Meet GI's Cybersecurity Champion: Lee Chee Hwan, Deputy Director, SingHealth CISO Office, Singapore

This interview is part of GovInsider's inaugural Cybersecurity Champions report featuring public sector cybersecurity officials around the world.

Please give a brief description of your job function as a cybersecurity professional, as well as what your organisation does. 

The Cybersecurity Office oversees the cybersecurity programme for SingHealth, and our goal is to ensure the security and resilience of healthcare IT systems, medical technology and devices, and operational technology systems.

We also aim to strengthen cybersecurity awareness amongst our users, making sure that operational security processes across the different teams in SingHealth and our IT partner, Synapxe, are functioning properly. 

What kind of cyber threats does your organisation face on a regular basis? 

Many experts have identified the healthcare sector as one of the most targeted sectors by cybersecurity threat actors. This is because patient data is a highly valuable resource and the level of reliance on IT systems is very extensive amongst hospitals.  

Many of these threats have been successfully defended and neutralised through technical security measures and the vigilance and awareness of our staff. The skills and expertise of our IT partner, Synapxe, and their vendors have also contributed significantly.

These threats could easily have materialised into ransomware attacks leading to IT systems disruptions, theft of patient data and impact to business operations. Ransomware attacks are the top threat faced by healthcare organisations around the world today and has been so for the past five years or so.   

In your view, what are the biggest threats and challenges (be it in the network layer, and/or in areas such as scams, phishing and identity theft) in the public sector cybersecurity scene globally? 

Over the past few years, SingHealth, as part of the public healthcare family, has made significant investments to enhance and strengthen technical measures to protect against cyberattacks.

To subscribe to the GovInsider bulletin, click here. 

Despite these investments, one of the most challenging and difficult threats that we still need to be deal is from social engineering attacks via phishing emails and SMSes, due to its volume and fast evolving nature.

We are extremely mindful and cognizant that a single phishing link on an email could lead to a threat actor getting a foothold on our networks and thus lead to ransomware and other attacks.  

Many say that we are entering an age of AI-driven cyberwarfare where both hackers and cybersecurity professionals use AI tools for attack and defence. What is your view? 

Reports and expert opinions seem to indicate that AI tools have been increasingly used as a supplementary aid to threat actors in helping them carry out cyberattacks.

For example, using GenAI to help craft convincing phishing emails or to help develop scripts for carrying out port scans to identify vulnerabilities.   

But the positive side is that AI can also help strengthen cyber defenses, and many cybersecurity vendors have been working hard to include AI-assisted technology to help with cybersecurity detection, monitoring and response capabilities.

We expect this trend to continue and improve in the near and medium term.   

Cybersecurity is often described as a team sport whereby a network's vulnerability is often defined by its weakest link. In this context, how important is having a whole-of-government or whole-of-country cybersecurity posture? 

In cybersecurity, the attackers are often described as having an asymmetric advantage as they are able to pick their targets, time their attacks and have access to threat intelligence sharing amongst the threat actor community.  

Given the inherent disadvantage of defenders, it is therefore critical to adopt an united approach to cyber defence from all public healthcare institutions. Everyone has a part to play and every institution works as one to defend against threats.    

No one can guarantee that a cyberattack will not happen, but working together helps to reduce the risks, even from the weakest link.

In SingHealth, we place a lot of emphasis and focus on staff education and awareness efforts to ensure that everyone exercises vigilance and actively engages in safe cyber and data security practices.  

An often-repeated point in the cybersecurity sector is what your Plan B is after your network is breached. Can you share your point of view on this aspect? 

Defence, prevention and awareness are important in cyber defence. However, resilience and recovery are also equally important.    

A crucial part of any modern cybersecurity programme includes regular exercises to test readiness and resilience against cyberattacks.

The Plan B is to always be prepared that cyberattacks can and will occur, and to develop contingencies to deal with it, from crisis communications, to data and systems restoration processes, etc.   

If your organisation gave you an unlimited budget for cyber defence, what would you spend it on? 

In reality, there is no such thing as an unlimited budget, especially so in technology and cybersecurity. Regardless of the amount, all IT and cyber practitioners need to adopt a prudent, balanced and practical approach towards cyber defence spending.

The approach needs to be holistic, covering not just technical measures but also including training and awareness, as well as conducting of business continuity exercises to test and practice readiness and response.   

What brought you to this profession and what do you love the most in your job and what would you like to improve? 

I got into this profession by chance after starting in a consulting firm with zero background in cybersecurity. I enjoy meeting different people from various industries to understand their challenges, constraints and attitudes towards cybersecurity, which provides me an indication of how the nature cybersecurity can develop in the future.

I would like to improve the attitudes that many have about cybersecurity by correcting the misconception that cybersecurity is not only the responsibility of cybersecurity professionals but of everyone.  

The lack of qualified cybersecurity professionals is a global problem, how do you think this can be overcome? 

It’s a very complicated issue and we hope that with time, the situation will improve as the job market evolves and suitably skilled IT practitioners make the switch to the cybersecurity domain.

The Cyber Security Agency of Singapore has been working hard to deal with the cyber talent shortage, but it will still take a number of years before we see the results.   

In the meantime, as a public healthcare organization, SingHealth, together with our partner Synapxe, has invested in training to prepare and uplift staff who are keen to make the transition to cybersecurity. This is a win-win situation for both SingHealth and our staff.  

If you had a chance to restart your career from scratch, would you still want to be cybersecurity professional and why? 

Of course. Cybersecurity cuts across all skillsets and all domains, and with the ever-changing digital landscape and more organisations gearing towards digitalisation, it’s a non-stop learning journey!