SINGAPORE: A four-member Committee of Inquiry (COI) was appointed on Tuesday (Jul 24) to look into the SingHealth cyberattack, considered to be the most serious breach of personal data in Singapore’s history.
Minister-in-charge of Cybersecurity S Iswaran said on Jul 20 he would convene the COI to investigate the incident, and the body will be chaired by retired chief district judge Richard Magnus.
On Tuesday, the Ministry of Communications and Information (MCI) in a press release gave more information on its makeup, saying he would be joined by three more members.
These include Mr Lee Fook Sun, chairman of Quann World, Mr T K Udairam, group chief operating officer of Sheares Healthcare Management and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress (NTUC).
In a statement, Mr Magnus said: "This is a responsibility that I take seriously. I will work with the COI members to ensure that we fully deliver on this important task which has been entrusted to us.”
The COI was tasked to establish the events and contributing factors leading to the cyberattack on SingHealth’s patient database system on or around Jun 27 this year, and the subsequent stealing of data from the network.
It will also look at how Integrated Health Information Systems (IHiS) and SingHealth responded, and recommend measures to enhance the incident response plans for similar incidents and measures to better protect SingHealth’s IT system against similar attacks.
With these findings, the committee is to also recommend measures to reduce the risk of such cyberattacks on public sector IT systems which contain large databases of personal data including in the other public healthcare clusters, MCI said in the press release.
The COI will conduct private and public hearings, and is to submit a report on its findings and recommendations to Mr Iswaran by Dec 31, 2018, it added.
The minister, during his speech at the ministry’s annual workplan seminar on Tuesday, said the SingHealth cyberattack is an example of incidents that threaten to erode the “precious trust” in the institutions in Singapore, which has been painstakingly built up.
“This incident was a deliberate and sophisticated attack that caused the most serious breach of personal data in Singapore’s history,” Mr Iswaran said. “But we were also fortunate because it could have been worse. We were fortunate that there was early detection in the exfiltration of data.”
He added that while the Government will do everything it can to strengthen its systems, it cannot completely eliminate the risk of another cyberattack.
“That is the nature of this ongoing battle. The would-be attackers are constantly developing new capabilities even as we reinforce our IT systems,” he said.
He also reiterated his earlier message, as well as that of Prime Minister Lee Hsien Loong, that the incident, or any others like it, should not be allowed to derail Singapore’s Smart Nation plans.
“Digital is the way of the future,” Mr Iswaran said. “We must adapt ourselves to operate effectively and securely in the digital world, to deliver better public services, enhance our economic competitiveness and create opportunities for our enterprises and our people.”
DATA REGULATIONS TO BE UPDATED
The minister also pointed out that one of the Government's responsibilities is to provide transparent, effective and progressive regulations, including those governing data.
He said the Personal Data Protection Act (PDPA) is currently being reviewed to strike the right balance between organisations' legitimate need to collect and use personal data and people's concern for greater accountability for the use of such data.
In a response to Channel NewsAsia's queries on Tuesday, an MCI spokesperson said the Personal Data Protection Commission (PDPC) has been notified of the cyberattack and will investigate the matter.
SingHealth and IHiS are corporate entities which are bound by the PDPA, the spokesperson added.
"PDPC will take into account the Committee of Inquiry’s report in its determination/assessment of any appropriate action to be taken," the spokesperson said.
Other initiatives to strengthen the local regulatory landscape include the development of Singapore's own certification system, said Mr Iswaran. The Data Protection Trustmark will recognise organisations with high standards of data protection and facilitiate cross-border data exchanges, he said.