Minister for Health Gan Kim Yong delivered a ministerial statement on the Committee of Inquiry (COI) report on the SingHealth cyberattack in the Singapore Parliament on January 15 2019. In the statement, he said that the Ministry of Health (MOH) has appointed a Cybersecurity Advisory Committee to conduct a horizontal review of the cybersecurity governance structures and processes across the public healthcare clusters and Integrated Health Information Systems (IHiS), the IT agency for the Ministry.
He also outlined four key responses to the COI report’s recommendations. The first is enhancing governance and organisational structures, as there is a “need for clearer cybersecurity risk ownership and accountability between IHiS and the public healthcare clusters, underpinned by a strong relationship to avoid fragmenting the Ministry’s healthcare IT strategy.”
At MOH, the Chief Information Security Officer (CISO) is currently also the Director of Cyber Security Governance at IHiS, but these roles will be separated. The MOH CISO will be supported by a dedicated office in MOH and will report to the Permanent Secretary. The MOH CISO office will be the cybersecurity sector lead for the healthcare sector. It will coordinate efforts to defend Critical Information Infrastructure in the healthcare sector, and ensure that the sector fulfils its regulatory obligations under the Cybersecurity Act. For its part, IHiS will have its own separate Director of Cyber Security Governance.
At the clusters, the cluster Group CIO office will now be made fully accountable to the respective cluster management and Boards. The GCIO office will be adequately resourced to carry out its role. The position of the Cluster Information Security Officer will be elevated to report directly to cluster management, and to be accountable to the IT and Risk Management Committees of the cluster Boards.
Secondly, a cybersecurity model with multiple lines of defence will be put in place, giving a more robust ‘Three Lines of Defence’ structure across public healthcare:
- The first line comprises the units and personnel who develop, deliver and operate the IT systems. This is the Delivery Group. MOH will strengthen the IT delivery group to better integrate cybersecurity into IT delivery projects, improve the management of network security, and place greater emphasis on security architecture and monitoring.
- The second line of defence comprises the units and personnel who have the specific responsibility to oversee security strategy, risk management and compliance. MOH will strengthen and elevate this second line of defence by establishing a dedicated Cyber Defence Group in IHiS, headed by a senior leader at or equivalent to the Deputy Chief Executive level. The strengthened group will have independent oversight of cybersecurity implementation, compliance and risk management, and will oversee incident reporting and management. This will ensure that cybersecurity is managed at the senior management level, and that an appropriate balance is struck between service delivery and cybersecurity concerns.
- The third line of defence comprises checks and assurances independent of IHiS and the healthcare clusters, and independent of the first two lines of defence. MOH Holdings Group Internal Audit will continue to play this role. MOH also intends to commission and tap on independent third parties where appropriate.
The third aspect is improving the cybersecurity awareness and capability of staff. Starting this year, IHiS will engage specialist providers to conduct practical, hands-on “Cyber Range” simulation training to raise the competence of its security incident response personnel. IHiS also intends to learn from GovTech’s bug bounty and vulnerability disclosure programmes and start similar efforts.
Lastly, a tiered model of Internet access will be considered. In its report, the COI recommended that an Internet access strategy which minimises exposure to external threats should be implemented. Following the cyberattack, temporary Internet Surfing Separation (ISS) was implemented across Singapore’s public healthcare sector.
However, the implementation of ISS has posed a number of challenges in the provision of patient care in some areas, such as emergency care, decision support for prescriptions and treatments, access to patient education resources, and booking of clinical appointments. ISS has also caused delays to frontline patient management and back-end administrative tasks. Research and education initiatives in the public healthcare institutions have also been affected by ISS.
The current model of ISS remains workable, but longer-term solutions that are more efficient and sustainable are needed. One such solution is the “virtual browser”, which allows access to the Internet through strictly controlled and monitored client servers. The client server acts like a decontamination room in which a file is opened and only an image/copy of the file is taken and sent to the recipient. In this way, any malicious material or hidden content is ‘left behind’ in the decontamination room, greatly reducing cybersecurity risks.
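The “decontamination room” idea above can be shown in miniature. The following is an added example, not code from MOH, IHiS or the pilot’s vendor: the untrusted document is opened only inside the isolating function, and the recipient receives a freshly built copy rather than the original object. The real pilot forwards a rendered image; this constructed Python version instead rebuilds a text copy of an untrusted HTML page, keeping visible content and a few structural tags while leaving scripts, styles, embedded objects and every attribute behind, and returns an audit list of what was discarded. The sample input and all names (`decontaminate`, `Decontaminator`, `UNTRUSTED`) are constructed for the illustration.

```python
"""Toy "decontamination room" for untrusted HTML (constructed example).

The untrusted document is parsed only inside this module; the caller
receives a rebuilt copy carrying visible content and a handful of
structural tags, plus a list of everything that was left behind.
"""
from html import escape
from html.parser import HTMLParser

# Structural tags the clean copy may reproduce. Any other tag is dropped
# as a tag, although the text it wrapped still flows through.
ALLOWED_TAGS = {"p", "br", "h1", "h2", "h3", "ul", "ol", "li", "b", "i", "em", "strong"}
# Containers whose inner text is code or styling, not content: dropped entirely.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}


class Decontaminator(HTMLParser):
    """Rebuilds a clean copy; never forwards any attribute from the original."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []             # pieces of the clean copy
        self._suppress_depth = 0    # > 0 while inside a dropped container
        self.dropped = []           # audit trail of what stayed behind

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._suppress_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self._suppress_depth:
            return
        # Attributes are never copied: on* handlers, javascript: URLs and
        # external fetches all live there.
        for name, _value in attrs:
            self.dropped.append(f"{tag}@{name}")
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")
        else:
            self.dropped.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self._suppress_depth:
                self._suppress_depth -= 1
            return
        if self._suppress_depth or tag == "br":   # br is a void tag
            return
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if self._suppress_depth:
            return
        # Re-escape so decoded text cannot be smuggled back in as markup.
        self.parts.append(escape(data))
    # Comments and declarations fall through to the no-op defaults: dropped.


def decontaminate(untrusted_html):
    """Return (clean_copy, dropped_items) for an untrusted HTML document."""
    parser = Decontaminator()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.parts), parser.dropped


# Constructed sample: a page mixing ordinary clinical text with active content.
UNTRUSTED = (
    '<h1 onclick="alert(1)">Prescription guidance</h1>'
    '<p>Dose: 10 mg <b>twice</b> daily.</p>'
    '<script>alert("ran in the recipient browser")</script>'
    '<img src="http://example.invalid/track.gif" onerror="alert(1)">'
    '<a href="javascript:alert(1)">More</a>'
    '<style>body{display:none}</style>'
    '<p>Text that says &lt;script&gt; is still only text.</p>'
)

if __name__ == "__main__":
    clean, dropped = decontaminate(UNTRUSTED)
    print("forwarded copy:", clean)
    print("left behind   :", dropped)
```

The design point mirrors the article’s model: nothing is “cleaned in place”. The original is consumed in isolation and a new object is emitted, so a parser quirk in the recipient’s software never sees the attacker-controlled bytes, only the rebuilt copy. The `dropped` list is what a monitored client server would log for review.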
This “virtual browser” pilot will start in the first quarter of 2019 at the National University Health System. “Virtual browsers” will be deployed in selected job functions at selected departments and clinics. Some of the job roles participating in the pilot include frontline pharmacists and emergency department clinicians.
The conduct and evaluation of the pilot is expected to take about 6 months, and MOH will work closely with the Cyber Security Agency of Singapore (CSA) to assess the cybersecurity adequacy of the solution. The effectiveness of the virtual browser will also be assessed.
Mandatory contributions to the National Electronic Health Record (NEHR) system will continue to be deferred, as it is undergoing a series of cybersecurity assessments conducted by CSA, GovTech, and the independent firm PwC. The NEHR will also be subject to further testing and reviews, including exercises to test its defences against targeted attacks, as well as its business continuity and disaster recovery plans.