Cybersecurity professionals and organisations should take note of the fallout from the data breach at a Singapore health provider. In June 2018, a breach of the database of SingHealth, a premier health provider in Singapore, reverberated through and shocked the nation state.
It is not so much the data breach itself but the manner in which it happened and the actions taken after its discovery that stand out:
apparently the hackers were found to have specifically targeted the personal health details of the Prime Minister of Singapore, and
after the discovery, the government took the unprecedented step of taking all government computers off the grid.
An investigation was launched and, true to its much-lauded efficiency, the results were revealed and made public on 16 January 2019. The Personal Data Protection Commission (PDPC), in its findings, faulted both SingHealth and its vendor, Integrated Health Information Systems (IHIS), for failing to undertake and implement the necessary protective and mitigative measures to protect patients' data. For this failure, SingHealth was fined S$250,000 while IHIS was fined S$750,000.
Apparently, prior to the PDPC's announcement, IHIS had, after conducting its own internal investigation into the breach, dismissed two of its employees who were found to be negligent and also imposed financial penalties on five of its senior management, including the CEO. The punitive actions taken by the Singapore authorities in this case would have far-reaching consequences and leave a few unanswered questions:
Did IHIS advise SingHealth on the protective and mitigative measures? If yes, and SingHealth did not follow through or delayed implementing the recommended measures, shouldn't the fault lie solely with the client rather than the vendor? The vendor can only recommend; it has neither the influence nor the power to decide. If the vendor's recommendations necessitate the client providing a budget, and the client failed or delayed in acting on it, again, whose fault would that be?
Even though SingHealth outsourced the cybersecurity function to the vendor, the data and its input reside at the client's premises, and the vendor has no control over them. If the 'window' for the hackers to penetrate SingHealth was due to the negligence of one of their staff who was targeted in a wide-ranging phishing attempt by the hackers, can the authorities hold the vendor responsible for the breach?
It appears that the actions taken by IHIS against its own staff, prior to the announcement of the PDPC's actions against SingHealth and the vendor, were already an admission of guilt by IHIS, on which the PDPC based its decision.
Whom did IHIS appoint to undertake the investigation into its own staff? External parties? Internal auditors? External auditors? Reports said five of its senior management were fined as a result of this breach. If these five people are of senior management rank, any investigation should be conducted and undertaken by no less than people of their peer ranking and above.
Far-reaching consequences:
Cybersecurity professionals would now be prompted to seek professional indemnity insurance as part of any future engagement, for fear that they could be held responsible for any breach suffered by their clients.
In this instance, insurers would have to reconsider the protective cover they offer on the professional indemnity being sought by cybersecurity professionals.
Cybersecurity professionals could also insist that clients adopt and implement a minimum cybersecurity framework for their IT architecture, failing which the vendors reserve the right to terminate and withdraw from the engagement. If this happened, the consequences could be far-reaching for all organisations at large. Imagine a scenario whereby a company, despite being told repeatedly to prepare its financial statements in accordance with the International Financial Reporting Standards (IFRS), still fails to do so, yet expects the external auditors to audit its accounts against IFRS. Rest assured no auditor in the world would do that for the company.
Be that as it may, we view the above developments in a positive light. By being decisive and imposing a financial penalty swiftly, the authorities in Singapore have indirectly helped to define and set a benchmark of good practice for all cybersecurity professionals. Policies and procedures to mitigate cyber risks will now be rewritten, and organisations will be 'pushed' along to adopt a more proactive and mitigative cyber-resilient framework.