Meet GI's Cybersecurity Champion: Leonard Ong, Director, Sector Governance - Risk & Sector Governance, Synapxe, Singapore
By Si Ying Thian
Leonard Ong shares his journey as a public sector cybersecurity champion in Synapxe, the national healthtech agency in Singapore.
Meet public sector Cybersecurity Champion, Leonard Ong. Image: Synapxe.
This interview is part of GovInsider's inaugural Cybersecurity Champions report featuring public sector cybersecurity officials around the world.
Please give a brief description of your job function as a cybersecurity professional, as well as what your organisation does.
As the Director for Sector Governance in Risk & Sector Governance (RSG) for Singapore’s national HealthTech agency Synapxe, I lead several key areas covering the public healthcare sector.
This includes Policy, Control and Compliance; Governance and Data Protection; Capability Development and Readiness; and Enterprise Risk Management and GRC System.
My team collaborates closely with various key stakeholders across Singapore’s Ministry of Health (MOH), Cyber Security Agency (CSA), Health Science Authority (HSA), public healthcare institutions and the industry ecosystem, to increase cyber risk posture and maturity, drive efficiency and enable innovations in the sector.
For example, in 2024, the Cyber Security Labelling Scheme for Medical Device [CLS(MD)] was formally launched during the Singapore International Cyber Week. This “first-in-the-world” multi-levelled CLS(MD) seeks to improve medical device security by incentivising manufacturers to adopt a security-by-design approach.
It will enable consumers and healthcare providers to make more informed decisions about the security of such devices prior to purchase and usage.
What kind of cyber threats does your organisation face on a regular basis?
Generally, the healthcare sector has been one of the most targeted sectors, if not the most targeted, in recent years.
Healthcare organisations worldwide are facing similar threats that have been widely reported in recent incidents, such as sophisticated phishing campaigns, ransomware, targeted social engineering, and attempts to exploit vulnerabilities in their systems.
The sensitive and valuable nature of healthcare data makes it a prime target for the threat actors, but together, we can strengthen our defences and protect our sector.
In your view, what are the biggest threats and challenges (be it in the network layer, and/or in areas such as scams, phishing and identity theft) in the public sector cybersecurity scene globally?
Globally, the healthcare sector faces significant threats from increasingly sophisticated, AI-driven cyberattacks like advanced phishing techniques, impersonation, ransomware targeting essential services, and supply chain vulnerabilities.
Challenges include dealing with legacy infrastructure that is inherently vulnerable, budgetary constraints that limit cybersecurity investments, and an expanding digital landscape that broadens the attack surface.
Additionally, balancing robust cybersecurity with the delivery of seamless population-centric digital health services adds complexity to governance and risk management practices.
Many say that we are entering an age of AI-driven cyberwarfare where both hackers and cybersecurity professionals use AI tools for attack and defence. What is your view?
We are undoubtedly entering an era where AI significantly influences both cybersecurity threats and defences.
Adversaries increasingly leverage AI to automate and amplify their attacks through sophisticated deepfake campaigns and the rapid exploitation of vulnerabilities.
Conversely, defenders are harnessing AI for enhanced threat detection, predictive analytics, and automated response.
This dynamic creates a perpetual race that necessitates continual innovation, transparent, ethical use of AI tools, and robust defences that can adapt and respond swiftly.
An often-repeated point in the cybersecurity sector is what your Plan B is after your network is breached. Can you share your point of view on this aspect?
Having a well-articulated post-breach recovery plan is as crucial as preventive measures.
Effective cybersecurity requires acknowledging that breaches are possible, and therefore, planning for resilience is paramount.
A good approach involves rapid containment measures, eradication, detailed investigations, structured recovery operations, transparent stakeholder communications, and capturing actionable lessons learned.
Regular simulations, tabletop exercises, and drills are essential for testing and refining these plans, ensuring the resilience and continuity of critical services.
If your organisation gave you an unlimited budget for cyber defence, what would you spend it on?
In reality, public healthcare organisations will never have an unlimited cybersecurity budget. Hence, it is imperative to ensure the prudent and strategic use of resources.
Even if budget constraints were not a concern, our priorities would still focus on critical areas that provide the highest return on investment. This includes:
- Modernising healthcare systems to reduce vulnerabilities
- Enhancing AI-driven threat detection and response capabilities
- Strengthening cyber readiness through realistic red-teaming exercises and robust cyber range training environments
- Promoting cybersecurity workforce development, education, and awareness initiatives
- Ensuring that secure-by-design principles are embedded across all new technology implementations
Ultimately, responsible and targeted investment in cybersecurity protects public trust and enhances the resilience of critical healthcare services.
The lack of qualified cybersecurity professionals is a global problem. How do you think this can be overcome?
The global shortage in cybersecurity talent calls for a multifaceted strategy which includes:
- Integrating cybersecurity education and awareness initiatives early on in schools
- Implementing robust reskilling programmes aimed at mid-career professionals transitioning into cybersecurity roles
- Promoting diversity by encouraging individuals from various backgrounds, including technology, communications, and analytics
- Expanding internship programmes, mentorship opportunities, and continuous professional development through pre-defined skill pathways
- Creating inclusive, adaptive, and supportive learning environments to cultivate and sustain a capable cybersecurity workforce
- Continuously investing in upskilling and reskilling while collaborating with service providers to complement our needs
- Automating work to allow the workforce to focus on higher-value activities.
If you had a chance to restart your career from scratch, would you still want to be a cybersecurity professional and why?
I would undoubtedly choose the same field again. In this era of Industry 4.0 (the Fourth Industrial Revolution), cybersecurity is essential in enabling digital transformation and preserving digital trust.
This makes the profession incredibly rewarding and purpose-driven, which I deeply value and enjoy.
Having worked in the healthcare sector for over a decade, I find fulfilment in knowing that we can make a difference by improving health outcomes through better and more modern healthcare services.
