Public service to roll out 13 cyber security measures to protect citizens' personal data following data breaches
SINGAPORE – The entire public service will have to conform to a common cyber security framework to safeguard citizens’ personal data, beginning with 13 new measures developed after a spate of breaches in the past year.
These cyber security measures, some of which are being put in place, aim to make databases unusable if they have been wrongfully extracted, detect unusual data transmissions and limit users’ access rights.
For instance, sensitive files have to be encrypted and highly-sensitive attributes of individuals, such as one’s HIV status, hidden away in a separate system with tighter controls. The personal information of ministers will also be kept in separate systems with more stringent protection.
The technical measures announced on Monday (July 15) are the first of more to come from a new Public Sector Data Security Review Committee convened by Prime Minister Lee Hsien Loong in April this year.
They were issued after a government-wide stock-take of how data was managed at five key government agencies here handling medical and financial data of citizens.
The 13 measures conform to a common definition of what is entailed by sensitive information as outlined in the new Information Sensitivity Framework, and will replace the current practices by public agencies, many of which devised the practices themselves.
More measures, including ways to better manage third-party vendors and train public servants on data security practices to prepare Singapore for a safer digital future, will be revealed later and included in the Committee’s final report due in November this year.
The committee was formed after a spate of cyber security breaches over the past year, with the latest involving the personal data of more than 800,000 blood donors accessed illegally and uploaded on an unauthorised server for more than two months. A Health Sciences Authority technology vendor, Secur Solutions Group, was responsible for the incident.
In January, the Ministry of Health (MOH) revealed the confidential information of 14,200 HIV-positive individuals had been leaked online by an American who had lived in Singapore. He had gained access to the data through his partner, Ler Teck Siang, a Singaporean doctor who once headed MOH’s National Public Health Unit.
And in February, MOH said a computer error had resulted in 7,700 people receiving inaccurate healthcare subsidies when they applied for or renewed their Community Health Assist Scheme cards in September and October last year.
Singapore’s worst cyber attack happened in June last year involving the database of Singapore’s largest public healthcare cluster SingHealth. Hackers made away with the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including PM Lee.
All 13 measures will eventually be deployed to accord the highest level of protection for the most sensitive information. For instance, the database of patients with infectious diseases and individuals who were bankrupt will have the highest form of protection involving the most, if not all, of the 13 measures.
They will supplement current practices including Internet Surfing Separation, rolled out in 2016, and the disabling of USB ports from being accessed by unauthorised devices, implemented in 2017.
Source: Read Full Article