A four-member Committee of Inquiry (COI) was selected to probe the recent cybersecurity breach of SingHealth’s patient records, which has been dubbed the largest data breach in Singapore’s history.
In a press release by the Ministry of Information and Communication (MCI), the COI, which was convened yesterday on 24 Jul, will be spearheaded by former Chief District Judge and current member of the Public Service Commission, Mr Richard Magnus.
Mr Magnus said: “This is a responsibility that I take seriously. I will work with the COI members to ensure that we fully deliver on this important task which has been entrusted on us.”
The remaining members of the COI are Executive Chairman of cybersecurity solutions company Quann World, Mr Lee Fook Sun; group Chief Operating Officer of healthcare technology company Sheares Healthcare Management, Mr T.K. Udairam; and Assistant Secretary-General of the National Trades Union Congress, Ms Cham Hui Fong.
Previously, Minister-in-charge of Cybersecurity S Iswaran declared that he will call upon the COI to look into the SingHealth cyber attack.
“It is an important step in getting to the bottom of the incident and keeping Singaporeans’ trust in our systems,” said Mr Iswaran.
According to the Terms of Reference for the COI, the COI’s tasks include establishing “the events and contributing factors leading to the cybersecurity attack on Singapore Health Services Private Limited (SingHealth)’s patient database system on or around 27 June” this year, and “the subsequent exfiltration of patient data therefrom”.

The COI will also investigate how the “Integrated Health Information Systems Private Limited (IHiS) and SingHealth responded” to the data breach, on top of recommending “measures to enhance the incident response plans for similar incidents” and to increase the protection of “SingHealth’s patient database system against” similar breaches.
Measures “to reduce the risk of such cybersecurity attacks on public sector IT systems which contain large databases of personal data, including in the other public healthcare clusters” will be discussed as a part of the COI’s task.
The COI will also, “in accordance with the provisions of the Inquiries Act”, hold public and private inquiries, and “consider the evidence put before the COI as led by the Attorney-General or his designates”, before submitting “a report of its proceedings, findings and recommendations” to Mr Iswaran by 31 Dec 2018.
Speaking at the MCI Workplan Seminar at Orchard Hotel yesterday, Mr Iswaran said: “This incident was a deliberate and sophisticated attack that caused the most serious breach of personal data in Singapore’s history.”
However, he added: “But we were also fortunate because it could have been worse. We were fortunate that there was early detection in the exfiltration of data.”
He also stressed that while the Government is channelling its maximum efforts to buttress its systems, Singapore cannot completely eliminate the risk of another cyber attack.
“This is the nature of this ongoing battle. The would-be attackers are constantly developing new capabilities even as we reinforce our IT systems,” he said.
“It is also crucial that we do not allow this incident, or any others like it, to derail our plans for a Smart Nation,” he added.
The cybersecurity breach affected personal medical data, such as outpatient prescriptions, of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong.