Women in Cyber: Securing Singapore's patient data

By Shirley Tay

Christine Tan, Assistant Lead Engineer, Infrastructure Services at IHiS discusses her work protecting Singapore's patient data.

Doctor-patient confidentiality is one of the most sacred agreements between individuals. Health data can be sensitive, and particularly harmful in the hands of malicious hackers.

Christine Tan, Assistant Lead Engineer, Infrastructure Services, Integrated Health Information Systems (IHiS) discusses the two roles she's had in defending Singapore's patient data. She shares what it's like to respond to security incidents and the need for constant adaptation to cyberthreats.

Tell us more about your role. How do you protect the digital realm and improve citizens’ lives?

I am currently the Assistant Lead Engineer in the IHiS Security Technologies Department, responsible for a public healthcare institution’s Group’s Cluster Infrastructure Service. Over the past one year plus in IHiS, I had the privilege to take on two different roles.

In the first nine months of my time in IHiS, I oversaw the operations of the security system e.g. Firewall, VPN, Anti-Virus in one of the public healthcare institutions. My role was to ensure that these systems were operating well to protect the institution’s digital asset and infrastructure from malicious attacks as well as to provide a secured platform for users who are working remotely to perform their daily operational tasks during the COVID-19 pandemic.

In my second role, I was given the opportunity to provide advisory on ICT security matters and conduct security assessments to ensure the ICT systems and their security controls adhere to policies, and best practices are in place before any system go-live. This improve the overall security posture by identifying areas of weakness and opportunities for better in security protection.

What sparked your interest in cybersecurity?

It was the high demand for cybersecurity professional and vast opportunities available in this field which first sparked my interest in cybersecurity.

Personally, one of the most exciting and eye-opening area of work in cybersecurity is in incident management. The satisfaction of responding to a security incident in an orderly, time critical manner is paramount to security incident management. Stakeholder management is crucial in such instances. It requires a fine balance of hard and soft skills, including the use of technology, processes, approaches and people management. These are all important elements which contribute to a well-handled incident.

My interest and passion in these factors motivate me to improve and explore the different technology/practices in the cybersecurity field.

What has been the most impactful project of your career?

As an engineer assigned to one of the public healthcare clusters, I have worked with the project team from Central IHiS HQ to deploy various security infrastructure services to the institution. One of the more memorable projects was the deployment of the Healthcare VPN (HVPN) where institution users were migrated to a Centralised VPN platform.

While the readiness of the new back-end infrastructure was taken care of by the central project team, the local team at the institution was responsible for the front-end preparation work, including ensuring seamless user on-boarding and migration experience.

As a reminder of the adage, “if it isn’t broken, don’t fix it”, people have a tendency to stay in their comfort zone and question the need for change. The challenge was to motivate institution users that the new HVPN platform offered better security compared to the original VPN platform.

During the roll-out period, a lot of efforts were dedicated to convince users to get on-board the new platform as part of change management. As with all changes, some users require convincing and further explanation. The efforts paid off eventually and my team managed to increase the take-up rate and eventually fully migrated all users to the new HVPN.

Being in the cybersecurity field is not always all glamorous and full of excitement like what we see in movies. Sometimes the work can be mundane but the satisfaction that comes with accomplishing the job and keeping the systems safe gets me going, especially when the users now appreciate why the change was needed.

What challenges would you like to take on in the next year?

Being relatively new to my current role, my focus is to hone my expertise in security assessment in a complex and multi-faceted environment. To produce thorough and holistic security assessments is a test of an individual’s mettle. It requires time and tenacity to gather substantial information about the system from stakeholders, and perseverance to navigate the web of policies, processes and organisation structure.

To enhance the cybersecurity institutional knowledge of my team members, I hope to embark on developing a set of standard operation procedures and rules of engagement that will help simplify and internalise our security assessment processes. Personally, I am looking to develop “digital” or left brain thinking to help me approach security assessment in a systematic and analytical manner. For instance, by proactively engaging stakeholders early in the process and assessing the security risks objectively would result in a balanced assessment that would help ease the education and deployment processes.

Who or what inspired you this year, and why?

Being in a team with good camaraderie, and working under a leader who is competent and fights together with his staff inspires me. I am happy to be a part of such a good team. Being with supportive colleagues is always a morale booster when the going gets tough!

What advice would you give to women looking to start a career in cybersecurity?

Go for it!

It is definitely not a gender-specific career as there are multiple domains in this field to explore. If you have an interest in this field, start off by building strong security fundamentals and principles. Cybersecurity is not all about technical know-how.

To be successful, it is important to build on your soft skills e.g. the ability to articulate and sell your ideas. Not everybody understands technical jargon. You need to convince your users to adopt your proposal of the new security technology in simple terms that they can appreciate.

To have a feel on what is available in this field, try looking at the short courses provided by WDA (Singapore Workforce Development Agency).

If you could sum up your life motto in one sentence, what would it be?

Aim to do the right thing and persevere!