Workplace cultural issues need addressing: IHiS chief executive

(FILE PHOTO: Yahoo News Singapore)

Even as Integrated Health Information Systems (IHiS) announced new and strengthened cybersecurity measures in the wake of July’s SingHealth cyber attack, its chief executive also acknowledged on Thursday (1 November) that its workplace cultural issues – such as lack of initiative and sharing of information – need addressing.

Bruce Liang told the Committee of Inquiry (COI) looking into the cyber attack that he was dissatisfied with the response of the team in charge of security incidents involving SingHealth.

This comes after Ernest Tan, a senior manager of IHiS’ security management department, testified on Wednesday that, despite knowing about suspicious logins to the patient database, he was reluctant to raise the alarm to his superiors. This was because he feared that he and his subordinates would be working “non-stop” to “deliver answers”.

This had led to a delay in the reporting and detection of the cyber attack, which saw hackers make off with the personal data of 1.5 million SingHealth patients between 27 June and 4 July this year.

‘More initiative across the organisation’

Liang acknowledged that, while there were staff who showed initiative in reporting cyber incidents, he needs “to see more initiative across the organisation”.

When Solicitor-General Kwek Mean Luck, who is leading the COI, asked Liang how to improve the systems of detection and reporting, he replied, “There is a certain amount of judgment involved. The culture should be that even if you’re not sure, consult your peers, reports upwards, keep (supervisors) in the loop. At the same time, superiors also have to recognise that people are telling them information without confirmation and should give staff sufficient breathing space.”

On the same day, IHiS said that it has improved its organisational processes and standard operating procedures to “reduce the risks and impact of human errors”. For example, suspicious IT incidents must be reported within 24 hours, even if they cannot be determined during initial investigations.

It said in a media release, “We have also stepped up staff engagement to heighten vigilance against potential threats. This includes increased alerts and reminders to staff, as well as planned roadshows and briefings on cybersecurity. Training for the security team will also be strengthened to enhance their ability to prevent, detect, and respond to advanced and evolving cyber threats.”

18 new security measures

IHiS has also initiated 18 new security measures to be implemented progressively. For example, two-factor authentication will be set up, whereby those who are managing workstations and laptops across all public hospitals have to enter an additional password generated either by a security token or delivered by SMS to log into IHiS’ systems.

Also, to further prevent the use of weak passwords, IHiS will manage complex passwords centrally, and automatically update and protect administrator accounts.

It is currently working with the Ministry of Health to come up with a long-term approach to Internet access, and is studying the implementation of Internet Surfing Separation – accessing the Internet using separate terminals which are not connected to internal networks – and alternative methods such as using a virtual browser.
