How data security review committee's recommendations could have prevented govt data breaches and leaks

The various data security incidents that occurred in the last few years prompted the Government to set up the high-level Public Sector Data Security Review Committee (PSDSRC), which on Wednesday (Nov 27) announced a host of recommendations to bolster data security.
The Government has accepted these recommendations and will implement them across most of its systems by the end of 2021, with the rest adopting the measures by the end of 2023.
In a press conference on Wednesday, Senior Minister Teo Chee Hean said that had these measures been in place, the impact of the past breaches of government data would have been minimised - and the breaches themselves could even have been prevented.
Here is a look at how some of these incidents could have been prevented with these new recommendations:
In what was Singapore's worst cyber attack, the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, were stolen by hackers in June.
A skilled attacker managed to enter SingHealth's system, get past its defences and move around in the network without anyone noticing.
Reporting of the incident was also delayed by the IT security team, which gave the attacker more time to steal the data.
How would the measures have helped?
A copy of the HIV Registry was downloaded onto a thumb drive between 2012 and 2013, and was leaked on the Internet this year.
The confidential details of more than 14,000 people on the HIV Registry were illegally made public by American Mikhy K Farrera Brochez.
He had obtained the information that his partner Ler Teck Siang, a doctor who was head of the Ministry of Health's National Public Health Unit, had access to.
How would the measures have helped?
A Microsoft Excel spreadsheet containing students' particulars was mistakenly sent out to some 1,200 parents, as the officer did not check the e-mail recipient list.
This document contained the names and birth certificate numbers of all 1,900 pupils in the school, along with the names, phone numbers and e-mail addresses of their parents.
How would the measures have helped?
Secur Solutions Group (SSG), a Health Sciences Authority (HSA) vendor, had improperly stored the data of more than 800,000 blood donors on an unsecured server for over two months.
There were inadequate safeguards in place to prevent unauthorised access.
How would the measures have helped?
This article was first published in The Straits Times. Permission required for reproduction.