SINGAPORE: Against the backdrop of an increase in online threats, Australia is focused on making sure its citizens’ data is properly safeguarded by designing its IT systems and processes with security as a key component from the start, rather than tacked on later.

Ms Narelle Devine, chief information security officer of the Australian Government Department of Human Services, said during a panel session at RSA Conference on Thursday (Jul 26) that the threat landscape is complex and it is getting “less easy to tell” if a cyberattack is committed by a cybercriminal group or by state actors.

This, she explained, is because there is a “crossover” of skills between what the cybercriminals usually have and those of nation-state perpetrators.

The SingHealth cyberattack, considered to be the most serious breach of personal data in Singapore, is an example of how the environment for governments and corporations is fraught with danger.

While declining to comment directly on the SingHealth incident, Ms Devine pointed out that such attacks do not change her agency’s perspective on the issue. In fact, the agency has put a lot of effort into making sure its IT systems were developed with cybersecurity in mind from the beginning.

She told Channel NewsAsia on the sidelines of the panel session that while there might be a minimum compliance level in place with regard to securing its systems, “compliance is not resilience”. Resilience, the ability to recover following a breach, also has to be baked in institutionally through measures like regular, strict testing.

Australia is an interesting case study as it is also trying to move its citizens onto its electronic health records platform, called My Health Record. It is meant to allow patients and doctors to upload medical information, such as prescriptions and medical summaries, to an online account. Users can configure who can see what, and which third parties are allowed access to their health data.

However, there have been concerns over how the platform is being secured, and over whether people would be aware of the privacy controls included in the platform and know how to use them, according to local media reports.

There have been similar data privacy concerns here as Singapore looks to revamp its healthcare law to make data contributions to the National Electronic Healthcare Record (NEHR) system mandatory for both public and private healthcare providers.

NEHR is a platform that brings together patient records, such as medication and laboratory reports, from different care providers and shares that information across providers.

Following the cyberattack on SingHealth’s patient database, authorities said the plan for mandatory contributions to the NEHR is paused until further notice.

NOTIFY, BUT WITH FACTS

On the legal end, the Australian Government this year amended its laws to include mandatory breach notifications and to set a timeframe of 30 days for affected parties to inform authorities of such incidents, the official said.

Singapore, too, has its Cybersecurity Act, which was passed in Parliament this February but has not yet come into force, and which does not stipulate a timeframe for breach notifications.

As for how governments should inform citizens of such state-level cyberattacks, Ms Devine said it is all about balance.

“There is an element of being transparent to people,” she explained. “This has to be balanced by the authorities providing factual reasons and information (regarding the incident).”

She added: “In general, there is a need to give people the time and space to do that (notification).”