healthcare sector showed that Web access was needed for daily operations.

However following June's cyber attack, the Health Ministry implemented ISS across public healthcare clusters for a limited period. The ministry is looking into making it permanent in some areas, said Health Minister Gan Kim Yong in August.

On Wednesday, Mr Chua also told the COI that Cyber Security Agency of Singapore's (CSA) regulations require all critical sectors to run annual exercises for their operators of critical information infrastructure.

 
 
 
 

Since 2016, three exercises had been conducted for SingHealth to gauge the organisation's and IHiS' preparedness in responding to cyber attacks. The most recent was in March.

The exercises evaluated participants as they discussed their roles and responses during cyber-security emergencies. Mr Chua said SingHealth and IHiS staff showed they were "well-prepared".

But COI panel member T.K. Udairam asked why IHiS senior manager (Infra Services-Security Management) Ernest Tan Choon Kiat had failed to flag suspicious network activities despite having attended the exercise last year.

"(In the exercise) we meet for one specific purpose, which is to rehearse and respond to a cyber attack," said Mr Chua, adding that in the classroom setting, participants would have responded to any scenario as a confirmed incident, and might not have the situational awareness to identify a real incident.

Mr Chua said his team was looking into strengthening participants' ability to identify threats earlier in future exercises.