The robustness or a lack thereof of a cybersecurity system should be viewed as a “key feature” of risk management, not as “an afterthought” and an issue that is exclusive to IT personnel, according to the chief executive officer of the Cyber Security Agency of Singapore (CSA).
In his testimony before the Committee of Inquiry (COI) on the final day of public hearings regarding the probe into the SingHealth cyberattacks, David Koh drew the analogy of car brakes when talking about cybersecurity, saying that one could “go fast” if one had “good brakes”.
Mr Koh, who is also the Defence Ministry’s Defence Cyber Chief, also said on Wednesday (14 Nov): “As with all high-level business risks, it should be managed at the appropriate level of leadership.”
Highlighting that the IT personnel at Integrated Health Information Systems (IHiS) was part of the service delivery team, he suggested that the IT security team should be given a clearer reporting structure that includes a direct channel to upper-level management.
He said: “Given that the core mission of the delivery group is to provide IT services to the different clusters, security-related workstreams might be overlooked in favour of service delivery objectives.”
Consequently, he proposed a “defence-in-depth” approach suggested by other experts which will see more intricate security mechanisms in place to protect what he dubbed the “crown jewels” of IHiS, namely the electronic medical records of SingHealth’s patients.
“Like a safe in a bank, privileged access to these records should have been behind locked doors, only accessible to a tightly-controlled group of people,” said Mr Koh.
“Front-end users” most susceptible to cybersecurity attacks: Mr Koh
Mr Koh added in his testimony that cybersecurity should not only be a part of the healthcare sector’s IT personnel’s concerns, but that “front-end users” such as doctors, nurses and pharmacists should also be trained to face such cyberattacks, as they are “often the weakest link in cybersecurity”.
“Cyber security is not the problem of the IT people. It is everyone’s problem. It is important for us to have similar initiatives for cyber security as we (would) in physical security,” emphasised Mr Koh.
IHiS “strategically headed in the right direction” as “gaps” are “being fixed”: Mr Koh
Despite his grievances regarding the flaws in the cybersecurity landscape in Singapore’s public healthcare system, Mr Koh acknowledged that IHiS was “strategically headed in the right direction,” and that such flaws should neither “be a sweeping indictment of the overall cyber security posture of the healthcare sector” nor “call into question the capabilities or commitment of IHiS management or staff as a whole.”
“The gaps that were found as a result of the SingHealth cyber attack were real, but they are being fixed,” assured Mr Koh.
The closing submissions for all parties involved in the cybersecurity fiasco will be heard on 30 Nov.
The COI on the SingHealth cyber attack, which was dubbed as the largest data breach in Singapore’s history, was convened on 24 Jul.
Chaired by former Chief District Judge and current member of the Public Service Commission, Mr Richard Magnus, the COI comprises four members who were tasked to probe into the cybersecurity breach against SingHealth’s patients’ records in early July, which affected the personal medical data such as the outpatient prescriptions of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong.
