[BreachExchange] Cyber-security exercises needed to better prepare for cyber attacks: Expert at COI on SingHealth cyber attack

Destry Winant destry at riskbasedsecurity.com
Mon Nov 12 03:29:57 EST 2018


https://www.straitstimes.com/singapore/cyber-security-exercises-needed-to-better-prepare-for-cyber-attacks-expert-at-coi-hearing

SINGAPORE - An expert has called for more exercises involving
simulated data breaches to allow professionals in an organisation to
practise responses for a cyber-security incident.

Like counter-terrorism exercises and fire drills, exercises that
simulate data breaches could help turn the tide when a cyber attack
occurs, said Dr Lim Woo Lip.

The executive vice-president of technology and capability at Ensign
Infosecurity was testifying on Friday (Nov 9) before a high-level
panel looking into the SingHealth data breach in June.

The worst cyber attack to hit Singapore compromised the personal data
of 1.5 million patients and the outpatient prescription information of
160,000 people, including Prime Minister Lee Hsien Loong and several
ministers.

Dr Lim was speaking during the third tranche of hearings, which will
run until Nov 15.

The current tranche consists of experts recommending enhancements to
cyber-attack incident response plans, to better protect SingHealth's
patient database system against cyber-security attacks.

Dr Lim said exercises involving simulated cyber breaches will allow
IT, security, legal and corporate communications professionals to be
more familiar with what needs to be done when a cyber attack occurs.

Presenting a report he had prepared for the Committee of Inquiry
(COI), Dr Lim said: "A cyber-security exercise is something not all
organisations are very familiar with yet.

"This exercise also does double up as training, as you go through more
exercises, you are more familiar and you strengthen your standard
operating procedure."

In his report of recommended cyber-security measures, Dr Lim said that
these exercises should expose participants to realistic situations,
with real-time injects that test the knowledge and skills of the
different organisation members.

Besides cyber-security exercises, Dr Lim also recommended that data at
all states be encrypted.

This includes inactive data that is stored physically in any digital
form, otherwise known as data at rest.

Sensitive medical records - such as personal information, medical
reports and doctor's prescriptions - are pieces of information in an
electronic database that cyber criminals are after, said Dr Lim.

Any sensitive data that is not protected would be vulnerable to attack.

"Since the sensitive data are the crown jewels that attackers are
after, encryption should be applied to data at all states," he said.

Dr Lim acknowledged that encryption of all data could hurt the
efficiency of an organisation's systems.

He suggested that should full encryption be impossible due to
operational efficiency, SingHealth and the Integrated Health
Information Systems (IHiS) - which runs the IT systems of all public
healthcare operators in Singapore - could just anonymise all data
containing personal identifiers, which he said is quite a "simple
process".

As an added level of security, the data retrieval process should
include a 2-factor authentication mechanism before data can be
de-anonymised.

These measures would, he said, bolster the data's defences, without
hampering a researcher's access to it.

"Such an approach will also allow the researchers in the healthcare
sector to be able to continue their research and analysis using the
anonymised data as the individual identity should not be required in
their studies," he said.

At the start of the hearings on Friday, Solicitor-General Kwek Mean
Luck said the experts' views will be used to draw up recommended
measures to reduce the risk of such cyber-security attacks on public
sector IT systems, including in the other public healthcare clusters.

Such systems contain large databases of personal data.

Local and foreign experts in the field of cyber security will be
called to testify, including Cyber Security Agency chief David Koh and
representatives from the Health Ministry.

Mr Kwek also gave an update on the written representations that the
COI accepted from the public from Sept 11 to Oct 31.

He said that the COI found many of the 26 submissions from individuals
and organisations to be useful.

The COI's chairman Richard Magnus said that the committee has seen all
the submissions and agreed that there is no need to further hear from
the contributors.

"The submissions speak for themselves," he said.

During the hearing, Mr Magnus also asked Dr Lim if it was possible to
overcome advanced persistent threats, which are stealthy and
continuous hacking processes, just like what happened with the
SingHealth breach.

To this, Dr Lim replied that it is possible, provided the system has a
“sophisticated detections engine”.

