A senior manager at Integrated Health Information Systems (IHiS) did not report the cyber attack as he feared added pressure and more work.

With no clarity on how such incidents should be reported, a junior staff member who discovered the breach left it to her direct supervisors to follow up.

Such organisational failings at IHiS - the Health Ministry's (MOH) IT arm - were laid bare after 22 days of hearings by a Committee of Inquiry (COI) last year.

The SingHealth attack last June, Singapore's worst data breach, is believed to have been state-sponsored, and the COI found that the attacker was skilled and sophisticated.

The personal data of 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, was accessed and stolen.

Examining the events and factors leading up to the attack, the COI, chaired by retired judge Richard Magnus, made clear in its 453-page public report released today that a change in organisational culture, mindset and structure, as well as effective and agile leadership by senior management, is necessary to implement its proposed recommendations.

The COI issued 16 recommendations in the report, aimed at building a culture of security, securing public healthcare systems and improving incident and post-incident responses, as part of its terms of reference.

Seven of the recommendations are priorities SingHealth and IHiS must immediately take steps to implement. They include beefing up incident response processes, identifying and plugging gaps in security technologies, as well as improving staff awareness of cyber security. (See report below.)

All 16 recommendations are also applicable to organisations that manage large amounts of personal data, the COI said, though in practice, implementation will depend on existing policies, processes and personnel in each of these organisations.

It wrote: "While some measures may seem axiomatic, the cyber attack has shown that these were not implemented effectively by IHiS at the time of the attack.

"For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cyber security competencies and the ability to counter the real, present, and constantly evolving cyber security threats."

To ensure SingHealth and IHiS implement its recommendations effectively, the COI proposed the two organisations provide updates every six months to the Healthcare IT Steering Committee, the healthcare sector's highest platform for cyber security issues, chaired by the permanent secretary of the MOH.

Audit checks should also be conducted by MOH shortly after the specified implementation dates.

A fuller version of the COI report, not published due to national security and to prevent copycat attacks, was submitted to Minister-in-charge of Cyber Security S. Iswaran on Dec 31 last year.

Responding to the report, IHiS chief executive Bruce Liang said in a statement: "(We will) do our utmost to drive change throughout our organisation, with patient well-being as our priority.

"We are committed to a continuous process of improvement to further strengthen our cyber defence in the public healthcare sector."

SingHealth's group chief executive Ivy Ng said that SingHealth will work closely with the MOH, IHiS and industry experts to proactively implement the COI's recommendations.

Since the attack, SingHealth has reinforced the culture of personal ownership of cyber defence, she added, and all staff are empowered to identify and report cyber security threats.

An MOH spokesman said the ministry is committed to safeguarding patient data and will work towards improving its systems and processes.

She added: "MOH apologises once again to all affected patients for the incident."

Health Minister Gan Kim Yong and Mr Iswaran will give ministerial statements in Parliament next week with more detailed responses to the report.

