Confirmation prompts for emails among 13 data security measures to be rolled out across public sector
The Public Sector Data Security Review Committee says these recommendations come after its in-depth inspection of five Government agencies’ IT systems, including the Health Ministry and CPF Board.
SINGAPORE: The high-level committee tasked with reviewing data security practices across Singapore’s public sector is recommending that 13 technical measures, including confirmation prompts for emails with sensitive data, be implemented immediately and ahead of its final report to Prime Minister Lee Hsien Loong later this year.
In a progress report issued by the Smart Nation and Digital Government Office (SNDGO) on Monday (Jul 15), the Public Sector Data Security Review Committee said it is completing a comprehensive review of the civil service’s data security regime.
This includes a government-wide stocktake of data management practices and in-depth inspections of key IT systems, it said.
According to an SNDGO spokesperson, the in-depth inspections focused on the IT systems of five agencies that deal with high volumes of sensitive data.
These agencies are the Ministry of Health, Health Sciences Authority (HSA), Health Promotion Board (HPB), Central Provident Fund Board and the Inland Revenue Authority of Singapore, the spokesperson added.
Singapore's healthcare sector agencies have been plagued with data breach incidents over the past year.
Last July, news of the most serious breach of personal data in Singapore’s history broke, with 1.5 million SingHealth patients’ records - including that of the prime minister - accessed and copied.
This was followed by the revelation this January that the HIV-positive status and personal information of 14,2000 people from the country’s HIV registry had been leaked online by Mikhy Farrera Brochez.
The US citizen had previously worked as a lecturer in two polytechnics in Singapore but returned home after serving time for fraud and drug-related offences.
The HSA in March then revealed that the personal information of 808,201 blood donors was left exposed online for nine weeks from Jan 4 after the data was mishandled by one of its IT vendors.
The vendor, Secur Solutions Group, subsequently said that the information had been accessed illegally and possibly stolen.
The committee said the current security regime has “strong fundamentals” but there is a need to strengthen it for the future, given the increasing complexity of the IT systems, the greater demand for the use of data to provide digital services to the public and the need to use data for better policy-making.
It is thus looking at enhancing the regime in three ways: Technical, process and people strategies, the press release said.
For technical measures, specifically, the release said that the Government agrees with the committee’s recommendation to immediately deploy several readily implementable ones for existing and new systems to strengthen data security standards.
The most immediate ones focus on the sending and receiving of data, it said.
These include: Having a data file integrity verification system so the contents are not tampered with; strengthening password and encryption requirements across more types of data files; and having prompts before public servants send out emails that include sensitive data.
The SNDGO spokesperson said the aim is to have these three measures deployed across the public sector by the end of the year.
The Government will progressively roll out 10 other technical measures recommended such as tokenisation, partitioning of data according to the level of sensitive data within and having enhanced logging and active monitoring of data access.
There is no stated timeframe for completion.
Besides the technical measures, the committee is also looking at process and people measures to round out its recommendations. These include measures to better ensure high data protection standards by third parties that handle Government data as well as those helping to raise the data security capabilities among public officers.
The review committee was convened by Mr Lee in March and is chaired by Senior Minister and Coordinating Minister for National Security Teo Chee Hean.
Other ministers involved with the country’s Smart Nation efforts such as Foreign Minister Vivian Balakrishnan, Communications and Information Minister S Iswaran and Trade and Industry Minister Chan Chun Sing are also included.
The findings and recommendations are to be submitted to the prime minister by Nov 30.