Government accepts committee’s findings on SingHealth cyber attack

SINGAPORE — The Government accepts all findings by the Committee of Inquiry (COI) set up to investigate the SingHealth cyber attack that occurred between June 27 and July 4 last year, Communications and Information Minister S Iswaran said in Parliament on Tuesday (Jan 15).

The four-member COI, led by retired judge Richard Magnus, submitted its report to Mr Iswaran on Dec 31 and released its 450-page report to the public on Jan 10 detailing its key recommendations and findings.

In Singapore’s worst cyber attack to date, hackers stole the personal data of 1.5 million SingHealth patients as well as the outpatient medical records of 160,000 of them, including that of Prime Minister Lee Hsien Loong.

Mr Iswaran said that the Government will “fully adopt” the COI’s recommendations, which include improving cyber-security awareness among employees, performing enhanced security checks — especially on critical information infrastructure (CII) systems — as well as reviewing cyber stack, or the layers of security technology put in place to defend against cyber attacks.

While the COI’s report has helped the Government to sharpen its focus and strengthen its cyber-security measures, Mr Iswaran cautioned that there is “no permanent fix or absolute cyber security”.

“It is a constant battle… This was not the first instance where we were targeted and it will not be the last,” he said.

Actions taken by the Cyber Security Agency (CSA) after the SingHealth cyber attack:

• Instructed all CII sectors to strengthen network security, such as removing non-essential connections to unsecured external networks

• Accelerated implementation of the Cyber Security Act

• Designated all 11 CII sectors by the end of last year, which are now required to adhere to essential cyber-security measures laid out in the Act

• Instructed all CII sectors to review technology measures, such as mandating cyber-security training and awareness programmes and closing any gaps identified

Measures by the Smart Nation and Digital Government Group (SNDGG):

• Use technology to automate cyber-security tasks such as patch management

• Increasing frequency of internal checks and security audits

• Conduct exercises to sharpen readiness of public service officers

• Shore up defences at the perimeter of government systems

• Introduce measures to better detect and respond to intrusions

• Enlist expertise of the larger cyber-security community, such as ethical hackers

Asked by Mr Chirstopher De Souza, Member of Parliament (MP) for Holland-Bukit Timah Group Representation Constituency (GRC), how security checks on CII systems will be monitored, Mr Iswaran said that the Cyber Security Act sets out mechanisms for such audits and compliance checks, which are overseen by the CSA.

The authorities take reference from developments overseas when formulating their practices and regulations.

Cyber-security agencies around the world form partnerships to share intelligence and best practices as cyber threats are constantly evolving, Mr Iswaran said in response to Jurong GRC MP Rahayu Mahzam’s question on whether Singapore benchmarks itself against the technological capabilities and practices of other countries.