SINGAPORE: A committee that will review the current policies and processes for managing sensitive data has been set up by the Health Sciences Authority (HSA) Board, Senior Minister of State for Health Edwin Tong said in Parliament on Monday (Apr 1).
The committee, which is chaired by chairman of HSA Board’s Audit and Risk Committee Max Loh and includes members from the Government Technology Organisation (GOVTECH), will also recommend measures, Mr Tong added.
He was responding to seven Members of Parliament who asked for further updates on the preliminary investigation of the data leak of more than 800,000 blood donors’ personal information from the database of the vendor appointed by HSA.
MPs who asked questions on the issue include chairman of the Government Parliamentary Committee for Health Chia Shi-Lu and Workers’ Party’s Png Eng Huat.
Mr Tong's announcement comes on the back of the convening of a Public Sector Data Security Review Committee, to conduct a comprehensive review of data security practices across the entire Public Service. It will be chaired by Deputy Prime Minister Teo Chee Hean.
Mr Tong added that his ministry and its agencies will also conduct a review on the management of the data being handled by existing IT vendors.
On Mar 13 this year, a foreign cybersecurity expert had informed the Personal Data Protection Commission that the registration-related information of blood donors could be accessed because of a vulnerability in the server used and managed by HSA's vendor, Secur Solutions Group (SSG).
The independent vendor was appointed to maintain and enhance the queue management system for blood donors. HSA then worked with SSG to disable access to the server.
CYBERSECURITY EXPERT HAS DELETED COPY OF DATA
The cybersecurity expert who exposed the vulnerabilities has informed the authorities that he deleted his copy of the data of more than 800,000 blood donors, and has no intention of disclosing its contents, Mr Tong said.
The expert, who works for a company that specialises in identifying and reporting vulnerabilities of IT systems, was not employed or engaged by HSA or the Health Ministry, and had never made any request for compensation or payment, Mr Tong added.
“We will not be taking any legal action against him because he had reported the vulnerability to us straight away, and had no intention to keep, use or expose the contents of the database, and has not done so,” he said.
But on Mar 30, SSG said that its server was also accessed suspiciously from several other IP addresses, with data possibly extracted.
Responding to MPs who asked what additional steps MOH and HSA can take to reduce the risk of data mismanagement, Mr Tong said that the measures to be taken to prevent a similar occurrence will be shaped by what specific findings arise from the ongoing investigations into the incident.
Responding specifically to Dr Chia’s question on whether the ministry should consider streamlining the procurement of IT services across its departments, statutory boards and public hospitals to reduce personal data access by multiple vendors, Mr Tong said:
“We agree, and have done so progressively in the public healthcare family, where we are able to do so.”