Security measures of HIV Registry in line with prevailing policies in 2012-2013: Health Minister

SINGAPORE — Data protection measures for the HIV Registry in 2012 and 2013 followed the prevailing government policies on classified information and IT security at the time, Health Minister Gan Kim Yong said.

Those were the years when the Ministry of Health (MOH) was investigating allegations that Ler Teck Siang, then head of the National Public Health Unit (NPHU) here, had revealed to other people an American’s human immunodeficiency virus (HIV) status.

The American, Mikhy Farrera Brochez, was Ler’s boyfriend. In November 2012, Brochez informed the authorities here that Ler had disclosed information about him to others. He later also claimed that Ler had shared screenshots of his HIV status with others.

Before the allegations surfaced, the registry’s database was already moved from a secured network drive to a network-based system.

Mr Gan said: “Staff members were briefed on the policies, systems and processes, and regularly reminded of the sensitivity of the information, which they should access on a need-to-know basis.

“All of them signed an undertaking to observe confidentiality obligations under the Official Secrets Act.”

Mr Gan was on Tuesday (Feb 12) delivering a ministerial statement and responding to questions from Members of Parliament (MPs) on the purpose of having an HIV Registry and the safeguards that were put in place.

This came after it was revealed late last month that Brochez had leaked online the confidential information of Singapore’s HIV patients.

Before 2012, the HIV Registry’s file could only be accessed and downloaded from government-issued computers, and it was password-protected.

Staff members working at NPHU — a “very small” number — were allowed to use their personal thumb-drives to download the file at the time, “subject to adherence to data protection policies”, in order for them to carry out routine work such as data entry, contact tracing and analysis, Mr Gan said.

Ler had access to the registry due to his post at NPHU.

“He is believed to have downloaded the HIV Registry into a thumb-drive, and failed to retain possession of it,” Mr Gan said.

Ler has since been charged under the Official Secrets Act (OSA) with mishandling the information.

When the HIV Registry was moved to the new system such that NPHU employees could call up records they require from the network-based system instead of downloading the file, the audit trail was enhanced, Mr Gan said.

In 2014, alerts of multiple failed login attempts were incorporated into the system.

When Non-Constituency MP Leon Perera asked about this, Mr Gan said that such alerts were also triggered if there was “excessive or unusual access to information”.

“This audit trail was not meant to watch what everyone does… (it) would also allow us to look back if something happens.”

Mr Gan added that MOH continues to follow the security policies from the Singapore Government Instruction Manual for Security of Classified Info. “In tandem with the government guidelines, we implemented several controls to tighten our systems.”

DATA SECURITY REVIEW

Between 2012 and 2013, the investigation into Brochez’s allegations did not make much progress because he was uncooperative and did not provide any evidence, and MOH finally got evidence that Brochez may have access to HIV-related data in May 2016.

Several controls were put in place later to tighten the ministry’s computer systems.

For instance, following a data security review in 2016 by MOH’s chief data officer, Mr Gan said that “enhancements” were made to strengthen the NPHU systems.

These included:

• Elevating the approval authority for downloading and decrypting the registry’s data to the level of the director of the Communicable Diseases Division or higher

• Implementing a two-person approval process to download and decrypt the registry’s data, to ensure it cannot be accessed by a single person

• Designating a specific workstation for the processing of sensitive data from the HIV Registry. The workstation is configured and locked down to prevent unauthorised data removal.

Mr Gan said that the NPHU complied to a government-wide policy in 2017 to disable the use of unauthorised portable storage devices on official computers. Instead, only authorised and encrypted thumb-drives would be allowed.

Mr Gan also said that a Data Analytics Group was formed in April last year to “give greater attention to data usage and safeguards”.

A Data Governance Division was then set up within the group to formulate policies, practices and guidelines for the MOH and its agencies, in accordance with data protection requirements in the Government Instruction Manuals and the Personal Data Protection Act, and other MOH sectoral legislation.

“In light of the recent incident, and the increased prevalence of data use across the healthcare sector, it is important to ensure that data security and governance policies are strictly adhered to on the ground,” he said.

The MOH will expand the role and resourcing of the group, with a “specific mandate” and team to look into compliance and audits of data access and use.

PURPOSE OF THE REGISTRY

As for the purpose of having the HIV Registry, Mr Gan said that it contains information of persons diagnosed with HIV in Singapore, and it is needed to monitor the HIV infection situation, conduct contact tracing, and assess disease prevention and management measures.

“The data needs to be identifiable for purposes such as contact tracing to protect those who are contacts of HIV patients,” he said.

Mr Gan also noted that countries such as the United States and Canada also maintain their own registries.

When Mr Perera asked if the number of people with access to such personal data could be reduced “to the absolute minimum”, Mr Gan said that Ler, in his position as head of the NPHU, would still have been accorded the right to access the HIV Registry.

While many of the new safeguards may not have stopped Ler, Mr Gan stressed that it is important to “take a multi-pronged approach to data security”.

Three levels of security were needed to ensure a “robust system of protecting our information”, namely protection, detection and deterrence.

“Deterrence is an important part, so those who want to try have to be mindful of the penalties that could be imposed if you were ever caught,” he said.

“From our audit (trails) over the last few years, we checked what (Ler) did. Based on our investigations, it was legitimate work he did with the MOH. Whether or not he was careful in protecting the data he was using is a separate issue,” he added.

Mr Png Eng Huat, MP for Hougang Single Member Constituency, asked why more safeguards were put in place only three to four years after MOH was first alerted to Ler possibly misusing information in the HIV Registry.

In response, Mr Gan said that even in 2012, the Government had stipulated data security governance policies through instruction manuals. The NPHU were compliant with these policies then.

He reiterated that employees were only allowed to download data on government-issued computers, not their personal ones. However, Ler did not protect the personal thumb-drive he used to store the data. ADDITIONAL REPORTING BY LOUISA TANG