Cyber security not just a ‘technical issue’ for IT personnel to handle: CSA CEO

SINGAPORE — Cyber security should be viewed like the brakes of a car, in that one could “go fast” if one had “good brakes”, said the chief executive officer of the Cyber Security Agency of Singapore (CSA) on Wednesday (Nov 14).

Mr David Koh, chief executive officer of the Cyber Security Agency of Singapore, at the Committee of Inquiry hearing of the SingHealth cyber attacks.

Testifying on the last day of public hearings into the cyber attacks on national health cluster SingHealth, Mr David Koh — who is also the Defence Ministry’s Defence Cyber Chief — used the car analogy to illustrate his point about how cyber security should be seen as a “key enabler” instead of “a drag” on technology adoption.

Neither is cyber security just a “technical issue”, nor is it a problem that only IT personnel handle, he added.

Cyber security should instead be viewed as a risk management issue that is built in “as a key feature, rather than slapped on as an afterthought”.

“As with all high-level business risks, it should be managed at the appropriate level of leadership,” Mr Koh told the four-member Committee of Inquiry (COI) convened to investigate the data breach.

In the SingHealth cyber attacks, sophisticated hackers stole the personal data of 1.5 million patients as well as outpatient prescription information of 160,000 of them, including Prime Minister Lee Hsien Loong.

Mr Koh noted that the IT security team at the Integrated Health Information Systems (IHiS) — the Health Ministry’s info-technology arm — was part of the service delivery group.

“Given that the core mission of the delivery group is to provide IT services to the different clusters, security-related workstreams might be overlooked in favour of service delivery objectives,” he said, adding that the “legacy system” which IHiS had was built on a “service delivery” purpose.

A clearer reporting structure for the IT security team, with a direct line to senior management, should be encouraged, he suggested.

While delivering technology to the healthcare sector is a huge challenge, Mr Koh told the committee that focusing primarily on delivery and not being cognisant of cyber threats would mean that “we are expanding the potential attack surface”.

A “defence-in-depth” approach when developing and upgrading networks should be in place, he added, echoing calls made by other experts to have stronger, multi-layered security mechanisms to guard IHiS’ “crown jewels” — the electronic medical records of SingHealth’s patients.

“Like a safe in a bank, privileged access to these records should have been behind locked doors, only accessible to a tightly-controlled group of people,” Mr Koh said.

He also raised the point other experts made about the need to beef up training, as well as adhering to standard operating procedures. Those in the cyber-security ecosystem should be given essential training, and would benefit if they have access to senior leadership, Mr Koh added.

While IT security staff members need to be given “systematic training” to maintain standards, Mr Koh said organisations in the healthcare sector need to also improve the level of cyber hygiene among “front-end users”.

These include doctors, nurses and pharmacists. “Front-end users are often the weakest link in cyber security,” Mr Koh said.

“Cyber security is not the problem of the IT people. It is everyone’s problem. It is important for us to have similar initiatives for cyber security as we (would) in physical security,” he stressed.

Still, despite the gaps pointed out throughout the course of the COI hearings, Mr Koh said that IHiS was “strategically headed in the right direction” in its cyber security framework.

“The gaps that were found as a result of the SingHealth cyber attack were real, but they are being fixed.

“In my view, they should not be a sweeping indictment of the overall cyber security posture of the healthcare sector, nor do they call into question the capabilities or commitment of IHiS management or staff as a whole,” Mr Koh told the committee.

Mr Koh’s testimony on Wednesday capped off 20 days of hearings, where 37 witnesses came forward to give evidence to the COI.

The closing submissions for all parties involved, including SingHealth, IHiS, as well as the Attorney-General’s Chambers — which is leading evidence in the COI — will be heard on Nov 30.

RECAP OF THE COI HEARINGS FOR THE SINGHEALTH CYBER ATTACKS

Since Aug 28, the COI has heard evidence from 37 parties, in its investigations into the unprecedented cyber attacks on SingHealth's patient records system.

The first hearing was held behind closed doors on Aug 28. The secretariat had previously said that it was in the interests of national security to conduct some hearings in private, or in camera. Otherwise, the evidence may be exploited to carry out more cyber attacks, for example, or patients' personal data may be revealed.

Among the witnesses at the hearings were IHiS chief executive officer Bruce Liang, SingHealth’s group chief executive officer Ivy Ng, as well as General (Retired) Keith Alexander, the former director of the United States’ National Security Agency.

The four-member COI is chaired by retired senior judge Richard Magnus. Its other members are Mr Lee Fook Sun, executive chairman of cyber-security firm Ensign InfoSecurity; Mr T K Udairam, group chief operating officer of healthcare technology firm Sheares Healthcare Management; and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress.

After hearing the closing submissions from the parties involved, the COI will have to submit its report to Mr S Iswaran, Minister-in-charge of Cybersecurity, by Dec 31.
