SINGAPORE: Five “top priority” recommendations were proposed by Solicitor-General Kwek Mean Luck for Singapore’s healthcare institutions to work on, as the 21-day Committee of Inquiry (COI) hearings on the SingHealth cyberattack came to a close on Friday (Nov 30).
Mr Kwek, giving his closing statement to the committee, said the five recommendations can be split between strategic- and operational-level ones. Measures include raising awareness of cybersecurity and tighter control of privileged administrator accounts.
The five are also part of a wider 16-point recommendation made by him to be considered by the COI, as members develop their final report due at the end of this year.
For strategic-level recommendations, the Solicitor-General said an “enhanced cybersecurity posture” must be adopted by public health institutions as well as Integrated Health Information Services (IHiS), Singapore’s central IT agency for the healthcare sector.
PLUGGING THE GAPS
Mr Kwek pointed out that through the hearings, it was found that while IHiS’ existing IT security policy framework is relatively well established, “there were gaps between policy and practice”. One example is that password management policies were not properly implemented and incident reporting policies not followed.
“A defence-in-depth approach involving multiple layers of defence comprising people, technology and operations should be adopted,” he suggested. “The more valuable the asset, the more layers of defence should be in place to protect it.”
READ: COI for SingHealth cyberattack: IT gaps, staff missteps contributed to incident, says Solicitor-General
Mr Kwek added that all systems and networks should be reviewed comprehensively and periodically, something that the Ministry of Health (MOH) has undertaken to do and enhance its Healthcare IT Security Policy and Standards document.
Another recommendation at the strategic level is for staff awareness on cybersecurity to be improved.
“It is an obvious priority, given that even the best technological solutions can be circumvented by lax security practices by end-users,” he said.
This, Mr Kwek added, can be done by having staff training that expresses the idea that cybersecurity is everyone’s job and not just the IT department’s. Training should also be ongoing and employees be tested on their awareness through things like mock phishing exercises in a formalised programme, rather than in an ad hoc manner, he said.
The Solicitor-General said MOH has “fully taken this on board” and on behalf of all parties accepts that there is a need to strengthen this aspect such that “cybersecurity is a way of life”.
The other three recommendations are:
- Enhanced security checks must be performed, especially on critical information infrastructure systems;
- Privileged administrator accounts must be subject to tighter control and greater monitoring;
- Incident response processes must be improved to more effectively respond to cyberattacks.
Incident response, or the lack thereof, from middle-management IHiS executives such as senior manager Ernest Tan and SingHealth Cluster Information Security Officer Wee Jia Huo were brought to light during the COI hearings, and highlighted by Mr Kwek in his closing statement.
“IHiS has agreed that a key contributing factor was the misapprehension of the correct incident reporting standards by Ernest and Wee,” the Solicitor-General said. “IHiS has undertaken to ensure that the purpose of timely incident reporting is communicated to all staff through training, exercises and education.”
The COI was convened to look into the country’s most serious breach of personal data, with 1.5 million Singaporeans’ personal information stolen. Of these, 160,000 - including Prime Minister Lee Hsien Loong - had their outpatient dispensed medicines’ records taken as well.
The hearing, which started at the end of August, saw 37 witnesses providing evidence to the committee.
Mr Kwek said the 16 recommendations proposed are equally applicable to other public sector IT systems that contain large databases of personal data, including the other two healthcare clusters.
The other proposals include forging partnerships between the Government and private sector to promote collective security. One example he gave was how the Cyber Security Agency (CSA) has formed partnerships with Internet service providers (ISPs) to allow for ISP-level detection of threats.
The Health Ministry is also looking at setting up a dedicated Chief Information Security Officer (CISO) office to help improve the competency of computer security incident response personnel, he added.
“HIGHLY SOPHISTICATED” APT ACTOR CANNOT BE IGNORED
Mr Kwek, in his closing observations, also reiterated the point that while the evidence has shown that more can be done to deter or slow the cyberattack on SingHealth, an “important factor” is that it was perpetrated by an advanced persistent threat (APT) actor who “planned and executed with patience”.
Given that the focus of the inquiry was not on fault finding but to learn from the incident, the Solicitor-General said there have been valuable lessons learnt which will help to “shore up defences against the increasingly sophisticated nature of cyberattacks”.
COI chairman Richard Magnus also said in his closing remarks that cyberattacks are a reality today, and APTs are constantly evolving in their sophistication.
This is why organisations need to adopt an “assume breached mindset”, and not only have a proactive defence strategy but also security systems and solutions that enable them to detect and respond to cyber threats early. In turn, these systems and solutions should be complemented with the right people and processes.
“People are a potential weak link, if not the weakest link,” he said.
“Organisations thus need to provide staff with requisite training and ensure that staff remain updated on current threats so that an attitude of shared responsibility can be cultivated.”