The cyber attack on SingHealth has revealed lapses in IT systems and organisations that must be put right, Prime Minister Lee Hsien Loong said on Tuesday (Oct 2).
June's attack on a critical system belonging to the public hospital group was a "harsh reminder" that cyberspace is not a benign environment, he said, speaking at the inaugural Stack 2018 Developer Conference organised by the Government Technology Agency of Singapore.
Although the attacker was sophisticated and well-resourced, the incident also revealed "internal weaknesses and lapses" in IT systems and organisations.
It led to the worst data breach in Singapore's history, involving the personal data of 1.5 million patients and outpatient prescription records of 160,000 people, including the Prime Minister and several ministers.
Last week, the four-member Committee of Inquiry tasked to look into the cyber attack at SingHealth heard that an old server had not had security software updates for 14 months. It was one of the many pathways used by hackers to reach SingHealth's critical systems where the data breach occurred.
"We have to improve and put these right. We have to train up our people, institute robust processes, inculcate the right mindsets and enforce accountability," said PM Lee.
Singapore started building stronger defences after 2013, when a member of global cyber activism group Anonymous sought to bring down many government websites, including transactional ones.
Notably in April 2015, the Cyber Security Agency (CSA) was created to strengthen the country's cyber-security posture to assist its Smart Nation push.
The high-level agency has been tasked to coordinate public- and private-sector efforts to keep the lights on for critical systems, such as those in the healthcare, energy and banking sectors, in the event of a cyber attack.
The CSA developed an overarching Cybersecurity Bill, which was passed unanimously in Parliament in February this year.
Among other things, the new law empowers the Commissioner of Cybersecurity to demand data or seize computers from owners of not only critical information infrastructure (CII), but also non-CII systems deemed to be essential for investigations. The law also mandates that owners of CII report security breaches and attacks "within hours".
"This latest SingHealth incident only drives us to redouble our efforts," PM Lee said yesterday.
And even though there will be a re-engineering of the Government where IT systems are radically overhauled and processes revamped, he noted that the cyber-security journey is a long and unending one.
"There are many things we can do to tighten processes and fix weaknesses without affecting the user experience," he said.