SINGAPORE: Key management figures in Integrated Health Information Services (IHiS) also served important roles in the Ministry of Health (MOH), prompting questions about whether this potentially resulted in conflicts of interest where checks are not done to ensure that directives are complied with.
Those with dual roles include IHiS CEO Bruce Liang, who is also the chief information officer at MOH, the Committee of Inquiry (COI) looking into the SingHealth cyberattack heard on Friday (Nov 2).
IHiS director of cyber security governance Chua Kim Chuan is also MOH’s chief information security officer.
Taking the stand before the four-member COI on Friday, managing director of MOH Holdings Goh Aik Guan acknowledged that there could be a “real possibility” of conflict of interest, because “the one who implements (the policies) is also the one who promulgates it”.
He was responding to questions from Solicitor-General Kwek Mean Luck about whether there were potential conflicts of interest in the “double-hatting” of roles.
The organisations, however, understood that such a risk was present, said Mr Goh, and had therefore put in place mitigation measures.
For example, Mr Liang and Mr Chua had to report back to other MOH officers, various measures were in place to ensure that instructions are executed, and key directives by the ministry will also be tracked. “It’s not a matter of (IHiS CEO Bruce Liang) not implementing (the directives) … because deadlines are there,” said Mr Goh.
MOH Holdings is the Government’s holding company for Singapore’s three public healthcare clusters – National University Health System, National Healthcare Group and Singapore Health Services. IHiS runs the IT systems of the three healthcare clusters.
During the hearing, Mr Goh also pointed out the benefits of “double-hatting”.
Key executives would be able to ensure that IHiS’ planning and implementation are aligned with MOH’s IT and cyber security strategy, as well as its policy and programmes, he said. It also allows MOH to have a channel of feedback for how programmes are running on the ground.
Referring specifically to Mr Chua – whose role in IHiS was to help roll out cyber security policies to the various healthcare clusters – Mr Goh said he also needed to be an MOH representative to be able to have a sector-wide perspective of cyber security issues.
CONSTRAINTS AND CHALLENGES IN PATCHING IT SYSTEMS
Mr Goh also shared his view that measures taken by owners of IT systems to mitigate risk are “never 100 per cent.” Owners will have to consider for themselves what an acceptable level of risk for the organisation is, taking into account “competing resource demands, infrastructure constraints, and operational imperatives”, he said.
“(You can reach) 99.6 per cent … And we know when you hit a certain number, the remaining 0.4 per cent to cover that gap will (be) disproportionately costly,” said Mr Goh.
Citing software patching as an example, Mr Goh said it may not be technically feasible to patch one system without affecting other layers of application and hardware as most IT infrastructure systems are complex.
“The IT systems in the public healthcare institutions also need to be operated efficiently and 24/7, and there is little room to schedule downtime for IT measures to be implemented,” said Mr Goh.
The COI hearings are expected to continue on Monday. Some hearings will be held behind closed doors in the interests of national security as the evidence given may be sensitive in nature.