An exhaustive report that details the events leading up to the cyber attack on SingHealth’s patient database – the most serious data breach in Singapore’s history – has been submitted to Minister-in-charge of Cybersecurity S. Iswaran.
The report sums up and assesses the evidence collected over 22 days of mostly public hearings from 37 witnesses. It also makes recommendations on ways to secure huge databases in order to avoid a similar incident.
In a letter to Mr Iswaran yesterday, the four-member Committee of Inquiry (COI) that looked into the incident said: “This report contains sensitive information and is hence classified ‘Top Secret’.”
“The contents of the report are the unanimous view of all members of the committee,” it added.
The full report on the attack, which is believed to be state-sponsored and the act of sophisticated hackers, is not being published for reasons involving national security.
However, the COI will release a public version of the report, including all its recommendations, by Jan 10, said a Ministry of Communications and Information spokesman. It will be accessible at http://mci.gov.sg/coireport
Mr Iswaran, who is Minister for Communications and Information, and Minister for Health Gan Kim Yong are expected to respond to the report in Parliament when the House sits this month.
In a letter thanking the COI for its report, Mr Iswaran said the panel has closely examined the responses to the incident and submitted a comprehensive set of recommendations to better manage and secure the IT systems of SingHealth, as well as those of other public healthcare clusters and the public sector, against similar attacks.
“The COI report is the result of an extensive fact-finding process and a rigorous inquiry over the past five months,” he said.
“The Government takes cyber security with utmost seriousness,” Mr Iswaran added. “We will learn from this incident and take measures to further strengthen our public sector IT systems and uphold the trust of Singaporeans.”
The high-level COI – chaired by retired senior judge Richard Magnus and with Mr Lee Fook Sun, executive chairman of security firm Ensign InfoSecurity, Mr T. K. Udairam, group chief operating officer of Sheares Healthcare Management, and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress, as other members – was appointed on July 24 to investigate Singapore’s worst data breach.
In June last year, hackers stole the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.
In his closing remarks on Nov 30, Mr Magnus said that organisations must act on the assumption that they are already under cyber attack, proactively identifying and mitigating breaches.
Solicitor-General Kwek Mean Luck from the Attorney-General’s Chambers, which led the evidence for the COI, spoke about the importance of organisational culture as cyber defence is everyone’s job, and not just that of the IT department.
Mr Kwek also outlined 16 recommendations, including improving staff’s cyber security awareness and performing enhanced checks.
Organisational culture became a key focus as the COI felt that people are at the heart of all processes and systems.
One issue that came under scrutiny was how certain staff at the Integrated Health Information Systems (IHiS), Singapore’s central IT agency for the healthcare sector, failed to act appropriately to report suspicious network activities.
The lack of situational awareness and training among staff contributed to the breach, which took place from June 27 to July 4.