In his opening statement at the start of the Committee of Inquiry’s (COI) public hearings on the SingHealth data breach, Solicitor-General Kwek Mean Luck gave an overview of the incident and noted a few key factors that led to the breach.
Among the factors, he stated that a potential flaw in the software which may have contributed to the breach was flagged to the Integrated Health Information Systems (IHiS) as early as 2014. However, IHiS took no action despite this vulnerability being specifically flagged.
This is a rather disturbing finding. It is one thing if IHiS was caught off guard but quite another if it took no action despite being told of a vulnerability within the system. Is this gross negligence?
IHiS would appear to be no stranger to glitches. Hot on the heels of the SingHealth cyber security breach, it appeared to be at the centre of a medicine dosage glitch which led to over 800 GP patients receiving mislabelled medicine after a glitch hit the Ministry of Health's GPConnect system. While IHiS has apologised for this mistake, it is important to note that the consequences of such a breach could have been colossal. In mistakes such as these, is a mere apology enough?
Mr David Koh, chief executive of the Cyber Security Agency of Singapore, has said that CEOs and other decision-makers should be held accountable whenever a cybersecurity breach takes place. In view of that statement, should the higher-ups within IHiS similarly be held accountable?
What does accountability mean? Is it just a simple case of apology and business as usual thereafter?
In the case of IHiS which seems to have a catalogue of errors under its belt, I would think that a total overhaul of its top brass is required. It was told of a vulnerability it did nothing about. This was then followed by a cyber security breach on such a massive scale that our Prime Minister's details were also illegally accessed. This is then followed by the mislabelling of medication. All of these missteps lead me to think that IHiS is very poorly managed and if that is indeed the case, it would only be fair to the public that the management team is completely overhauled. IHiS is after all funded by public monies.
We will have to wait for the final results of the COI to see what the repercussions are. However, I hope it is not a slap on the wrist and business as usual. The sheer negligence of failing to take action after being tipped off on a vulnerability is beyond belief.