24 January, 2019
Singapore's Personal Data Protection Commission (PDPC) has imposed one of its biggest fines to date against the Integrated Health Information Systems (IHiS) and SingHealth, amounting to S$1 million in total. IHiS and SingHealth have been fined for breaching their data protection obligations, which led to the cyberattack on SingHealth's patient database system in 2018 (please click here to read our article on 5 steps to consider when faced with a cyber attack) and saw data of 1.5 million patients being affected as a result. Following the Committee of Inquiry's (COI) findings and recommendations, we have set out below five key learning points which are applicable to any company in this day and age.
Employees' cybersecurity awareness and training
All employees should have adequate security training to respond effectively to an attack. They should be familiar with the company's IT security policies and processes in order to escalate any potential risks. One of COI findings was that the staff was unable to identify that a sophisticated cyberattack was under way and were not familiar with IT security policies.
Enhanced security processes and regular security checks
Given the rapid technological advancement and an increasing sophisticated attackers, security networks and software need to be regularly reviewed and improved. This is to minimise any vulnerabilities and misconfigurations. In addition, IT security risk assessments and audit processes should be treated seriously and carried out regularly. Audit action items must be remediated.
Enhanced safeguards to protect confidential information
Most or almost all companies now deal with client information. There should be enhanced safeguards and controls such as real-time monitoring of client databases.
Greater emphasis on cyber security
Cybersecurity has to be seen as a risk management issue, and not just a technical issue, where decisions are made at the appropriate management level – security is not dependent on just one line of defence. The Singapore Government stated yesterday that it would fully adopt the COI’s recommendations and aims to ensure its IT and database systems are secure. It further assured the public that personal data collected by public sector systems are well protected. Principles highlighted by the government and COI in its statement include:
- Adopting a multiple layered ‘defence in-depth’ strategy of cyber defences to impede an attacker, including swift detection of a breach and decisive response.
- Enhancing system defences by strengthening people, processes and technology such as a robust response to an incident to ensure a quick recovery and resilience in these systems.
The Singapore Government has accelerated the implementation of the Cybersecurity Act, which came into force on Aug 31 last year.
Tighter control and greater monitoring
High level confidential information should be subjected to tighter control and greater monitoring. A suggestion is to use two-factor authentication (2FA) to access the information.
In Parliament yesterday, Minister for Communications and Information S Iswaran said “this was not the first instance where we were targeted and it will not be the last”.
All companies especially those connected with the 11 designated Critical Information Infrastructure sectors (government, infocomm, energy, aviation, maritime, land transport, healthcare, banking and finance, water, security and emergency), should take note of these recommendations and enhance their own systems and procedures as soon as possible.
For further information, please contact:
Ian Roberts, Partner, Clyde & Co
ian.roberts@clydeco.com