Full ministerial statement on SingHealth cyberattack by Gan Kim Yong
Estimated read time: 1:20
Summary
Gan Kim Yong, Singapore's Minister of Health, addressed a ministerial statement concerning the SingHealth cyberattack, emphasizing patient data protection alongside healthcare. The attack exposed patient information and highlighted cybersecurity shortcomings in IT systems and personnel. Various measures have been implemented to strengthen security, including new technology and stricter governance. These efforts aim to enhance incident responses, secure patient engagement, and guide future cybersecurity improvements. Penalties and commendations were issued to staff and organizations involved, stressing accountability and encouraging improvement.
Highlights
- Gan Kim Yong issued an apology on behalf of the healthcare system for the data breach. 🙏
- Several cybersecurity lapses were identified, leading to stronger measures being implemented. 🔑
- The implementation of new technologies like virtual browsers is underway to secure internet access. 🌐
- Specific individuals in IT roles faced penalties for negligence during the cyber attack. 🚨
- Independent reviews and an advisory committee have been appointed to guide cybersecurity efforts. 🧐
Key Takeaways
- Cybersecurity in healthcare is crucial to protect patient data. 🚑
- SingHealth's cyberattack exposed major vulnerabilities, prompting swift action. 🛡️
- Enhanced technology and governance structures are now in place to prevent future breaches. 🚀
- Staff training and awareness are key to strengthening cybersecurity defenses. 🧑‍💻
- Penalties were imposed on responsible individuals and organizations, underlining accountability. ⚖️
Overview
The SingHealth cyberattack was a pivotal moment for Singapore's healthcare system, exposing vulnerabilities in IT infrastructures and the need for enhanced cybersecurity measures. The attack not only compromised the personal data of many patients but also served as a wake-up call for healthcare professionals and administrators to reevaluate their cybersecurity protocols and strategies.
In response to the breach, Minister Gan Kim Yong outlined an array of corrective and preventive actions taken by the Ministry of Health and healthcare institutions. These include increasing cybersecurity awareness among staff, implementing advanced technological solutions such as virtual browsers, and appointing a cybersecurity advisory committee to oversee improvements.
Accountability was emphasized throughout the ministerial statement, with penalties imposed on individuals and entities responsible for the breach. Simultaneously, the efforts of those who performed commendably during the crisis were recognized, highlighting a balanced approach to handling the repercussions of the cyberattack. The focus remains on learning from this incident to build a resilient and secure healthcare system.
Chapters
- 00:00 - 00:30: Introduction and Overview The chapter titled 'Introduction and Overview' begins with a statement by the Minister of Health regarding a committee of inquiry into a cyber attack on the SingHealth IT system. The minister emphasizes the importance of patient well-being, which extends beyond providing safe and effective care to ensuring the protection of patient information. The statement suggests a focus on addressing the cyber attack and improving security measures within healthcare systems.
- 00:30 - 01:00: Apology and Initial Findings The chapter titled 'Apology and Initial Findings' addresses a cyberattack on the healthcare IT system SingHealth, in which a large number of patients' data was illegally accessed. An apology is issued to the patients on behalf of the healthcare providers, expressing both regret and a commitment to resolving the situation. Additionally, a summary of the initial findings regarding the cyberattack had been provided by Minister Iswaran.
- 01:00 - 01:30: Acknowledgment of COI Findings The chapter titled 'Acknowledgment of COI Findings' details the speaker's response to the committee of inquiry's findings on a cybersecurity incident. The speaker expresses gratitude for the committee's thorough investigation and admits to shortcomings within the organization. It highlights deficiencies in cybersecurity awareness training and resources among IT personnel and notes failures by key IT staff to take crucial actions, resulting in missed opportunities to prevent the incident.
- 01:30 - 02:00: Lacking Cybersecurity Awareness and Response The chapter discusses vulnerabilities within IT systems due to a lack of cybersecurity awareness and inadequate response strategies. It highlights how the systems were exploited by attackers due to inadequate server security, weak administrative passwords, and poor compliance with security policies. Additionally, it points out the insufficient remediation of non-system vulnerabilities, which contributed to an overall vulnerability.
- 02:00 - 02:30: Vulnerabilities and Exploited Areas The chapter titled "Vulnerabilities and Exploited Areas" discusses the response and follow-up actions of the organization to the cyberattack. The minister welcomes the COI's wide-ranging recommendations, which Minister Iswaran had already touched upon, and says they will play an important role in guiding the organization's cybersecurity direction going forward. The emphasis is on improving the organization's response to such attacks in the future. The focus remains on the healthcare family's acknowledgment of the findings and on improvements in handling cybersecurity threats.
- 02:30 - 03:00: Recommendations from COI In the 'Recommendations from COI' chapter, various measures were implemented to enhance cybersecurity. These measures included creating firewall rules to block communications with suspected command and control servers, reloading servers with clean images to remove any remaining presence of the attacker, disabling the tool used by the attacker to enter the network, and implementing temporary internet surfing separation (ISS) for the public healthcare sector.
- 03:00 - 03:30: Immediate Measures Taken The chapter titled 'Immediate Measures Taken' discusses the implementation of advanced threat protection (ATP) for public healthcare servers and endpoint devices. ATP enhances threat detection using advanced techniques to identify and counter customized deceptive strategies that can evade traditional security measures. Additionally, improvements have been made in incident response processes and standard operating procedures (SOPs), including clearer channels for reporting and criteria for escalation.
- 03:30 - 04:00: Data Activity Monitoring and Security Enhancements In November 2018, further measures were announced to enhance security across public healthcare agencies. Data Activity Monitoring (DAM) was implemented for the SingHealth electronic medical record database. DAM provides comprehensive alerts and blocks database inquiries from unauthorized sources. The extension of DAM to other areas is planned for the future.
- 04:00 - 04:30: Patient Engagement and Data Accuracy Improvement The chapter discusses the improvement of patient engagement and data accuracy through enhanced security measures in electronic medical record databases. By 2019, measures such as limiting login access to domain controllers and requiring two-factor authentication for administrative access were fully implemented. These initiatives were developed with guidance from the Cyber Security Agency (CSA), resulting in strengthened security across healthcare clusters.
- 04:30 - 05:00: Independent Security Reviews and System-Level Measures The chapter discusses independent security reviews and system-level measures taken to enhance patient engagement and security. SingHealth successfully contacted over two million patients, reaching around 97% of them, to reassure them of their data safety following the attack. This outreach effort included all patients who visited specialist outpatient clinics and polyclinics from the start of 2015 to the time of the attack, even if their data was not accessed. The collaboration with CSA reflects a comprehensive approach to parallel measures for healthcare security.
- 05:00 - 05:30: Organizational Changes in Cybersecurity Structure The chapter discusses efforts undertaken to enhance the accuracy of patient contact information at SingHealth. It specifies that since November 2018, the organization has been proactively sending SMS reminders to patients on the day of their outpatient appointments. These reminders are aimed at nudging patients to inform the counter staff about any changes in their contact details, hence improving patient engagement and communication accuracy. The initiative is directed at identifying and updating missing or incorrect patient contact details during their visits, signifying a shift towards a more structured and automated engagement with patients.
- 05:30 - 06:00: Cybersecurity Model with Multiple Lines of Defense SingHealth is collaborating with other clusters to share learning points, leading to improvements across public healthcare institutions.
- 06:00 - 06:30: Staff Cybersecurity Awareness and Capacity The chapter focuses on the efforts to enhance cybersecurity awareness and capacity among staff in the public healthcare sector. A committee, chaired by Professor Pat Warren and including industry experts, has been set up to conduct a horizontal review of cybersecurity governance structures and processes. The committee is supported by independent consultants from KPMG. An interim update has been presented, outlining findings and recommendations, which are to be studied closely with plans to pursue key proposals shortly.
- 06:30 - 07:00: Pilot of Tiered Model of Internet Access The chapter outlines a proposed initiative, titled 'Pilot of Tiered Model of Internet Access,' that involves implementing a tiered model for accessing the internet. The transcript mentions the committee's ongoing efforts and the value derived from the COI report's inputs and recommendations. Some of the key responses to the recommendations include improving governance, enhancing security structures, and increasing readiness in internet and public healthcare sectors.
- 07:00 - 07:30: Impact of Internet Surfing Separation The chapter discusses the need for improved organization and governance of cybersecurity oversight and efforts. It emphasizes the importance of giving more weight to cybersecurity considerations in decision-making processes. The discussion is informed by the input of the cybersecurity Advisory Committee (CAC), which highlights the necessity for clearer ownership and accountability of cybersecurity risks between entities involved, particularly between public healthcare clusters and their partnerships. Establishing strong relationships is essential to effectively manage and mitigate cybersecurity risks.
- 07:30 - 08:00: Virtual Browser Solution The chapter discusses the necessity of enhancing healthcare IT strategies in the context of improved cybersecurity. It underscores the importance of elevating cybersecurity roles within management to ensure better oversight and the allocation of appropriate resources and expertise. The Ministry of Health (MOH) acknowledges this and plans to implement relevant organizational changes, including appointing a Chief Information Security Officer (CISO) to align with these principles.
- 08:00 - 08:30: Independent Security Reviews of NHSR This chapter discusses the restructuring of roles related to cybersecurity governance within the healthcare sector, specifically the separation of duties for a director at IHiS who is also involved in cybersecurity governance. The Ministry of Health (MOH) will support these efforts by establishing a dedicated office to focus on cybersecurity and reporting directly to the permanent secretary. This office will act as the cybersecurity hub for the healthcare sector, coordinating efforts to protect critical information infrastructure within the healthcare industry.
- 08:30 - 09:00: HR Actions and Penalties This chapter outlines new structural changes in the sector regarding cybersecurity governance. A distinct Director of Cyber Security Governance will be designated at the cluster level. Additionally, the Cluster Group Chief Information Office (CIO) will be fully accountable to cluster management and boards. The Group CIO office will receive adequate resources to perform its functions effectively, and the position of Cluster Information Security Officer will be elevated, ensuring robust cybersecurity compliance and management.
- 09:00 - 09:30: Financial Penalties and Organizations' Responses This chapter discusses the use of financial penalties as a strategy to enforce compliance and elicit the desired responses from organizations. It focuses on the public healthcare sector, emphasizing the implementation of a cybersecurity model featuring multiple lines of defense. The importance of minimizing potential conflicts of interest between cybersecurity and operational demands is highlighted, with oversight strengthened through new reporting structures and risk management committees.
- 09:30 - 10:00: Acknowledgement of Diligent Officers The chapter titled 'Acknowledgement of Diligent Officers' discusses the need to enhance the cyber defense systems against advanced threats. It emphasizes the importance of a three lines of defense model in public healthcare. The first line of defense includes units and personnel responsible for developing and operating IT systems. This group is referred to as the delivery group. The chapter highlights the dedication of diligent officers in maintaining and proposing improvements to these systems.
- 10:00 - 10:30: Conclusion and Future Initiatives This chapter discusses the need to enhance the IT delivery group for better integration of cyber security into IT initiatives. It highlights the necessity of improving management, network security, and focusing on security architecture and monitoring. Furthermore, it points out the role of the second line of defense, which involves personnel tasked with overseeing security strategies, risk management, and compliance. The chapter concludes with a commitment to reinforcing this second line of defense by creating a dedicated cyber defense unit.
Full ministerial statement on SingHealth cyberattack by Gan Kim Yong Transcription
- 00:00 - 00:30 The Minister for Health will be making a related ministerial statement. I will allow members to raise points of clarification on both statements after this statement. Minister Gan. Mr Speaker, Sir, thank you for allowing me to make this statement on the Committee of Inquiry into the cyberattack on the SingHealth IT system. The healthcare system's foremost priority is our patients' well-being, and this encompasses not just safe and effective care but also the
- 00:30 - 01:00 protection of their personal data. We, the healthcare family, have a responsibility to our patients to ensure both these aspects. The cyberattack on the SingHealth IT system has resulted in the data of a large number of patients being illegally accessed. Once again, I apologize to our patients on behalf of our healthcare family, and we are deeply sorry. Minister Iswaran has provided a summary of the COI's findings and
- 01:00 - 01:30 recommendations. I would like to thank the Committee of Inquiry for its comprehensive work and detailed findings on the incident. I agree with the COI that we were lacking in several areas. Some of our IT personnel did not have sufficient levels of cybersecurity awareness, training and resources to respond to the attack. Certain staff with key roles in IT security incident response failed to take essential actions, resulting in missed opportunities to prevent the attack or
- 01:30 - 02:00 minimize its impact. There were vulnerabilities in our IT system that were exploited by the attacker. Examples include servers that were not adequately secured against unauthorized access, and weak passwords and administrative account controls. There were gaps in the management of IHiS's compliance with security policies, as well as inadequate remediation of non-system vulnerabilities. The public
- 02:00 - 02:30 healthcare family needs to do much better. I welcome the COI's wide-ranging recommendations. These have been touched on by Minister Iswaran, so I will not go through them in detail. I will instead focus on the healthcare family's responses and follow-up actions. The COI findings and recommendations will play an important role in guiding our actions and our cybersecurity direction going forward. Following the discovery of the cyberattack, IHiS
- 02:30 - 03:00 implemented several measures to tighten cybersecurity. This included creating firewall rules to block further malicious callbacks to the suspected command and control servers, reloading servers with clean images to eliminate any remaining presence of the attacker, disabling the tool used by the attacker to enter the network, implementing temporary Internet surfing separation, or ISS, for the public healthcare sector,
- 03:00 - 03:30 and accelerating the deployment of advanced threat protection, or ATP, to public healthcare servers and endpoint devices. ATP identifies threats based on the techniques used by more advanced threat actors and is better able to detect customized hiding tools designed to bypass conventional defenses. IHiS has also improved incident response processes and SOPs, with clearer channels of reporting and escalation criteria.
- 03:30 - 04:00 Subsequently, in November 2018, IHiS announced further measures which are being implemented progressively across public healthcare agencies. Let me highlight a few key ones. Data activity monitoring, or DAM, has been implemented for the SingHealth electronic medical record database. DAM provides more comprehensive alerts and blocks database enquiries from unauthorized sources. DAM will be extended to the
- 04:00 - 04:30 electronic medical record databases of all the other healthcare clusters by 2019. IHiS has strengthened the security of domain controllers by limiting login access and requiring two-factor authentication for administrative access. This has been fully implemented. In assessing and developing these measures, IHiS has benefited from the inputs and advice of the Cyber Security Agency, CSA, and I would like to record
- 04:30 - 05:00 our thanks for CSA's support. Parallel measures were also taken by SingHealth in patient engagement. SingHealth took steps to contact more than two million patients and successfully reached around 97% of them. These include all patients who visited SingHealth specialist outpatient clinics and polyclinics from the start of 2015 to the attack, including those whose data were not accessed, in order to reassure them. SingHealth
- 05:00 - 05:30 has since also taken steps to improve the accuracy of patients' contact information for better patient engagement. For example, it has identified patients without valid contact details so that staff can update patients' contact details at their next visit. Since November 2018, SingHealth has been sending SMSs to all patients on the day of their outpatient appointments to remind them to approach counter staff to update contact details if there are
- 05:30 - 06:00 any changes. SingHealth will be sharing their learning points with the other clusters, and we will be making similar improvements across public healthcare institutions. On our part, the Ministry of Health has initiated independent security reviews on key public healthcare IT systems to identify vulnerabilities and recommend measures to address them. At a broader, systemic level, MOH has appointed a Cybersecurity Advisory
- 06:00 - 06:30 Committee to conduct a horizontal review of the cybersecurity governance structures and processes across the public healthcare clusters and IHiS. The committee is chaired by Professor Pat Warren and comprises industry experts. It is supported by independent consultants from KPMG. The committee has just submitted an interim update to me on its findings and recommendations. We will be studying these closely and will start pursuing key interim proposals even as the
- 06:30 - 07:00 committee continues its work. Beyond our own plans and efforts, the COI report has provided us with valuable inputs and useful recommendations. We will follow up on them, but I will highlight our thinking and plans in response to some of the key recommendations. First, enhancing governance and organizational structures. The COI has recommended that we enhance our security structure and readiness across IHiS and the public healthcare
- 07:00 - 07:30 institutions. We need to better organize and govern our cybersecurity oversight and efforts, and give cybersecurity considerations more weight in decision-making. It is an important area that is also being reviewed by the Cybersecurity Advisory Committee I mentioned earlier. The CAC has highlighted the need for clearer cybersecurity risk ownership and accountability between IHiS and the public healthcare clusters, underpinned by a strong relationship, to avoid
- 07:30 - 08:00 preventing our healthcare IT strategy. It also highlighted the need to elevate cybersecurity roles and functions to strengthen management oversight over cybersecurity, supported with appropriate resources and expertise. MOH agrees, and we will implement the following organizational changes in line with these guiding principles. At the ministry level, the Ministry of Health Chief Information Security Officer, or CISO,
- 08:00 - 08:30 is currently also the Director of Cybersecurity Governance at IHiS. We will separate these roles. The MOH CISO will be supported by a dedicated office in MOH and report to the Permanent Secretary. The MOH CISO office will be the cybersecurity sector lead for the healthcare sector. We will coordinate efforts to protect critical information infrastructure in the healthcare sector and ensure that the
- 08:30 - 09:00 sector fulfils its regulatory obligations under the Cybersecurity Act. For its part, IHiS will have its own separate Director of Cybersecurity Governance. At the clusters, the cluster Group CIO office will now be made fully accountable to the respective cluster management and boards. The Group CIO office will be adequately resourced to carry out its roles. The position of the cluster Information Security Officer will be elevated to
- 09:00 - 09:30 report directly to cluster management and be accountable to the IT and risk management committee of the cluster boards. Together, these moves will strengthen oversight and minimize potential conflicts of interest between cybersecurity and operational demands. Second, we will put in place a cybersecurity model with multiple lines of defense. The COI has recommended that the public healthcare sector review
- 09:30 - 10:00 our cyber stack for adequacy in defending and responding to advanced threats, and subject the system to tighter control and monitoring. The CAC, too, has highlighted the need for a more robust three-lines-of-defense model. We agree, and we will establish a more robust three-lines-of-defense structure within public healthcare. The first line comprises units and personnel who develop, deliver and operate IT systems. This is the delivery group. We will
- 10:00 - 10:30 strengthen the IT delivery group to better integrate cybersecurity into IT delivery initiatives, improve the management of network security, and increase emphasis on security architecture and monitoring. The second line of defense comprises units and personnel who have the specific responsibility to oversee security strategy, risk management and compliance. We will strengthen and elevate this second line of defense by establishing a dedicated cyber defense
- 10:30 - 11:00 group in IHiS, headed by a senior leader at a level equivalent to deputy executive. The strengthened group will have independent oversight of cybersecurity implementation, compliance and risk management, and will oversee incident reporting and management. This will ensure that cybersecurity is managed at the senior management level and an appropriate balance is struck between service delivery and cybersecurity considerations. The third line of defense
- 11:00 - 11:30 comprises checks, assurances and independent audits in our healthcare clusters, independent of the first two lines of defense. MOH Holdings Group Internal Audit will continue to play this role. We also intend to commission and tap on independent third parties where appropriate. These changes will make our public healthcare system more resilient and robust against emerging and evolving cyber threats. Third, we will improve our
- 11:30 - 12:00 staff's cybersecurity awareness and capacity. The COI has made several recommendations in this area. We agree that the people element is foundational and critical to our cyber defenses. Every user needs to be trained and equipped to understand the important role that they play in cyber defense. For example, to raise the competence of our security incident response personnel, IHiS will engage specialist providers
- 12:00 - 12:30 to conduct realistic, hands-on cyber range simulation training starting this year. This will augment the classroom discussion-style tabletop exercises currently conducted for security incident response personnel. We will also tap on the expertise of the wider cybersecurity community to test our systems. IHiS intends to learn from GovTech's bug bounty and vulnerability disclosure programs and start similar efforts. This will be a further step to ensure that
- 12:30 - 13:00 our systems are tested, our people are ready to deal with new challenges, and our processes are robust. Next, we will pilot a tiered model of Internet access. In its report, the COI has recommended that an Internet access strategy which minimizes exposure to external threats should be implemented. Following the cyberattack, temporary Internet surfing separation, or ISS, was implemented across our public healthcare sector. This was a
- 13:00 - 13:30 necessary precaution, as suspicious activity continued to be observed on the SingHealth system even after initial containment actions were taken. I mentioned in my previous statement in this House that we would study the impact of ISS, determine whether ISS can be kept as a permanent measure, and whether long-term mitigation solutions can be developed to overcome the operational challenges arising from ISS. While the
- 13:30 - 14:00 implementation of ISS was necessary, it has indeed posed challenges in the provision of patient care in some areas, such as emergency care, decision support for prescriptions and treatment, access to patient education resources, and booking of clinical appointments. ISS also caused delays to frontline patient management and back-end tasks. Research and education initiatives in the public healthcare institutions have
- 14:00 - 14:30 also been impacted by ISS. Let me give an example. ISS impacted the functionality of Internet-based video conferencing software used to conduct tele-consultation with the National Neuroscience Institute for suspected stroke patients. This software was used by some of our hospitals which do not have in-house specialist neurology capabilities. As timely diagnosis is critical for stroke cases, a dedicated leased line to support high-resolution
- 14:30 - 15:00 video conferencing had to be provided to overcome this challenge. Where possible, we have put in place fixes and workarounds like this to reduce the impact on patients and healthcare staff. I thank them for their cooperation and understanding during this period of time. While we can continue to operate on the current model of ISS, we have also been looking for longer-term solutions that are more efficient and sustainable. We also need a solution that will allow us
- 15:00 - 15:30 to implement new models of care in the future, such as telemedicine, that leverage on the Internet to improve patient care and services in the community. This is why we have been experimenting with a virtual browser solution even before the cyberattack. A virtual browser allows access to the Internet through strictly controlled and monitored client servers. Let me explain what a virtual browser means. If we imagine loading a webpage or downloading a file from the
- 15:30 - 16:00 Internet to be like receiving a letter, the client/server is like a decontamination room where the letter is opened and only a picture is taken and sent to the recipient. The recipient reads the letter only via the picture that was taken and does not touch the letter itself. This process makes things safer for the recipient, as malicious material or hidden messages are left behind in the decontamination room. Although such a solution does not fully
- 16:00 - 16:30 eliminate cybersecurity risks, it reduces the attack surface significantly while minimizing impact on service efficiency and patient care. Our earlier trial conducted at the healthcare clusters has shown that a virtual browser is technically feasible. Our next step will be to run a pilot in an operational environment across different settings and healthcare roles, so as to assess its effectiveness in meeting both
- 16:30 - 17:00 operational and cybersecurity needs. If the virtual browser is found to be effective, we envisage putting in place a tiered model of Internet access among our healthcare staff in the longer term. For some job roles, Internet access would not be required. For example, administrative staff handling certain back-end tasks may not need Internet access for their routine work, and these staff will not be provided with Internet access. For a number of job roles, Internet access is required but can be
- 17:00 - 17:30 managed through the use of separate Internet and non-Internet-facing devices. This will likely be the case for the majority. ISS will remain for this group, and they will have access to the Internet via a separate device. We will further improve our current arrangements so as to make it more convenient for this group of users. For some, access to Internet and intranet systems on the same device is essential. This group could include clinicians who need to
- 17:30 - 18:00 access the Internet for information from clinical reference databases and match them urgently against patients' electronic medical records, such as information on new and complex drugs or obscure toxins. The virtual browser may be the best solution for this group. The pilot will begin in this quarter at the National University Health System (NUHS). Virtual browsers will be deployed in selected job functions at selected departments and clinics. Some of
- 18:00 - 18:30 the job roles participating in the pilot include frontline pharmacists and emergency department clinicians. Apart from this small group of pilot virtual browser users, all other public healthcare staff will remain on ISS for now. The conduct and evaluation of the pilot is expected to take about six months. We will work closely with CSA to assess the cybersecurity adequacy of the solution. We will also evaluate the
- 18:30 - 19:00 effectiveness of the virtual browser. This will enable us to make a more considered decision on our Internet access model in public healthcare. Earlier, I mentioned that we have also started independent security reviews of other key public healthcare IT systems. One such system being reviewed is the National Electronic Health Record system, or NEHR. Over the past few months, the NEHR has been undergoing a series of cybersecurity assessments conducted by
- 19:00 - 19:30 CSA, GovTech and an independent assessor from PwC. These covered technical architecture design and existing server security measures. In addition, we are completing a series of penetration tests to uncover any security vulnerabilities. Thereafter, the NEHR system will be subject to further testing and reviews, including exercises to test its defenses against targeted attacks, as
- 19:30 - 20:00 well as business continuity and disaster recovery plans. I informed this House in August that we would be deferring plans for mandatory contribution of patient medical data to the NEHR. As the NEHR is an important large-scale national system, we want to be fully assured that all the necessary safeguards are in place to handle the evolving cybersecurity threat landscape. We will therefore proceed with the introduction of the Healthcare Services Bill first and
- 20:00 - 20:30 continue to defer NEHR mandatory contributions until we have completed these reviews. Even as we conduct the reviews, IHiS will implement further enhancements to strengthen cybersecurity of the NEHR system. These include software and application upgrades, additional preventive and detection measures, and enhanced process and technical controls. Mr Speaker, Sir, the COI has identified inadequacies in
- 20:30 - 21:00 specific individuals employed by IHiS in preventing and responding to the cyberattack. The IHiS board has appointed an independent HR panel to examine the roles, responsibilities and actions of specific individuals involved and recommend the appropriate actions to be taken. The panel was chaired by an IHiS board member and comprised two other members from the public and private sectors with relevant HR and
- 21:00 - 21:30 IT expertise. In assessing the appropriate HR actions, the panel considered whether the officers had acted in accordance with their job responsibilities. It also considered whether the officers' action or inaction had contributed directly or indirectly to the outcome. The panel has submitted its recommendations to the IHiS board, and the board released its decision on this matter yesterday. To recap, two IHiS staff, the
- 21:30 - 22:00 team lead of the Citrix team and the security incident response manager, were found to be negligent and non-compliant with orders. While the Citrix team lead had the necessary technical competencies, his attitude and approach to management of the service introduced unnecessary and significant risks to the system. He could have mitigated the impact of the attack if he had enforced proper compliance and exercised effective management of the service. The security incident response
- 22:00 - 22:30 manager persistently held a mistaken understanding of what constituted a security incident and when a security incident should be reported specifics even after repeated alerts by his staff resulted in missed opportunities which could have averted or mitigated the impact of the cyber cyber attack their behavior has significant site security implication and contributed to the unprecedented scale of this incident the employment of
- 22:30 - 23:00 the citrix team lead and the security incident response manager have been terminated financial penalties were imposed on to middle management supervisors who are accountable as supervisors of that staff that were terminated a class the information security officer was found to have a wrong understanding of what constituted a security incident and failed to comply with I his incident reporting procedures the board decided to demote the cluster
- 23:00 - 23:30 information security officer and reassign him to another role let me now come to the I his senior management team as the senior management team the whole collective leadership responsibilities over the organization and the incident and they know this I he co-wrote a letter to me in December in his letter he expressed disappointment that he and his I his colleagues were not able to prevent a respond better to the cyber
- 23:30 - 24:00 attack he apologized for the incident he and members of a senior management team acknowledged the collective responsibility the CEO expressed that he would accept whatever the I his board may decide for him by his board has decided to impose a financial penalty higher than that imposed on the middle management supervisors on the CEO and four other members of his eye of the ia senior management team and they have all
- 24:00 - 24:30 accepted the penalty I have emphasized through the IG CEO and a senior management team to learn from this episode and deed organization and its staff through the recovery and rebuilding I expect them to do their utmost to remedy the shortcomings and help the public health care family emerge stronger so as to win back public trust MOH and the rest of the public health care family will render them our full support the CEO I did not identify
- 24:30 - 25:00 lapses in specific individuals that are employed by Singh health however Singh health recognizes its duty to its patients and its responsibilities as the owner of the data database system the Singh health senior leadership including the group CEO has volunteered for a financial penalty which are born has accepted sir beyond disciplinary actions
- 25:00 - 25:30 and penalties on specific individuals penalties have also been imposed at the organizational level earlier ministries Loren had shared that the personal data protection Commission of P P DPC has completed investigation into the incident pdpc has decided to impose financial penalties on 'his and Singh health which comes to 1 million dollars in total this is the highest penalty meted out by PDP C to date ahi sensing
- 25:30 - 26:00 health have except a PD pcs decision and penalties this is the right response mr. speaker in the COI report several his officers were recommended were commended for their diligence in handling the incident beyond their job scope and responsibilities they were proactive and demonstrated resourcefulness in managing the cyber attack the is born has presented letters of commendation to three aji staff from the database
- 26:00 - 26:30 management team SEM production support team and security management team respectively each of them showed commitment to serve and had a persistence to get to the bottom of things I'm glad that the contributions have been recognized I would also like to acknowledge members of our public healthcare family who have worked hard together to ensure patient care is not compromised by this incident at the same time I thank Singaporeans for their patience and understanding on the
- 26:30 - 27:00 inconveniences they may have encountered and our public health care institutions arising from of title cybersecurity measures Mr Speaker I have sketched out the responses of the public health care family to the sing health data breach and the COI report the public health care family will ensure that priority and attention is given to the implementation of COI recommendations as well as a cybersecurity initiatives that the public healthcare system has impact
- 27:00 - 27:30 on we are organizing our efforts into six key work streams spanning technical measures cyber security policy organizational structures governance enhancements management of critical information infrastructure and patient engagement senior management and key personnel from moh 'his and the hell cares clusters will lead these efforts they will report their progress regularly to the healthcare IT steering
- 27:30 - 28:00 committee chaired by my permanent secretary the steering committee will oversee the implementation and closely monitor its progress it will also tap on independent auditors to verify the completion of the follow up actions mr. speaker sir this cyber attack has been a regrettable and painful incident for us and for the affected patients we must learn from it but we must not allow it to hold back our push towards using technology to provide better care
- 28:00 - 28:30 for our patients IT systems have improved the safety and effectiveness of patient care it remains a key enabler we cannot do without for better debris of healthcare to benefit Singaporeans yet we recognize that the cybersecurity landscape has shifted and the threat level has risen so that cyber security posture of the healthcare sector needs to be correspondingly raised this will not be a one of exercise as new and
- 28:30 - 29:00 evolving threats will continue to target our system we must continually fortify our defenses and we need a strong team working together to achieve this mr. speaker sir to conclude I would like to thank the CEO I once again for its work and the comprehensive findings and recommendations we in the public healthcare family will take guidance from the COI report and strengthen our systems and capabilities we must every role emerged with stronger cyber
- 29:00 - 29:30 defenses this will be the most fitting way to fulfill our responsibilities to our patients