SingHealth cyberattack: IHiS, public healthcare system to see enhanced governance, changes to organisational structure

SingHealth cyberattack: IHiS, public healthcare system to see enhanced governance, changes to organisational structure

person using computer
A person using a laptop. (File photo: AFP)

SINGAPORE: Several changes will be made to enhance the governance and organisational structures across Singapore's public healthcare institutions and IHiS, including splitting the dual role currently held by a key executive, who is both the chief information security officer (CISO) at the Ministry of Health (MOH) and the director of cybersecurity governance at IHiS.

This was announced by Health Minister Gan Kim Yong in Parliament on Tuesday (Jan 15), following recommendations by a Committee of Inquiry (COI) into the cyberattack on SingHealth, which resulted in the biggest data breach in Singapore.

The four-member COI was tasked to establish the events and contributing factors leading to the cyberattack on SingHealth’s patient database system in which 1.5 million patients' non-medical personal data were stolen.

READ: SingHealth COI report: 16 recommendations put forward in dealing with IT security incidents

READ: SingHealth COI: Possible conflicts of interest raised as IHiS leaders had roles in Health Ministry

One of the COI’s recommendations was for an enhanced security structure across IHiS and the public healthcare institutions.

As such, the dual role of MOH CISO and the director of cybersecurity governance at IHiS will be separated, Mr Gan said.

The MOH CISO will be supported by a dedicated office at the ministry and report to the Permanent Secretary. The MOH CISO office will be the cybersecurity sector lead for the healthcare sector and will coordinate efforts to protect critical information infrastructure in the sector, and ensure that the sector fulfils its regulatory obligations under the Cybersecurity Act.

For its part, IHiS will have its own separate director of cybersecurity governance.

There will be also be changes at the cluster level.

“Together, these moves will strengthen oversight and minimise potential conflicts of interest between cybersecurity and operational demands,” he said.

READ: ‘The attacker could have been stopped': SingHealth COI report


Mr Gan also said that MOH will establish a more robust "Three Lines of Defence" structure within public healthcare, in order to make the system more resilient and robust against emerging and evolving cyber threats.

The first line will comprise staff who develop, deliver and operate the IT systems, while the second line comprises those with specific responsibility to oversee security strategy, risk management and compliance. The third line of defence comprises checks and assurances independent of IHiS and our healthcare clusters, and independent of the first two lines of defence.

As part of these, a dedicated Cyber Defence Group will be set up in IHiS headed by a senior leader.

The strengthened group will have independent oversight of cybersecurity implementation, compliance and risk management, and will oversee incident reporting and management, Mr Gan said.

"This will ensure that cybersecurity is managed at the senior management level, and an appropriate balance is struck between service delivery and cybersecurity considerations,” Mr Gan added.


A “Virtual Browser” will also be piloted this quarter in the National University Health System, allowing users access to the Internet and intranet systems on the same device.

These browsers will be deployed in selected job functions at selected departments and clinics. Some of the job roles participating in the pilot include frontline pharmacists, and emergency department clinicians.

Such a browser, trialed even before the cyberattack, allows access to the Internet through strictly controlled and monitored client servers.

“If we imagine loading a webpage or downloading a file from the Internet to be like receiving a letter, the client server is like a decontamination room where the letter is opened and only a picture is taken and sent to the recipient,” Mr Gan explained. He said the recipient reads the letter only via the picture that was taken, and does not touch the letter itself.

This process makes things safer for the recipient as malicious material or hidden messages are left behind in the decontamination room, he said.

While he acknowledged that such a solution does not fully eliminate cybersecurity risks, it reduces the attack surface “significantly”, while minimising impact on service efficiencies and patient care.

Apart from this small group of pilot Virtual Browser users, all other public healthcare staff will remain on Internet Surfing Separation, which was implemented immediately after the cyberattack.

Mr Gan also said that mandatory contribution of patient medical data to the National Electronic Health Record (NEHR) system will continue to be deferred, as it undergoes a series of cybersecurity assessments conducted by Cyber Security Agency, GovTech, and independent firm PWC.

“As the NEHR is an important large-scale national system, we want to be fully assured that all the necessary safeguards are in place to handle the evolving cybersecurity threat landscape,” he said.

Source: CNA/ja(aj)