After a series of data breach cases recorded in Singapore in the past year, the entire public service will now be required to follow a common framework to protect citizens’ personal data, starting with 13 new measures.
These digital measures, a few of which are being implemented, aim to make databases unusable if the information in them has been wrongly extracted, detect abnormal transmissions and limit users’ access rights.
These technical measures were announced on Monday (15 July) and are the first of many to come from a new Public Sector Security Review Committee, which was convened by Prime Minister Lee Hsien Loong in April 2019.
They follow a government-wide stocktake of how data management was conducted at five important agencies in Singapore that handle citizens’ medical and financial data.
Examples of the measures include encrypting sensitive files and keeping extremely private information about individuals, such as one’s HIV status, hidden in a separate system with tighter controls. Besides that, the personal information of ministers and other prominent individuals is also to be placed in different systems with more stringent protection.
These 13 new measures are said to rest on a common definition of what is required for sensitive information, as laid out in the new Information Sensitivity Framework. It will also replace the current practices of public agencies, many of which designed those practices themselves.
All 13 measures will eventually be implemented in accordance with the highest level of protection for the most sensitive information. For example, the databases of patients with infectious diseases and of individuals who are declared bankrupt will have the highest form of protection, involving most, if not all, of the 13 measures.
Additionally, more measures will be introduced later on and will be included in the committee’s final report due this November. Some of the planned measures include methods to better handle third-party vendors as well as train government servants on data security practices in order to prepare Singapore for a safer digital future.
“These include measures to better ensure high data protection standards by third parties that handle government data,” noted a spokesman from the Smart Nation and Digital Government Office.
The committee was formed following a series of cyber-security breaches over the year, including the most recent incident, in which the personal data of over 800,000 blood donors was retrieved illegally and uploaded on an unauthorised server for more than two months. Secur Solutions Group, a Health Sciences Authority technology vendor, was said to be responsible for the incident.
As if that were not all, in January this year, the Ministry of Health (MOH) said that the private information of 14,200 HIV-positive individuals had been leaked by an American named Mikhy Farrera-Brochez who had lived in Singapore. He got hold of the data through his partner, Ler Teck Siang, a local doctor who at one time headed MOH’s National Public Health Unit.
However, the worst cyber-attack that hit the Republic involved the database of the country’s largest public healthcare cluster SingHealth, and it happened in June last year. Hackers managed to secure the personal information of 1.5 million patients and outpatient prescription information of 160,000 individuals, including PM Lee.
Lapses highlighted in AGO report
Just yesterday (16 July), the Auditor-General’s Office (AGO) released its latest report where it highlighted lapses in the IT controls mainly in the Ministry of Manpower (MOM), Singapore Customs and the Ministry of Defence (MINDEF).
It said that MOM did not know that five servers for two of its IT systems had been unable to send logs to its IT security monitoring system for nearly seven months because of outdated configurations. Besides that, its operating system (OS) operators, who were all outside vendors, had unrestricted access to the IT system processing work permits and employment passes.
“Any unauthorised activity could compromise the confidentiality and integrity of the data in the system. The administrators could delete audit trails to remove any trace of unauthorised activities carried out,” said AGO.
On top of that, seven vendor staff at Customs had access to the most privileged OS user account without password authentication. They could do so on six out of the seven system servers checked by AGO.
As for MINDEF, it had not reviewed the access records by vendors to its controlled information since 2014. Additionally, AGO noted that a number of IT vendor staff were granted access to read personnel and payroll information.
Although the government is now trying to curb the problem by rolling out these 13 new measures, what is interesting is that they seem to place more importance on the personal data of ministers than on that of citizens, since the ministers’ data will be kept in different systems with more stringent protection.
As such, we can’t help but wonder why the personal information of a regular citizen is treated any differently from that of the ministers.
Shouldn’t all Singaporeans be protected with the same level of security?