Motion

Government's Response to the Report of the Committee of Inquiry into the Cyber Attack on SingHealth's IT System

Summary

This statement concerns the Government’s response to the Committee of Inquiry (COI) report on the 2018 SingHealth cyber-attack, which resulted in the illegal exfiltration of personal data belonging to 1.5 million patients. Minister S Iswaran argued that while the attack was conducted by a sophisticated state-linked group, it was not inevitable and was exacerbated by significant lapses in staff training, technical vulnerabilities, and management oversight. The Government accepted all 16 COI recommendations to bolster its "defence-in-depth" strategy, while Minister Gan Kim Yong apologised for the breach and pledged to enhance the healthcare sector's security culture and accountability. Key decisions reached include the imposition of record financial penalties on IHiS and SingHealth, the enforcement of the Cybersecurity Act across all critical sectors, and the launch of a Government Bug Bounty Programme to identify system blind spots. The Government concluded by reaffirming its commitment to a rules-based international cyberspace order and vowing to prioritise cybersecurity to safeguard Singapore’s Smart Nation initiatives and public trust.

Transcript

1.30 pm

The Minister for Communications and Information (Mr S Iswaran): Thank you, Mr Speaker. On 6 August last year, I informed this House that I had convened a Committee of Inquiry (COI) into the cyber-attack on SingHealth's database system. The scale of the cyber-attack was unprecedented. The personal particulars of about 1.5 million patients were illegally accessed and copied. It was malicious. Prime Minister Lee Hsien Loong's records were specifically and repeatedly targeted. And there were serious implications for public health and safety, as SingHealth's database system is part of our Critical Information Infrastructure (CII).

Therefore, I convened this COI because the Government wanted a robust and transparent inquiry that would get to the bottom of this cyber-attack and in particular, the COI was asked to, firstly, establish the events and contributing factors and evaluate the incident response by IHiS, which is the Integrated Healthcare Information Systems Private Limited, and SingHealth. And secondly, to recommend measures to safeguard public sector IT systems that contain large databases of personal data against similar cyber-attacks.

The Committee conducted a rigorous and comprehensive inquiry over five months. They examined testimonies from 37 witnesses, including local and foreign experts, as well as 26 written representations from members of the public, professional associations, organisations and companies. The COI conducted 22 days of hearings which were open to the public except when there were implications for national security or patient confidentiality.

The COI submitted its classified report to me on 31 December 2018. The COI also released a public version of the report on 10 January 2019 which my Ministry has distributed to the Members of this House. The public report contains all recommendations and material findings from the full COI report. It only excludes highly sensitive information heard by the COI in closed-door sessions.

Mr Speaker, with your permission, may I ask the Clerk to distribute the notes on the COI findings and recommendations.

Mr Speaker: Yes, please. [Handouts were distributed to hon Members]

Mr S Iswaran: At this juncture, on behalf of the Government, I would like to place on record our deep gratitude to the Committee for its hard work in undertaking a robust and transparent inquiry. I would also like to thank the Attorney-General's Chambers, investigators from CSA and CID, and MCI officers who supported the COI, witnesses who gave evidence as well as organisations, professionals and members of the public who contributed their views and suggestions in the course of the Inquiry.

Let me now highlight the main findings of the COI.

The COI has been candid in its report, which establishes the sophisticated nature of the attacker; but also gives a detailed and stark account of shortcomings at the staff and system level that contributed to the failure to prevent the attack or limit its impact.

Specifically, the COI found that while SingHealth fell victim to an Advanced Persistent Threat (APT) group, the success of the attacker in obtaining and exfiltrating the data was not inevitable. IHiS and SingHealth should have been better prepared and more robust in their actions. If they had done so, the cyber-attack could have been limited, or even stopped. I will now go into the findings.

First, the COI found significant shortcomings at the staff level. IHiS staff did not have adequate cybersecurity awareness, training and resources to appreciate the security implications of their observations and to respond effectively to the attack.

Also, certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate or timely action, even when there were clear signs of an on-going attack. However, and this is noteworthy, the COI also commended specific IHiS IT administrators who were vigilant, noticed the suspicious activities and took the initiative to follow up.

Second, the COI found a number of vulnerabilities, weaknesses and misconfigurations at the technical level in the SingHealth network and database system which allowed the attacker to obtain and exfiltrate the data. Many of these could have been remedied before the attack.

Third, the COI observed that although SingHealth was ultimately responsible, it had no management line of sight with regard to the assessment of the cybersecurity risks. SingHealth lacked the necessary expertise and resources and was wholly dependent on IHiS, even at the management level.

The COI, having heard evidence from CSA, also established that the cyber-attack was the work of a skilled and sophisticated actor bearing the characteristics of an APT group. This finding was corroborated by international expert witnesses. An APT group is a class of cyber-attackers, typically state-linked, who conduct extended cyber campaigns to steal information or disrupt operations. The COI found that the attacker was well resourced and had used advanced techniques and tools to target the SingHealth patient database, and illegally exfiltrate patient data. The attacker was persistent, evaded detection for a long time and even re-entered the network after being detected.

Appropriate action has been taken, and we know the identity of the attacker. But for national security reasons, I will not comment further.

The detailed evidence for all of the COI's findings is in the public report, but it does not include highly sensitive information – pertaining to SingHealth's network architecture, technical vulnerabilities exploited in the attack, and the identity of the attacker – which is only in the classified COI report.

Turning to the recommendations. The COI has made 16 recommendations to strengthen SingHealth's patient databases, as well as public sector IT systems which contain large databases of personal data. Seven are priority recommendations which should be implemented immediately, and nine are additional recommendations which are to be seriously considered. The recommendations fall into four broad categories – People, Process, Technology, and Partnerships.

On People, the COI notes that front-end users are often the weakest link targeted by attackers, and that it is line staff who are often the first to notice a security incident and respond. Hence, the recommendations include enhancing cyber hygiene practices, building a culture of cybersecurity across the entire organisation, and ensuring that IT staff are well-trained and equipped to respond to cybersecurity incidents.

The COI also calls for strong institutional Processes. In incident response, for example, there should be clear plans and SOPs, and regular exercises with realistic scenarios to test their effectiveness. There also should be regular and comprehensive checks to identify vulnerabilities and high-risk areas, accompanied by audit and compliance checks to ensure that the identified gaps have been plugged.

On Technology, the COI has proposed various measures to strengthen cybersecurity to better prevent, detect and respond to future attacks. These include stronger encryption for data; heightened monitoring of database activity; and an integrated system to aggregate and analyse threat information in real-time, and rapidly isolate and contain the infected system.

The COI has highlighted the need to build up collective security over our systems given that Singapore is highly connected and a high-value target. This can be achieved by strengthening Partnerships between the Government, industry and international partners, in areas such as threat intelligence sharing.

The COI has emphasised that, ultimately, cybersecurity must be an integral part of a broader risk management framework, and cannot be treated merely as a technical matter. Organisations need to strike a balance between security considerations, operational requirements and cost – and these trade-offs and decisions must be made at the Board and CEO level, and not just by the Chief Information Security Officer (CISO) and technical staff.

Mr Speaker, the Government accepts all of the COI’s findings and recommendations. Cybersecurity is a critical enabler of our Smart Nation ambitions. We will therefore fully adopt the COI’s recommendations and do our utmost to ensure that our IT and database systems are secure, and that personal data collected by Government systems is well protected.

I will now elaborate on the Government’s efforts, on-going and in response to the COI report, to strengthen cybersecurity at both the national level and across the public sector. Minister Gan will cover the public healthcare sector’s efforts.

The Government’s approach to cybersecurity is underpinned by two key principles that have also been highlighted by the COI.

First, we adopt a "defence-in-depth" strategy, with multiple layers of cyber defences to impede an attacker. These layers of defence cascade from the perimeter to within our systems, as we recognise that a sophisticated and determined attacker, given enough time and resources, may find a way through. This is why we also have capabilities in our layered defence that enable swift detection of a breach and a decisive response.

Second, we seek to enhance our system defences by strengthening our people, processes and technology. Our aim is not only to monitor and respond robustly to an incident, but also to ensure a quick recovery and resilience in our system.

The COI emphasised that the battle against today’s cyber threats must be based on networked defence across organisations and sectors. The COI also recognised the Government’s commitment to such collective security, by establishing the Cyber Security Agency of Singapore (CSA) to coordinate our national cybersecurity efforts. CSA leads our national level response to the cyber threat, including by reinforcing cybersecurity in all CII sectors.

Immediately after the cyber-attack, and even as the COI proceedings were underway, CSA instructed all CII sectors to strengthen network security by taking additional prescribed measures, such as removing non-essential connections to unsecured external networks and implementing uni-directional gateways like data diodes to prevent data leakage.

CSA also accelerated the implementation of the Cybersecurity Act, which provides the legislative framework for the oversight and maintenance of national cybersecurity. The Act came into force on 31 August last year and CSA designated all CIIs by 31 December last year. All CII owners must now comply with their obligations under the Act. These include adhering to essential cybersecurity measures set by CSA through the Cybersecurity Code of Practice, reporting cyber incidents to CSA within prescribed timeframes, and conducting regular risk assessments and audits of their CIIs.

In addition, CSA also instructed all CII owners through their sector leads to conduct thorough internal reviews of their cybersecurity posture against the gaps identified during the COI hearings. These included reviews of their people, process and technology measures such as mandating cybersecurity training and awareness programmes, establishing a robust patch management process and implementing access management solutions to manage privileged administrator accounts. CSA has directed CII owners to implement plans to close any identified gaps and report the results.

CSA will continue to actively work with the sector leads and CII owners to reinforce their cyber defences and cyber resilience, and safeguard the cybersecurity of our systems and networks.

I now turn to the cybersecurity of public sector systems, which is a key enabler for our Smart Nation initiatives to improve public services for our citizens and businesses. SNDGG had already started enhancing the cybersecurity of Government systems before the cyber-attack.

Upon discovering the cyber-attack, SNDGG paused the rollout of new Government systems from 20 July to 3 August 2018. During this pause, first, SNDGG checked and confirmed that other systems were not breached by the same attacker, whether through the IHiS system or via a separate breach. Second, SNDGG and CSA reviewed the Government’s cybersecurity posture, and introduced additional measures on critical Government systems to enable us to detect and respond more quickly to cybersecurity threats.

The findings and recommendations of the COI give added impetus to our efforts to continuously review and enhance the cybersecurity of Government systems. In particular, the findings re-affirmed the "defence-in-depth" approach that the public sector had adopted towards cybersecurity. The public sector will also continue to strengthen our defences on all fronts – people, process, technology and partnerships, as informed by the COI recommendations.

In terms of people and processes, SNDGG will strengthen existing processes to prevent lapses and heighten vigilance. The public sector will use technology even more to support its IT staff and automate cybersecurity tasks such as patch management, so as to carry out these tasks more reliably. SNDGG will further tighten internal checks and enhance security audits, for example, by increasing their frequency. We will also instil a stronger cybersecurity culture across the public service. This will be done by conducting more exercises to sharpen our officers' readiness, and train all public servants in cybersecurity. Above all, we expect our officers at all levels to be aware of their responsibilities, to be accountable for their actions, and to perform their duties to the best of their ability.

On the technical front, SNDGG will continue to shore up defences at the perimeter of Government systems, while introducing measures to better detect and respond to intrusions within our systems. Beyond the measures implemented during the pause in the rollout of new Government systems such as monitoring critical Government databases, SNDGG is also looking into improving the architecture of Government systems to enable more extensive monitoring and detection of abnormal activities.

We also recognise that the Government cannot strengthen its cybersecurity alone. Therefore, the Government will enlist the expertise of the larger cybersecurity community, including ethical hackers, to help us surface and detect vulnerabilities in our ICT systems. The Government Technology Agency (GovTech) and CSA have launched a Government Bug Bounty Programme, and have invited local and international white-hat hackers to search for and uncover vulnerabilities on five Internet-facing Government systems and websites. This will help us draw in a wide range of expertise to help identify cyber blind spots and benchmark our defences against skilled global hackers.

In terms of tracking the follow-up, CSA will oversee the follow-up on the COI’s recommendations across all CII sectors, which includes the public sector. To do this, CSA will work through the sector leads of the 11 CII sectors, who are responsible for monitoring implementation in their respective sectors and for reporting progress to CSA as the national cybersecurity authority. SNDGG, as sector lead for the Government sector, will monitor implementation for Government systems. We will then track overall progress via regular updates at the relevant Ministerial committees.

The Personal Data Protection Commission (PDPC) has also completed its investigations of the data breach incident. Both IHiS and SingHealth have been found to be in breach of the Personal Data Protection Act. PDPC has imposed a total financial penalty of S$1 million, comprising S$750,000 and S$250,000 on IHiS and SingHealth respectively. These are the highest penalties meted out by PDPC to date.

The measures recommended by the COI will help us defend ourselves better against malicious cyber activities, including from international attackers. This was not the first instance where we were targeted and it will not be the last. Our networks are continually probed for weaknesses and regularly attacked.

A cyber-attack of the scale and sophistication that was launched against SingHealth could also be mounted on any one of our major IT systems, threatening the safety and security of Singapore and Singaporeans, which are of paramount importance. Singapore is firmly committed to the establishment of a rules-based international order in cyberspace. We condemn all malicious cyber activity that seeks to undermine the integrity of the international political and economic system, and violates the norms of behaviour in cyberspace as set out in the 2015 UN Group of Governmental Experts consensus report. This includes the cyber-enabled theft of sensitive data. Such activities can have a disruptive impact on Singapore, and internationally, in our highly interconnected world.

Singapore has consistently advocated that the international community come together to build consensus and develop a rules- and norms-based international order in cyberspace – a cyberspace that fosters trust and confidence, and one where its users can remain safe and secure. This is consistent with Singapore's fundamental stand that a rules-based multilateral system is indispensable to secure peace and stability in the international arena. To this end, Singapore has been actively hosting and supporting regional and international discussions and cybersecurity programmes aimed at building consensus on the rules of behaviour in cyberspace. Singapore stands ready to work with all parties toward closer international cooperation in the cyber and digital sphere.

Mr Speaker, Sir, to conclude, the Government takes very seriously its responsibility of ensuring the cybersecurity of our systems that are vital to the provision of essential services. The findings and recommendations of the Committee of Inquiry into the SingHealth cyber-attack have helped to sharpen our focus, and given further impetus to our efforts to secure our systems and databases, especially against a sophisticated cyber attacker.

But, there is no permanent fix nor absolute cybersecurity. It is a constant battle against cunning adversaries with advanced capabilities. And we cannot let incidents like this derail our Smart Nation initiatives that can enhance our economic competitiveness and deliver better public services for the benefit of our citizens.

We will do our utmost to strengthen Singapore’s cyber defence capabilities and prevent cybersecurity breaches. However, if a breach occurs despite our best efforts, we must have the capability to detect it quickly and respond robustly to minimise the damage. Our people must stay resilient in the face of such a continuing threat while doing their part for our cyber defence. We will learn from this incident, emerge stronger and uphold the trust of Singaporeans.

Mr Speaker: The Minister of Health will be making a related Ministerial Statement. I will allow Members to raise points of clarification on both statements after this statement. Minister Gan.

1.54 pm

The Minister for Health (Mr Gan Kim Yong): Mr Speaker, Sir, thank you for allowing me to make this statement on the Committee of Inquiry (COI) into the cyber-attack on SingHealth’s IT system.

The healthcare system’s foremost priority is our patients’ well-being. This encompasses not just safe and effective care, but also the protection of their personal data. We, the healthcare family, have a responsibility to our patients to ensure both these aspects.

The cyber-attack on SingHealth’s IT system has resulted in the data of a large number of patients being illegally accessed. Once again, I apologise to our patients on behalf of our healthcare family. We are deeply sorry.

Minister Iswaran has provided a summary of the COI’s findings and recommendations. I would like to thank the Committee of Inquiry for its comprehensive work and detailed findings on the incident.

I agree with the COI that we were lacking in several areas.

Some of our IT personnel did not have sufficient levels of cybersecurity awareness, training and resources to respond to the attack. Certain staff with key roles in IT security incident response failed to take essential actions, resulting in missed opportunities to prevent the attack or minimise its impact.

There were vulnerabilities in our IT system that were exploited by the attacker. Examples include servers that were not adequately secured against unauthorised access, and weak passwords and administrator account controls.

There were gaps in the management of IT assets, compliance with security policies, as well as inadequate remediation of known system vulnerabilities.

The public healthcare family needs to do much better. I welcome the COI’s wide-ranging recommendations. These have been touched on by Minister Iswaran. So, I will not go through them in detail.

I will instead focus on the healthcare family’s responses and follow-up actions. The COI findings and recommendations will play an important role in guiding our actions, and our cybersecurity direction going forward.

Following the discovery of the cyber-attack, IHiS implemented several measures to tighten cybersecurity. These included:

(a) creating firewall rules to block further malicious callbacks to the suspected command and control servers;

(b) reloading servers with clean images to eliminate any remaining presence of the attacker;

(c) disabling the tool used by the attacker to enter the network;

(d) implementing temporary Internet Surfing Separation (ISS) for the public healthcare sector;

(e) accelerating the deployment of Client Advanced Threat Protection (ATP) to public healthcare servers and endpoint devices. ATP identifies threats based on the techniques used by more advanced threat actors, and is better able to detect customised hacking tools designed to bypass conventional defences; and

(f) improving its incident response processes and SOPs, with clearer channels of reporting and escalation criteria.

Subsequently, in November 2018, IHiS announced further measures which are being implemented progressively across public healthcare agencies. Let me highlight a few key ones.

Database Activity Monitoring (DAM) has been implemented for the SingHealth electronic medical record database. DAM provides more comprehensive alerts and blocks database queries from unauthorised sources. DAM will be extended to the electronic medical record databases of all the other healthcare clusters by mid-2019.

IHiS has strengthened the security of domain controllers, by limiting login access and requiring two-factor authentication for administrative access. This has been fully implemented.

In assessing and developing these measures, IHiS had benefited from the inputs and advice of the Cyber Security Agency (CSA). I would like to record our thanks for CSA's support.

Parallel measures were also taken by SingHealth in patient engagement. SingHealth took steps to contact more than 2 million patients and successfully reached around 97% of them. These include all patients who visited SingHealth Specialist Outpatient Clinics and polyclinics from the start of 2015 to the attack, including those whose data were not accessed, in order to reassure them.

SingHealth has since also taken steps to improve the accuracy of patients’ contact information for better patient engagement. For example, it has identified patients without valid contact details so that staff can update the patients’ contact details at their next visit. Since November 2018, SingHealth has been sending SMSes to all patients on the day of their outpatient appointments, to remind them to approach counter staff to update contact details if there are any changes.

SingHealth will be sharing their learning points with the other clusters and we will be making similar improvements across public healthcare institutions.

On our part, MOH has initiated independent security reviews on key public healthcare IT systems to identify vulnerabilities and recommend measures to address them. At a broader systemic level, MOH has appointed a Cybersecurity Advisory Committee to conduct a horizontal review of the cybersecurity governance structures and processes across the public healthcare clusters and IHiS.

The Committee is chaired by Prof Tan Chorh Chuan and comprises industry experts. It is supported by independent consultants from KPMG. The Committee has just submitted an interim update to me on the findings and recommendations. We will be studying these closely, and will start pursuing key interim proposals even as the Committee continues its work.

Beyond our own plans and efforts, the COI report has provided us valuable inputs and useful recommendations. We will follow up on them, but I will highlight our thinking and plans in response to some of the key recommendations.

First, enhancing governance and organisational structures. The COI has recommended that we enhance our security structure and readiness across IHiS and the public healthcare institutions.

We need to better organise and govern our cybersecurity oversight and efforts, and give cybersecurity considerations more weight in decision making. It is an important area that is also being reviewed by the Cybersecurity Advisory Committee (CAC) I mentioned earlier.

The CAC has highlighted the need for clearer cybersecurity risk ownership and accountability between IHiS and the public healthcare clusters, underpinned by a strong relationship to avoid fragmenting our healthcare IT strategy. It also highlighted the need to elevate cybersecurity roles and functions to strengthen management oversight over cybersecurity, supported with the appropriate resources and expertise.

MOH agrees and we will implement the following organisational changes in line with these guiding principles.

At the Ministry, the MOH Chief Information Security Officer (CISO) is currently also the Director of Cyber Security Governance at IHiS. We will separate these roles. The MOH CISO will be supported by a dedicated office in MOH and report to the Permanent Secretary. The MOH CISO office will be the cybersecurity sector lead for the healthcare sector. It will coordinate efforts to protect Critical Information Infrastructure in the healthcare sector and ensure that the sector fulfils its regulatory obligations under the Cybersecurity Act. For its part, IHiS will have its own separate Director of Cyber Security Governance.

At the clusters, the cluster Group CIO office will now be made fully accountable to the respective cluster management and Boards. The Group CIO office will be adequately resourced to carry out its roles. The position of the Cluster Information Security Officer will be elevated to report directly to cluster management, and be accountable to the IT and Risk Management Committees of the cluster Boards.

Together, these moves will strengthen oversight and minimise potential conflicts of interest between cybersecurity and operational demands.

Second, we will put in place a cybersecurity model with multiple lines of defence. The COI has recommended that the public healthcare sector review our cyber stack for adequacy in defending and responding to advanced threats, and subject the systems to tighter control and monitoring. The CAC too has highlighted the need for a more robust "Three Lines of Defence" model.

We agree and we will establish a more robust "Three Lines of Defence" structure within public healthcare.

The first line comprises units and personnel who develop, deliver and operate the IT systems. This is the Delivery Group. We will strengthen the IT delivery group to better integrate cybersecurity into IT delivery initiatives, improve the management of network security, and increase emphasis on security architecture and monitoring.

The second line of defence comprises units and personnel who have the specific responsibility to oversee security strategy, risk management and compliance. We will strengthen and elevate this second line of defence by establishing a dedicated Cyber Defence Group in IHiS headed by a senior leader at or equivalent to the Deputy Chief Executive level. The strengthened group will have independent oversight of cybersecurity implementation, compliance and risk management, and will oversee incident reporting and management. This will ensure that cybersecurity is managed at the senior management level, and an appropriate balance is struck between service delivery and cybersecurity considerations.

The third line of defence comprises checks and assurances independent of IHiS and our healthcare clusters, and independent of the first two lines of defence. MOH Holdings Group Internal Audit will continue to play this role. We also intend to commission and tap on independent third parties where appropriate.

These changes will make our public healthcare system more resilient and robust against emerging and evolving cyber threats.

Third, we will improve our staff’s cybersecurity awareness and capacity. The COI has made several recommendations in this area. We agree that the "people" element is foundational and critical to our cyber defences. Every user needs to be trained and equipped to understand the important role that they play in cyber defence.

For example, to raise the competence of our security incident response personnel, IHiS will engage specialist providers to conduct realistic hands-on "Cyber Range" simulation training starting this year. This will augment the classroom discussion-style table-top exercises currently conducted for security incident response personnel.

We will also tap on the expertise of the wider cybersecurity community to test our systems. IHiS intends to learn from GovTech's bug bounty and vulnerability disclosure programmes and start similar efforts. This will be a further step to ensure that our systems are tested, our people are ready to deal with new challenges, and our processes are robust.

Next, we will pilot a tiered model of Internet access. In its report, the COI has recommended that an Internet access strategy which minimises exposure to external threats should be implemented.

Following the cyber-attack, temporary Internet Surfing Separation (ISS) was implemented across our public healthcare sector. This was a necessary precaution as suspicious activity continued to be observed on the SingHealth systems, even after initial containment actions were taken. I had mentioned in my previous statement in this House that we would study the impact of ISS, determine whether ISS can be kept as a permanent measure and if long-term mitigation solutions can be developed to overcome the operational challenges arising from ISS.

While the implementation of ISS was necessary, it has indeed posed challenges in the provision of patient care in some areas such as emergency care, decision-support for prescriptions and treatments, access to patient education resources and booking of clinical appointments. ISS also caused delays to frontline patient management and backend administrative tasks. Research and education initiatives in the public healthcare institutions have also been impacted by ISS.

Let me give an example. ISS impacted the functionality of Internet-based video conferencing software used to conduct tele-consultation with the National Neuroscience Institute for suspected stroke patients. This software was used by some of our hospitals which do not have in-house specialist neurology capabilities as timely diagnosis is critical for stroke cases. A dedicated leased line to support high resolution video conferencing had to be provided to overcome this challenge.

Where possible, we have put in place fixes and workarounds like this to reduce the impact to patients and healthcare staff. I thank them for their cooperation and understanding during this period of time.

While we can continue to operate on this current model of ISS, we have also been looking for longer term solutions that are more efficient and sustainable. We also need a solution that will allow us to implement new models of care in the future, such as telemedicine, that leverage on the Internet to improve patient care and services in the community.

This is why we have been experimenting with a "Virtual Browser" solution, even before the cyber-attack. A "Virtual Browser" allows access to the Internet through strictly controlled and monitored client servers. Let me explain what a "Virtual Browser" means. If we imagine loading a webpage or downloading a file from the Internet to be like receiving a letter, the client server is like a decontamination room where the letter is opened and only a picture is taken and sent to the recipient. The recipient reads the letter only via the picture that was taken, and does not touch the letter itself. This process makes things safer for the recipient as malicious material or hidden messages are left behind in the decontamination room. Although such a solution does not fully eliminate cybersecurity risks, it reduces the attack surface significantly, while minimising impact on service efficiency and patient care.

Our earlier trial conducted at the healthcare clusters has shown that a "Virtual Browser" is technically feasible. Our next step will be to run a pilot in an operational environment across different settings and healthcare roles, so as to assess its effectiveness in meeting both operational and cybersecurity needs.

If the Virtual Browser is found to be effective, we envisage putting in place a tiered model of Internet access among our healthcare staff in the longer term.

For some job roles, Internet access would not be required. For example, administrative staff handling certain backend tasks may not need Internet access for their routine work, and these staff will not be provided Internet access.

For a number of job roles, Internet access is required, but can be managed through the use of separate Internet and non-Internet facing devices. This would likely be the case for the majority. ISS will remain for this group and they will have access to the Internet via a separate device. We will further improve our current arrangements so as to make it more convenient for this group of users.

For some, access to the Internet and intranet systems on the same device is essential. This group could include clinicians who need to access the Internet for information from clinical reference databases and match them urgently against patients’ electronic medical records, such as information on new and complex drugs or obscure toxins. The Virtual Browser may be the best solution for this group.

The pilot will begin this quarter at National University Health System (NUHS). "Virtual Browsers" will be deployed in selected job functions at selected departments and clinics. Some of the job roles participating in the pilot include frontline pharmacists and emergency department clinicians.

Apart from this small group of pilot Virtual Browser users, all other public healthcare staff will remain on ISS for now.

The conduct and evaluation of the pilot is expected to take about six months. We will work closely with CSA to assess the cybersecurity adequacy of the solution. We will also evaluate the effectiveness of the Virtual Browser. This will enable us to make a more considered decision on our Internet access model in public healthcare.

Earlier, I mentioned that we have also started independent security reviews of other key public healthcare IT systems. One such system being reviewed is the National Electronic Health Record (NEHR) system.

Over the past few months, the NEHR has been undergoing a series of cybersecurity assessments conducted by CSA, GovTech, and independent firm PWC. These cover technical architecture design and existing cybersecurity measures. In addition, we are completing a series of penetration tests to uncover any security vulnerabilities against cyber-attacks.

The NEHR system will be subject to further testing and reviews, including exercises to test its defences against targeted attacks, as well as business continuity and disaster recovery plans.

I had informed this House in August that we would be deferring plans for mandatory contribution of patient medical data to the NEHR. As the NEHR is an important large-scale national system, we want to be fully assured that all the necessary safeguards are in place to handle the evolving cybersecurity threat landscape. We will therefore proceed with the introduction of the Healthcare Services Bill first, and continue to defer the NEHR mandatory contributions until we have completed these reviews.

Even as we conduct the reviews, IHiS will implement further enhancements to strengthen cybersecurity of the NEHR system. These include software and application upgrades, additional preventive and detection measures, and enhanced process and technical controls.

Mr Speaker, Sir, the COI has identified inadequacies in specific individuals employed by IHiS in preventing and responding to the cyber-attack. The IHiS Board has appointed an independent HR Panel to examine the roles, responsibilities and actions of specific individuals involved and recommend the appropriate actions to be taken. The Panel was chaired by an IHiS Board member and comprised two other members from the public and private sectors with relevant HR and IT expertise.

In assessing the appropriate HR actions, the Panel considered whether the officers had acted in accordance with their job responsibilities. It also considered whether the officers’ action or inaction had contributed directly or indirectly to the outcome.

The panel has submitted its recommendations to the IHiS Board and the Board released its decision on this matter yesterday.

To recap, two IHiS staff – the Team Lead of the Citrix Team and the Security Incident Response Manager – were found to be negligent and non-compliant with orders.

While the Citrix Team Lead had the necessary technical competencies, his attitude and approach to management of the servers introduced unnecessary and significant risks to the system. He could have mitigated the impact of the attack if he had enforced proper compliance and exercised effective management of the servers.

The Security Incident Response Manager persistently held a mistaken understanding of what constituted a "security incident", and when a security incident should be reported. His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have averted or mitigated the impact of the cyber-attack.

Their behaviour had significant security implications and contributed to the unprecedented scale of the incident. The employment of the Citrix Team Lead and the Security Incident Response Manager has been terminated.

Financial penalties were imposed on the two middle management supervisors, who are accountable as supervisors of the staff that were terminated.

A Cluster Information Security Officer was found to have a wrong understanding of what constituted a "security incident" and failed to comply with IHiS’ incident reporting procedures. The Board decided to demote the Cluster Information Security Officer and reassign him to another role.

Let me now come to the IHiS senior management team. As the senior management team, they hold collective leadership responsibility over the organisation and the incident. They know this. IHiS CEO wrote a letter to me in December. In his letter, he expressed disappointment that he and his IHiS colleagues were not able to prevent or respond better to the cyber-attack. He apologised for the incident. He and members of his senior management team acknowledged their collective responsibility. The CEO expressed that he would accept whatever the IHiS Board may decide for him.

The IHiS Board has decided to impose a financial penalty, higher than that imposed on the middle management supervisors, on the CEO and four other members of the IHiS senior management team. They have all accepted the penalty.

I have emphasised to the IHiS CEO and his senior management team to learn from this episode and lead the organisation and its staff through the recovery and rebuilding. I expect them to do their utmost to remedy the shortcomings and help the public healthcare family emerge stronger, so as to win back public trust. MOH and the rest of the public healthcare family will render them our full support.

The COI did not identify lapses in specific individuals that are employed by SingHealth. However, SingHealth recognises its duty to its patients and its responsibility as the owner of the database system. The SingHealth senior leadership, including the Group CEO, has volunteered for a financial penalty which the Board has accepted.

Sir, beyond these disciplinary actions and penalties on specific individuals, penalties have also been imposed at the organisational level. Earlier, Minister Iswaran had shared that the Personal Data Protection Commission (PDPC) has completed its investigations into the incident. PDPC has decided to impose financial penalties on IHiS and SingHealth, which comes to $1 million in total. This is the highest penalty meted out by the PDPC to-date.

IHiS and SingHealth have accepted PDPC’s decision and penalties. This is the right response.

Mr Speaker, Sir, in the COI report, several IHiS officers were commended for their diligence in handling the incident beyond their job scope and responsibilities. They were proactive and demonstrated resourcefulness in managing the cyber-attack.

The IHiS Board has presented Letters of Commendation to three IHiS staff from the Database Management Team, SCM Production Support Team and Security Management Team respectively. Each of them showed commitment to serve and had the persistence to get to the bottom of things. I am glad that their contributions have been recognised. I would also like to acknowledge members of our public healthcare family who have worked hard together to ensure patient care is not compromised by this incident.

At the same time, I thank Singaporeans for their patience and understanding on the inconveniences they may have encountered at our public healthcare institutions arising from the implementation of tighter cybersecurity measures.

Mr Speaker, Sir, I have sketched out the responses of the public healthcare family to the SingHealth data breach and the COI report. The public healthcare family will ensure that priority and attention is given to the implementation of COI’s recommendations as well as the cybersecurity initiatives that the public healthcare system has embarked on.

We are organising our efforts into six key workstreams spanning technical measures, cybersecurity policy, organisational structures, governance enhancements, management of Critical Information Infrastructure (CII) and patient engagement.

Senior management and key personnel from MOH, IHiS and healthcare clusters will lead these efforts. They will report their progress regularly to the Healthcare IT Steering Committee chaired by my Permanent Secretary. The Steering Committee will oversee the implementation and closely monitor its progress. It will also tap on independent auditors to verify the completion of the follow-up actions.

Mr Speaker, Sir, this cyber-attack has been a regrettable and painful incident for us, and for the affected patients. We must learn from it. But we must not allow it to hold back our push towards using technology to provide better care for our patients. IT systems have improved the safety and effectiveness of patient care. It remains a key enabler we cannot do without for better delivery of healthcare to benefit Singaporeans.

Yet, we recognise that the cybersecurity landscape has shifted and the threat level has risen. So, the cybersecurity posture of the healthcare sector needs to be correspondingly raised. This will not be a one-off exercise as new and evolving threats will continue to target our systems. We must continually fortify our defences, and we need a strong team working together to achieve this.

Mr Speaker, Sir, to conclude, I would like to thank the COI once again for its work and the comprehensive findings and recommendations. We in the public healthcare family will take guidance from the COI report and strengthen our systems and capabilities. We must and we will emerge with stronger cyber defences. This will be the most fitting way to fulfil our responsibilities to our patients.

Mr Speaker: Mr Cedric Foo.

2.23 pm

Mr Cedric Foo Chee Keng (Pioneer): Speaker, Sir, I have a supplementary question for the Minister for MCI. I recall that he talked about three parallel investigations: the COI, the Personal Data Protection Commission as well as the Police. Any update on the last of these: whether there are any criminal findings?

Mr S Iswaran: Mr Speaker, the three streams of activity: one is the COI, the report of which has been furnished; second is the independent investigation by the PDPC which took reference from some parts of the public COI report and is now concluded, and penalties have been meted out; and third is the investigation by the CID which has been closed without any further action.

Mr Christopher de Souza (Holland-Bukit Timah): I thank both Ministers for their thorough statements. Recommendation number four of the COI states "enhanced security checks must be performed, especially on Critical Information Infrastructure systems." My question is, what is the accountability mechanism for this? Essentially, who will regulate cybersecurity officers to ensure such checks are up to a professional standard and performed regularly? Further, what is the professional standard we are pegging the expectation to and how regularly will security checks be undertaken?

Mr S Iswaran: Mr Speaker, I thank the Member for his question. The mechanisms and the framework for doing such an audit and compliance is actually set up under the Cybersecurity Act and CSA which has oversight of the overall national cybersecurity effort in particular, the work that is being done by the Critical Information Infrastructure owners in the 11 vertical sectors, who will be the ones that oversee the execution and compliance, if you will, of the processes that are needed to continually strengthen our cybersecurity system. And, in that regard, CSA issues various directives and advisories from time to time. There is a Code of Practice that CII owners are expected to adhere to. There are provisions for regular audits, minimally once in two years but, if not, can be more frequent if mandatorily required by CSA. And also, the audit will be conducted by an auditor that must be approved by CSA.

So, we have the framework in place. As I pointed out, these have all been enabled with the legislation coming into force in August last year and now, in having designated the CII, CSA is operationalising it and we have a mechanism to follow through on the broader imperatives that CSA has mapped out and also on the implementation of some of the COI recommendations.

Mr Speaker: Prof Lim Sun Sun.

Prof Lim Sun Sun (Nominated Member): Thank you, Mr Speaker. I would like to thank the two Ministers for their illuminating statements. On the issue of the Internet Surfing Separation, I think it is encouraging that we are exploring the Virtual Browser option. But, at the same time, I wonder if during the exercise of Internet Surfing Separation, whether there were instances of healthcare workers using their personal devices and data plans to access the internet for work purposes and whether such practices introduced security risks and if, in future, there will be safeguards to caution our healthcare workers against these kinds of actions?

Mr Gan Kim Yong: Thank you very much. Indeed, some of the healthcare professionals have taken the initiatives to use their own personal devices to access Internet for work. Because their personal devices are not connected to the intranet, to our database system and, therefore, they are less risky from the systems point of view. Whereas our own internal intranet system – we have imposed ISS on our own internal system and, therefore, our internal system will have no access to the Internet for surfing purposes.

Mr Speaker: Ms Rahayu Mahzam.

Ms Rahayu Mahzam (Jurong): Speaker, I have a question for the Minister for Communications and Information. I appreciate that the cybersecurity regime and eco-system is a fairly, relatively new frontier. I am just wondering, as part of our review and assessments, whether we look to other practices and systems in other countries and whether we benchmark ourselves against the technological capabilities as well as rigour and practices in those countries?

Mr S Iswaran: Mr Speaker, the answer is yes. Obviously, because it is a highly interconnected world that we live in, in a sense while we do what we can in our own jurisdiction, we also have to take reference from what is happening elsewhere. Indeed, that is why cybersecurity agencies across the world formed these partnerships to share information and also to share best practices because the threat is an evolving one. I think that is the way we continue to ensure that we are plugged in. And so, I think, the short answer to the Member's question is yes, we do – but having said that, I think the onus is on us to ensure that we are up to mark and I would add that many countries look to Singapore for best practices.

Mr Speaker: Mr Vikram Nair.

Mr Vikram Nair (Sembawang): I thank the Ministers for the comprehensive replies and the report which I think has been a very good learning experience for all of us. But the one elephant in the room, of course, is the decision was made not to name the perpetrator. I have two questions related to this.

First of all, what actions, if any, can be taken against the perpetrators of such attacks? And if the answer to this is "none at the moment", can we change our domestic laws at least, so that if any of these perpetrators are within our jurisdiction, we can take action against them?

Mr S Iswaran: Mr Speaker, I thank the Member for his questions. If I may reiterate my earlier response: we know the identity of the perpetrator. We have taken appropriate action. But it is not in our interest to make a public attribution and it is not because we lack the legislative capacity to do so, if indeed it is within our jurisdiction.

Mr Speaker: Dr Chia Shi-Lu.

Dr Chia Shi-Lu (Tanjong Pagar): Thank you. I also want to echo my thanks to both Ministers and also to the COI for their work. Three questions to the Minister for Health. First, while we are trying to strengthen the systems, if we take a leaf from how we manage infectious diseases while we are trying to think of better treatments and so on, I think a key focus would be surveillance, that means detection and containment. So, there were some talk about the advanced threat protection and other systems to detect the systems and, as I know it, our healthcare system has hundreds of computer systems, not just in SingHealth but also the private sector. Could I just ask what is the extent to which these detection systems have been deployed through the national healthcare system, just to get an idea? Because there are other healthcare systems out there that could still be vulnerable and may not have these systems. I just want to have an idea about that.

The second is that there was a point in the COI which merits study, which is the impact on patient care. Can I also find out what has been the work of MOH in looking at the impact that this cyber-attack has had on patient care efficacy and efficiency?

And third, I am also concerned about the impact on the roll-out of NEHR. I think it is something that is very useful. I think it is something that we should all have. It is for the future of Singapore's healthcare. So, in terms of the study on the NEHR, could I get a sense of what sort of goals we are looking at in terms of the assessment of whether or not NEHR will be safe in terms of cybersecurity threats and so on, so that maybe we have an idea how long this may be delayed.

Mr Gan Kim Yong: Sir, as I explained earlier in my speech, Advanced Threat Protection has been implemented in our healthcare system, generally. So, I think it is there to help us detect potential malicious activities. But for the private sector, it is something that we will have to work with them and see what would be applicable for them. But it is also important for us to always remember: whatever system we put in, there will always be the risk of exposure. I think, the greatest risk for us is to assume that after putting in Advanced Threat Protection or ISS, we are quite safe and therefore, we let our guards down. So, we always must remember "道高一尺,魔高一丈" (as the Way rises one foot, the devil rises ten). That is, you must always be on alert and assume that we are being attacked all the time and be vigilant and get to know what is the latest development, what is the latest landscape and continually upgrade ourselves to make sure that we are ready for them as best we can. So, I think this is a lesson we learnt from this incident.

Dr Chia also asked about the impact due to this incident. Some patient care, some processes have been slowed down because of additional steps that they have to go through. But by and large, we have not compromised the quality of care. And particularly on patient safety, we have been quite conscious about this. I have always reminded our cluster leadership to make sure that despite all the additional cybersecurity measures, we cannot compromise our patient safety. So far, I think it has been going on all right.

On NEHR, I agree with Dr Chia that we do not want to delay it unnecessarily. But given that it is a very large system and a very important national system, we want to be extra cautious to have it tested and tested again before we make it mandatory. We foresee that we will probably be able to complete our review within this year and then we can make a decision at the end of this year to see when we are ready to implement then. Because the process is still on-going. This is an indicative timeline and we will probably give an update nearer the time.

Mr Speaker: Mr Murali Pillai.

Mr Murali Pillai (Bukit Batok): Speaker, Sir, I have a question for the hon Minister for Health in relation to the relationship between IHiS and SingHealth and for that matter, the other healthcare clusters.

I note that the PDPC had fined SingHealth in its capacity as a data controller. But IHiS, which is owned by MOHH, is a nominated agency to deal with IT matters for all healthcare clusters. So, how would these two entities work to strike a balance between operational needs on one hand and to maintain cybersecurity on the other hand? Do they work as equal partners, or would there be another arbiter to deal with any differences between these agencies?

Mr Gan Kim Yong: Sir, I explained in my speech significant re-organisation of IHiS, the cluster IT organisation, as well as MOH. Let me just quickly focus on the questions that the Member raised. Particularly within the cluster, currently, the Group Chief Information Officer (GCIO) is an IHiS staff and therefore, there is a question: does he have sufficient resources, does he report to IHiS or does he report to the cluster? So, we have made it clear now that the GCIO in the clusters will report to the Board and the management of the cluster. So, he may be a secondee from IHiS, he may be a direct recruit, he may be someone that is loaned to the cluster, but his responsibility and accountability is towards the cluster. So, this provides the cluster some independence from IHiS as a system operator.

Particularly on security, the Cluster Information Security Officer now reports directly to the management, he does not report to the GCIO. So, security and operations now have separate reporting lines and this provides significant independence between security considerations as well as operational requirements.

Within MOH, I mentioned that we are going to set up a separate Chief Information Security Officer (CISO) which would report directly to the Permanent Secretary. And this will also be quite separate from IHiS Cyber Defence Group.

So, I think the separation of roles between these few key functions will provide greater independence and check and balance between operational needs and cybersecurity needs.

Mr Speaker: Mr Png Eng Huat.

Mr Png Eng Huat (Hougang): Speaker, this is for Minister Iswaran. The public version of the COI report is comprehensive on the technical facts of the cyber-attack and also recommendations to prevent a repeat of such an incident. But it has fallen short on the damage control for the victims of the cyber-attack. Imagine if someone were to receive an email/SMS and now possibly, a hardcopy letter, purportedly from SingHealth or even the Cyber Security Agency, stating his name, NRIC, date of birth, gender, race, to name some of the stolen data, and asking that unsuspecting person to call or to go online to verify some information because someone has given him wrong medication or some innocuous matter, life is going to be hell for this person if he were to make the first contact and fall victim to the scam.

So, my first question is, in the aftermath of the cyber-attack, why did CSA say that there is no strong commercial value for such data when the danger for loss of privacy and financial for our victims of this cyber-attack is clear and present?

To summarise, what is the Government going to do next to assure and alert this group of victims about such danger? Because telling the victim to make a police report is rather moot after they have suffered financial, privacy loss because it is very difficult to investigate cross-border cybercrimes.

Mr S Iswaran: Mr Speaker, I thank the Member for his questions. I think it is a reasonable concern. Let me start by saying that in the aftermath of the incident, we have been monitoring the Dark Web to see whether the data that had been exfiltrated has emerged in any form, and to date, there has been no evidence of that.

Secondly, the kind of scenarios that the Member has highlighted about people being approached for personal data and so on and to verify, these actually have been occurring even before the cyber-attack and they occur in different contexts. Because the way some of these scams, as the Member put it, are being perpetuated, is not just depending on this particular kind of incident. They are approaching it from different angles, using different resources at their disposal.

So, on the one hand, we are doing everything we can in taking it absolutely seriously that this has been an incident that we should not have allowed to happen. But it having happened, we want to contain it and ensure that every measure is put in place to protect the interests of the patients. So, if you recall, SingHealth has made an extensive outreach to all the patients through SMSes and so on, to inform them and also to advise them of the risks and what they need to do and why they can be assured in terms of the security of their data.

The second point I would make is, we have been emphasising, not just CSA, but I think the Government, as a whole, whether it is this incident or any others, we have, each and every one of us, an obligation to exercise appropriate cyber hygiene habits. And that means if you have an unsolicited call seeking personal data, then I think our antenna should go up and we should be taking appropriate steps to ensure that this is a bona fide approach and not something that is a scam, that is trying to take advantage of us.

So, I think, first, and if I can summarise it, overall, the data, we are monitoring the situation. There is no evidence to date, in terms of its use or emergence in the Dark Web.

Secondly, our agencies and specifically, in this case, SingHealth, have reached out to all the patients to inform, advise and also where they have had queries, they have been able to approach SingHealth.

And thirdly, we have in general, an important and repeated advisory on appropriate cyber hygiene habits that should be undertaken by all of us.

Mr Speaker: Mr Patrick Tay.

Mr Patrick Tay Teck Guan (West Coast): I have two questions for the Minister for Health. Firstly, I wish to ask the Minister for Health if IHiS, which is a unionised company of the Healthcare Services Employees' Union, has notified and heard the union before taking action and meting out punishments to the affected employees because this is to be done regardless of whether they are or not union members.

Secondly, with regards to the financial penalty of $1 million imposed by PDPC on SingHealth and IHiS, I urge and appeal that the salaries and bonus of the workers in both organisations will not be affected as a result.

Mr Gan Kim Yong: Sir, I do not know whether they have informed the union. I will inform the management. I agree with Mr Patrick Tay that it is a good practice whenever these incidents happen and we have to take disciplinary action, it is best to keep the unions informed. I do not know whether they are union members. And if there are, it would be useful for the management to keep them informed. And if they have not done so, it is still not too late – better to do now than not to do so at all.

Secondly, the Member asked about the bonuses of IHiS staff and SingHealth staff. I think other than those I mentioned as part of the disciplinary action, the rest of the staff should not be affected. Should they continue to do well, they should continue to get what they deserve. And for those who have done well, their contributions will be recognised at the end of the year.

Mr Speaker: Dr Lily Neo.

Dr Lily Neo (Jalan Besar): Mr Speaker, Sir, I would like to declare that I am a medical practitioner. May I seek clarification from the Minister for Health on the implementation on the recommendations he mentioned earlier. Will MOH also assist private practitioners in coping with this cyber-attack, especially those who are already embarking on the National Electronic Health Record (NEHR)? My concern is that cyber-attacks on the NEHR in the private sector may be linked to the public sector's. So, if there is a soft part in this area, will that affect the whole public sector in the end?

I would also like to echo Dr Chia Shi-Lu's question earlier whether the Minister will ensure that the NEHR is robust before it is widely implemented, to give confidence to patients and doctors.

Mr Gan Kim Yong: Sir, I agree with Dr Neo that it is important for us to ensure that NEHR is robust before we make it mandatory for data submission. Dr Neo also mentioned how we can help private sector doctors, particularly if they are connected to the NEHR. Indeed, we are aware that there is a risk, because we have many private operators which have to tap on to our NEHR in order to submit their data, and that is why we are taking additional precautions to test our NEHR cybersecurity and cyber defences to ensure that they are robust before we require everyone to submit.

At the same time, we will also be developing advisories to help advise our private practitioners how to strengthen their system, how to do audits on their system to ensure that their own systems are protected. We must remember that even without NEHR, many of our doctors have their own data system and keep their own patient records. Of course, these are limited to their own patients, not national data. Nevertheless, it is also important for our private doctors to ensure that the patient data that they collect and maintain are protected from potential cyber-attacks. In the past, our doctors may be using paper and pen, they have paper card records, it is less risky. But still, the sense of responsibility to safekeep these data is there among our medical practitioners. I think it is no different when it comes to electronic records. When doctors have their records kept in an electronic form, they should be quite mindful that they are also responsible to ensure that such electronic records within their own premises where they are kept, they also have to ensure that they are protected to a satisfactory extent.

So, we will help them. We will give them advice from time to time, especially arising from this incident. We will give them general advice on what they ought to do to ensure that their databases are protected.

Ms Irene Quay Siew Ching (Nominated Member): Sir, I thank both Ministers for their detailed Statements. While we understand that there are deficiencies and they will be implementing comprehensive recommendations, we must not forget that our IHiS staff have been working very hard and performing their best over the years as we move towards a Smart Nation. So, can I ask what are the resources – as we are piling them up with more recommendations and more work – as well as emotional support that we are rendering to these ground IHiS staff while they are going through this trying period to boost their morale as we learn and move forward stronger together in this Smart Nation journey?

Mr Gan Kim Yong: Thank you! I would like to thank the Member for her encouragement. Indeed, IHiS has been working very hard over the last few years in reorganising itself, strengthening its governance, as well as rolling out many major systems. But this is an important incident and it is a very critical and regrettable incident and IHiS' staff morale has, indeed, taken a toll from this incident. We will continue to support them. As I have mentioned in my speech, even as they go through the reorganisation, going through the repositioning, reprioritising, MOH and all our clusters will extend our full support for them and we want to encourage them to soldier on because there are still many important tasks ahead of us, and not the least, the implementation of the recommendations of the COI. On top of that, there are still many systems that they have to deliver and they have to deliver them with strong cybersecurity measures.

So, I would like to thank the Member for her encouragement, and will convey this to the IHiS team and to encourage them to press on with our task. Thank you.

Mr Cedric Foo Chee Keng: Mr Speaker, Sir, I empathise with my colleague's (Mr Vikram Nair) view about the non-attribution of the identity of the perpetrator. It seems that the COI process has been very robust. It has been thorough, rigorous, public, transparent, and open. I think this will go some way to restore public confidence from the incident itself. However, even with recommendations on strengthening defences, the "vault" and many other areas, the person who actually "broke into the house" was not revealed? There seems to be a vacuum as far as the sense of justice is concerned. I am sure the Government's position was well-calibrated and considered, but perhaps the Minister can share more on the considerations of the Government for not revealing who the perpetrator is.

Mr S Iswaran: Mr Speaker, I think the Member's question, if I can put it in a broader context, is that, first, this incident has occurred. The basic question we have to ask ourselves is how do we ensure that Singaporeans continue to have trust and confidence in our public sector systems – IT systems and databases – because it is inevitable that when you have an incident like this, it will raise such qualms and questions. And I would say that in deriving a sense of confidence, our citizens should be looking at the totality of our response and not focus on one particular aspect of the response. Let me elaborate on what I mean.

Firstly, why do we collect data and have these IT systems? Because they enable all these services, conveniences that we take for granted, whether it is in our transportation system, our healthcare system, in our dealings with various other Government agencies. The fact that we can transact with ease and convenience is because it is enabled by data and the IT systems that we have. So, firstly, we are doing this because we want to serve the interests of our citizens.

The second point I would make is that directly as a result of this, we should be looking at what has our response been, the Government's response to this. In that regard, I would highlight a few things. Firstly, we made the knowledge of the cyber-attack public within days – if I recall correctly, 10 days after it was brought to the attention of CSA. I think it was 10 July that it was brought to the attention of CSA, and on 20 July, Minister Gan and I had a press conference and we announced it and shared it with members of the public. Why do we do that? Because we want to demonstrate that we are transparent and we want to ensure that all Singaporeans understand that we have nothing to hide here. We want to get to the bottom of it as much as Singaporeans do.

Thirdly, if you look at our response thereafter, we appointed a Committee of Inquiry. Why do we appoint a Committee of Inquiry? Because the Government wants a robust and transparent investigation and inquiry into the matter, not because we want to lay fault, although if there are, those who have been negligent or egregious, then they have to be accountable. But also because we want to learn from this, understand what went wrong and rectify them. So, if you look at the COI Report, we have released all the recommendations and material findings in full in the public version. The only parts that have been held back are those that pertain to sensitive national security matters and also patient confidentiality. Everything else is out there – unvarnished, stark but very clear on what we need to get done. So, again, if you contrast what we have done with the responses in other domains by different parties, I think we can hold ourselves up to the best practices and standards in terms of how we responded.

Finally, what are the actions we have taken? Apart from action against individuals, we have taken actions against the organisations and we have also undertaken a slew of activities and measures in order to further strengthen our cybersecurity system, some informed by the COI, others that our agencies have already been working on.

That is the totality of our response. And I do not think we should reduce whether we have confidence in the sense of justice to just one specific point, that there is no public attribution of the perpetrator. I can understand that Members have a desire, and on behalf of their constituents, to know this, but I think we have to exercise judgement as to what is in our national interests and whether a public attribution serves our best interests. And as I have said, we know who the perpetrator is and appropriate action has been taken.

2.55 pm

Mr Speaker: Order. End of Ministerial Statements. Introduction of Government Bills. Senior Minister of State for the Environment and Water Resources.