A tiered model of Internet access will be rolled out for the healthcare sector, should a virtual browser solution that is being tested prove effective, Minister for Health Gan Kim Yong said yesterday.
It could be the best solution for staff whose jobs require access to the Internet and the healthcare group's internal network to be provided on the same device, Mr Gan told Parliament.
But those whose jobs do not need Internet access will continue to remain out of it, he said, citing administrative staff doing back-end tasks.
Likewise, staff who can access the Web via a separate device like a mobile phone, he added.
Mr Gan made these points in a ministerial statement on the actions his ministry will take following the cyber attack on the database of Singapore's largest healthcare cluster, SingHealth.
Hackers stole the data of 1.5 million patients and the outpatient prescription details of 160,000 people, including those of Prime Minister Lee Hsien Loong.
The minister said a virtual browser will allow access to the Internet through strictly controlled and monitored client servers, and his ministry had been experimenting with the solution before the cyber attack.
"If we imagine loading a webpage or downloading a file from the Internet to be like receiving a letter, the client server is like a decontamination room, where the letter is opened and only a picture is taken and sent to the recipient," said Mr Gan.
This process, he added, is safer as malicious or hidden material is left behind.
"Our earlier technical trial conducted at the healthcare clusters has shown that a virtual browser is technically feasible," said Mr Gan.
The next step would be to run a pilot of this solution in different settings and healthcare roles to test its effectiveness, he added.
The pilot will begin in the first quarter of this year at the National University Health System. It will be evaluated over six months.
Mr Gan also gave an update on the ongoing review of the safeguards for the National Electronic Health Record (NEHR) system that was triggered by the SingHealth data breach.
The NEHR has been undergoing penetration tests and cyber security assessment by the Cyber Security Agency, GovTech and audit firm PricewaterhouseCoopers.
It will be tested further, he added.
Mr Gan also reiterated that given the importance of having safeguards in place, the Government will not require healthcare institutions to submit data to the NEHR until after the reviews are done.
Earlier, he described to the House his ministry's efforts in beefing up cyber security in the public healthcare sector.
One, on the organisational front, it will separate the roles of the chief information security officer and the director of cyber security governance at the organisation in charge of the IT systems in the healthcare sector.
This technology vendor is the Integrated Health Information Systems (IHiS), which will have its own director of cyber security governance.
Also, the ministry's chief information security officer will be backed by a dedicated team at the ministry and be in charge of cyber security for the healthcare sector.
Two, the healthcare sector will establish a more robust defence structure with three lines of defence.
The first involves staff who develop, deliver and operate IT systems; the second, those who oversee security strategy, risk management and compliance; and the third comprises independent checks.
Three, the sector will strive to improve staff's cyber security awareness and capacity, said Mr Gan, adding that IHiS will engage specialists to conduct realistic hands-on simulation training this year.
This will augment classroom simulation exercises for responders to security incidents.
"We agree that the 'people' element is foundational and critical to our cyber defences. Every user needs to be trained and equipped to understand the important role they play in cyber defence," said Mr Gan.
