CSA chief: IHiS’ IT processes need review
Conclusion of hearings on SingHealth hack
Cyber security should be viewed not as a technical issue but a management issue handled at senior levels, stressed Singapore's Commissioner of Cybersecurity.
In light of this, the healthcare sector has been asked to change the way its IT security teams report incidents, so key decision-makers can call the shots during a cyber attack.
A thorough review of the sector's IT processes and cyber security training for relevant staff should also be carried out, a high-level panel heard yesterday.
Mr David Koh, the Cyber Security Agency (CSA) chief, made these recommendations yesterday, rounding up the hearings for the Committee of Inquiry looking into the SingHealth data breach.
In Singapore's worst cyber attack, hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, in June.
Mr Koh noted that the healthcare sector operates at a very large scale.
"Safeguarding such a large attack surface presents a huge challenge," he said.
He added that the Integrated Health Information Systems (IHiS), Singapore's central IT agency for the healthcare sector, is headed in the right direction but needs to learn from the SingHealth incident and take the necessary steps to improve.
One of the steps he recommended is to change the way IHiS reports cyber security incidents.
Reflecting on the structure of incident reporting at IHiS, he pointed out that its IT security team is a sub-unit of its infrastructure services, which in turn sits within IHiS' delivery group. Reported security issues could thus be overlooked in favour of service delivery objectives.
The structure could mean that the security team does not get proper access to appropriate-level managers, which makes escalating problems difficult. Key decision-makers might also not be fully aware of security and operational concerns.
Mr Koh called for a thorough review of IHiS' IT processes and better training to ensure that standard operating procedures (SOPs) are followed.
During the SingHealth incident, he said, there was a lack of understanding of SOPs and reporting protocols for security incidents, as well as an initial failure to recognise that a malicious attack had occurred.
When developing, upgrading or reviewing its systems, IHiS should also ensure that security and mitigation measures against a cyber attack are in place - an approach which has been lacking, said Mr Koh.
Cyber security should be built in as a key feature, like seat belts, not slapped on as an afterthought, he said.
Stronger, multi-layered security mechanisms should have been in place around the electronic medical records of all SingHealth patients.
"Like a safe in a bank, privileged access to these records should have been behind locked doors, only accessible to a tightly controlled group of people," he said.