SINGAPORE: Singapore’s central information technology agency for the healthcare sector, the Integrated Health Information Systems (IHiS), already has in place a “well-established” IT security and governance framework, but more remains to be done to strengthen the system, an expert witness told a Committee of Inquiry (COI) on Friday (Nov 9).
Presenting recommendations from his report, IT expert Dr Lim Woo Lip stressed the need for a comprehensive and balanced approach when dealing with cybersecurity.
Dr Lim, the executive vice president of Ensign Infosecurity, is the first expert witness to testify in a public hearing by a four-member COI looking into the data breach at SingHealth. More experts will take the stand next week.
“From the statements provided by IHiS’ employees, the existing IT security policy and governance framework within the healthcare sector appears relatively well established,” said Dr Lim.
“The IT systems and networks of any national critical information infrastructure (CII), for example SingHealth, are complex … Hence a more systematic and holistic approach needs to be adopted when planning and implementing the overall cyber defence capability for CIIs,” he added.
The cyberattack on SingHealth’s database in July is Singapore’s most serious breach of public data to date. In all, 1.5 million patients’ non-medical personal data were stolen, while 160,000 of those had their dispensed medicines’ records taken too.
Among those affected was Prime Minister Lee Hsien Loong, with the attackers targeting his personal particulars and information about his medicines.
Database administrators from IHiS discovered the breach on Jul 4.
Since September, a COI has been holding public hearings to investigate what happened during the data breach.
Members of the public were also invited to submit written representations between Sep 11 and Oct 31, and a total of 26 submissions were received, it was revealed on Friday.
Many of the submissions contain “useful points”, said Solicitor-General Kwek Mean Luck, but none of the contributors will be called upon to give further evidence before the COI.
"NOBODY CAN GUARANTEE 100 PER CENT CYBER DEFENCE"
During his testimony, Dr Lim, who leads his company’s vulnerability research and development, pointed out the magnitude of the task that cyber defenders face in keeping systems secure.
“The common saying is that you have to do it right every time, but the attackers just need to (get through once),” he said.
“We need to be mentally prepared that cyberattacks will happen. It's not a question of if, but when they happen.”
As such there is a need for early detection of potential threats, said Dr Lim.
“Organisations should try to push the defence further outward, putting in place more sophisticated detection and monitoring capabilities to detect advanced threats as early as possible,” Dr Lim added.
Stressing the need to be proactive, Dr Lim also listed several recommendations, including mandatory implementation of 2-Factor Authentication (2FA) or multi-factor authentication to further protect data stored in the Electronic Medical Record (EMR) system.
For convenience, staff could be required to complete 2FA when they first access the database rather than at every login, Dr Lim suggested. To further improve security, a time limit could be set on every session.
Another measure that should be implemented is the encryption of medical records of patients, stressed Dr Lim.
“Patients’ sensitive medical records such as personal information, medical reports and doctors’ prescriptions are the crown jewels in the EMR system that cyber criminals are after,” he said.
“Any sensitive data in the IT network that are not duly protected … are deemed vulnerable to attack.”
Recognising that such encryption could “degrade the effectiveness” of the system, he said SingHealth and IHiS could consider anonymising all data containing personal identifiers if full encryption was not possible.
To provide extra security, the data retrieval process should include 2FA before data can be de-anonymised.
“Such an approach will also allow the researchers in the healthcare sector to be able to continue their research and analysis using the anonymised data as the individual identity should not be required in their studies,” Dr Lim added.
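As an added illustration of the two recommendations above (2FA completed once per time-limited session, and anonymised records that can only be re-identified behind 2FA), this is example code written for this page, not code from Dr Lim’s report, IHiS or SingHealth; the record fields, the 15-minute session limit and the keyed-HMAC pseudonym scheme are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed pseudonymisation key; in practice it would live in a key management system.
PSEUDONYM_KEY = secrets.token_bytes(32)
SESSION_LIMIT_SECONDS = 15 * 60  # assumed per-session time limit

# Constructed sample EMR records: personal identifiers plus dispensed-medicine data.
EMR_RECORDS = [
    {"nric": "S1234567A", "name": "Patient One", "dispensed": ["metformin"]},
    {"nric": "S7654321B", "name": "Patient Two", "dispensed": ["amlodipine"]},
]


def pseudonym(identifier: str) -> str:
    """Keyed, deterministic pseudonym: researchers can link a patient's records without seeing the NRIC."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def anonymise(records):
    """Return research copies with identifiers stripped; the pseudonym-to-identity map stays in a vault."""
    vault, anonymised = {}, []
    for rec in records:
        pid = pseudonym(rec["nric"])
        vault[pid] = {"nric": rec["nric"], "name": rec["name"]}
        anonymised.append({"pid": pid, "dispensed": list(rec["dispensed"])})
    return anonymised, vault


class Session:
    """2FA is done once at first access; the session then expires after SESSION_LIMIT_SECONDS."""

    def __init__(self, user: str, now: float):
        self.user, self.started, self.second_factor_ok = user, now, False

    def complete_2fa(self, now: float):
        # The actual second-factor verification (OTP, token) is assumed to happen elsewhere.
        self.second_factor_ok, self.started = True, now

    def is_valid(self, now: float) -> bool:
        return self.second_factor_ok and (now - self.started) < SESSION_LIMIT_SECONDS


def can_reidentify(session: Session, now: float) -> bool:
    """Re-identification is allowed only inside a live, 2FA-backed session."""
    return session.is_valid(now)


def deanonymise(session: Session, pid: str, vault: dict, now: float) -> dict:
    """Look up the real identity behind a pseudonym, refusing outside a valid 2FA session."""
    if not can_reidentify(session, now):
        raise PermissionError("re-identification requires a valid 2FA session")
    return vault[pid]
```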
The hearings are expected to resume on Monday.