It was without a doubt Defence Minister Ng Eng Hen’s show. Whether in explaining why footballer Ben Davies was not allowed to defer his National Service obligation so that he can play in the prestigious English Premier League or in revealing the lapses and breaches by the men in green that led to the death of national serviceman Dave Lee, the Minister was uncompromising, stout and open.
His performance was in stark contrast to those of his Cabinet colleagues, Health Minister Gan Kim Yong and Communications and Information Minister S Iswaran. Like Ng, the two addressed Parliament on Monday (6 August) to explain the cybertheft of 1.5 million medical records of public hospital patients, including those of the Prime Minister. And did the two add to a better understanding and appreciation of the biggest cyberattack in Singapore’s history? Sad to say, no.
It was made worse when Gan tried to dance around opposition MP Sylvia Lim’s question as to why there was a 10-day delay in telling the public about the hacking of their records. We didn’t have enough information, he said. Public Relations 101 tells you that staying silent during a crisis is just not on, especially in a world where social media can go to town with half-baked stories. It must have left many wondering why there was a need for the ministerial statements, which are used by ministers to bring an important matter to the attention of the House.
The cyberattack was the most serious breach of personal information in Singapore’s history and was carried out by those who used sophisticated tools to remain undetected before stealing the patients’ information. It was serious enough for Gan and Iswaran to release ministerial statements but the worrying part of this exercise was that there was no real attempt to zero in on the vital question: Why didn’t SingHealth, under whose watch the data was stolen, follow the civil service practice of separating internal computer systems from the Internet?
Nineteen parliamentary questions were asked on the cyberattack but none went to the core of the issue. One question did try but it elicited a non-answer. “While SingHealth and Integrated Health Information System are private companies, their information databases are part of Singapore’s critical information system infrastructure,” said Iswaran. He failed to explain why SingHealth didn’t delink the two computer systems
Hidden in Iswaran’s response is the brewing issue of leadership. As the government allows more of its organisations to become semi-autonomous, how ministers and permanent secretaries deal with the CEOs of these outfits takes on added meaning. In the case of SingHealth, which was incorporated as a private company, top government leadership has been found wanting as there doesn’t seem to have been clear instructions given to those under their purview.
Only three years ago, leaders at the Singapore General Hospital and the Health Ministry had to grapple with a Hepatitis C outbreak that killed four patients. Again, the lackadaisical approach by SGH in informing its bosses at the Ministry and the public was highlighted by many. The information flow to the Ministry came two months after the first few cases were detected and the Minister was told one month after that.
In light of recent events, it appears that the lessons of the SGH scandal were not fully understood and learnt. It is now up to the Committee of Inquiry looking into the circumstances that led to the SingHealth debacle to identify the leadership weaknesses that the cyberattack has exposed.