SingHealth COI: IHiS’ systems were built for business efficiency instead of security, says CSA chief
While IHiS has done well in implementing technological advances to a large healthcare system, it did not pay enough attention to potential cyber threats arising from tech adoption, says Cyber Security Agency chief David Koh.
SINGAPORE: Cybersecurity should be a key feature rather than “slapped on as an afterthought”, said Cyber Security Agency (CSA) chief David Koh on Wednesday (Nov 14) in the final public hearing of the inquiry into the SingHealth cyberattack.
During his testimony, Mr Koh said that Integrated Health Information Systems (IHiS) – Singapore’s central IT agency for the healthcare sector – had a “relatively low level” of security oversight.
Employees who worked on cybersecurity were embedded in the service delivery group instead of having their own reporting line, he added.
These two points led him to believe that the senior management of IHiS had little line of sight of cybersecurity issues.
“Given that the core mission of the delivery group is to provide IT services to the different clusters, security-related workstreams might be overlooked in favour of service delivery objectives,” Mr Koh said.
Delivering technology to a large governmental healthcare system is a “huge task” in itself. It needs to be managed dynamically and with “due care” since IHiS is holding large amounts of personal and medical data, he added.
As such, the first of three recommendations he made to the Committee of Inquiry (COI) is for IHiS to review its organisational and reporting structure to ensure that cybersecurity considerations are escalated to the appropriate decision makers.
Mr Koh likened cybersecurity to the brakes of a car. One will only go fast when there are good brakes. That’s what protects us, he told the committee. It is a key enabler for tech adoption.
Mr Koh also said stronger, multi-layered security mechanisms should have been in place around IHiS’ “crown jewels” - the electronic medical records of all SingHealth patients.
It would be similar to the measures taken to protect a physical space such as a bank, he said, adding that that these instincts should be ported over when dealing with cyberspace.
“Like a safe in a bank, privileged access to these records should have been behind closed doors, only accessible to a tightly-controlled group of people. A cyber-equivalent of tripwires, surveillance cameras and alarms should have been in place to monitor access, and to look out for suspicious activity,” he said.
During the data breach, the abnormally large number of queries to SingHealth’s electronic medical records database was not flagged until performance issues arose, Mr Koh said. This was because the outdated computer systems were designed from the business efficiency perspective without the right cybersecurity measures, he explained.
Mr Koh recommended that IHiS adopt a “defence-in-depth” approach when developing or upgrading their systems and networks. He added that they should regularly review their systems to ensure that the necessary security and mitigation measures are in place.
His third recommendation was focused on raising the level of awareness and cyber hygiene of healthcare personnel as well as improve training and adherence to standard operating procedures (SOPs).
He added that IHiS and all public healthcare clusters have to improve the level of cyber hygiene among front-end users such as doctors, nurses, pharmacists and administrators.
As for cybersecurity personnel, Mr Koh said that there was a “lack of clear understanding” of SOPs and reporting protocols for security incidents. There was also an initial failure to recognise that a malicious attack had occurred, he added.
IHiS should conduct a thorough review of its processes to ensure that there are no gaps, followed by a “thorough and systematic” training of staff to make sure they know exactly what steps to take in the event of a cybersecurity incident, he said.
Despite those criticisms, Mr Koh added that the gaps uncovered as a result of the cyberattack are in the midst of being fixed. Mitigation measures such as the 18 additional security measures introduced in November are in line with CSA’s technical recommendations and will help to enhance to cybersecurity posture of IT systems within the public healthcare sector, he added.
“In my view, they should not be a sweeping indictment of the overall cybersecurity posture of the healthcare sector, nor does it call into question the capabilities or commitment of IHiS management or staff as a whole,” he said.
He added that IHiS is aware of the evolving threat landscape and is headed in the “right direction” cybersecurity-wise.
“IHiS needs, and has demonstrated resolve to learn from the SingHealth incident, and take the necessary to make improvements within the organisation - technical, operational, structural and process improvements,” he said.
The online attack is Singapore’s most serious breach of personal data to date. A total of 1.5 million patient records were accessed and 160,000 individuals had their outpatient dispensed medicine’s records taken, including that of Prime Minister Lee Hsien Loong.
READ: If they were looking to embarrass me, they would've been disappointed: PM Lee on SingHealth cyberattackers
The COI has concluded all scheduled hearings for the fact-finding phase of its inquiry process, the committee said in a statement.
The hearings, which started on Aug 28, took place over 20 days. The committee heard evidence from 37 witnesses including five experts, and received 26 written submissions from individuals, organisations and industry associations.
The closing submissions from the Attorney-General’s Chambers, SingHealth, IHiS, MOH Holdings and the Ministry of Health will be heard on Nov 30, said the committee.