Debate Details
- Date: 22 November 2023
- Parliament: 14
- Session: 2
- Sitting: 117
- Topic: Written Answers to Questions
- Question theme: Average number of cyberattacks on public healthcare institutions annually
- Keywords: healthcare, average, public, institutions, number, cyberattacks, annually, (reference to “Kung” as the Member of Parliament)
What Was This Debate About?
This parliamentary record concerns a written answer to a question about the average number of cyberattacks affecting public healthcare institutions in Singapore, and what protective measures are in place. The exchange is framed around operational cybersecurity metrics—such as the volume of malicious communications and the scale of attempts to circumvent perimeter defenses—rather than a narrative of individual incidents. In the excerpt provided, the Minister (Mr Ong Ye Kung) refers to the cybersecurity posture of Synapxe, a system used to support healthcare data and related services, and describes how it handles malicious traffic.
In legislative and regulatory context, the question matters because public healthcare institutions sit at the intersection of essential public services and high-value digital infrastructure. Cyberattacks in this sector can disrupt patient care, compromise sensitive personal data, and undermine trust in public systems. The written answer also situates healthcare cybersecurity within Singapore’s broader statutory framework, including regulation under the Cybersecurity Act for Critical Information Infrastructure (CII). The debate thus functions as a form of “legislative intent” signal: it shows how the Government understands the scope of the Cybersecurity Act’s regulatory regime and how it applies to healthcare.
What Were the Key Points Raised?
First, the written answer provides quantitative indicators of cyber threat activity. The excerpt states that Synapxe “receives and blocks an average of 3,000 malicious emails per day” and that it sees “1.7 million attempts to bypass Internet-facing firewalls per month.” These figures are important for legal research because they demonstrate the Government’s approach to measuring cybersecurity risk: rather than only counting successful breaches, it highlights the volume of hostile attempts and the defensive controls that prevent them from reaching internal systems.
Second, the answer links the healthcare sector’s cybersecurity obligations to the concept of Critical Information Infrastructure. The Minister notes that “critical information infrastructure in the healthcare sector are regulated under the Cybersecurity Act.” This is a key interpretive point. For lawyers, it indicates that the Government treats certain healthcare systems as falling within the statutory category of CII—triggering compliance duties under the Act. While the excerpt does not list every duty, the reference to the Act signals that the regulatory framework is not merely aspirational; it is operational and enforceable.
Third, the answer describes a defence-in-depth approach (“We adopt a layered…”). Although the excerpt truncates before the full explanation, the phrase is legally and policy-relevant. It suggests that the Government’s cybersecurity strategy relies on multiple layers of controls—such as email filtering, firewalling, and other technical and organisational measures—rather than a single perimeter defence. For statutory interpretation, this matters because it informs how the Government reads the Cybersecurity Act’s purpose: the Act is implemented through layered risk management and technical safeguards, consistent with the idea that cybersecurity is a continuous process.
Fourth, the written answer implicitly addresses the relationship between public accountability and operational security. By providing high-level averages and defensive metrics, the Government communicates the scale of threat activity without necessarily disclosing sensitive details that could aid attackers. This balance is relevant to legal research on how regulators communicate compliance and risk information, and how they might interpret confidentiality or security-sensitive exemptions when responding to parliamentary questions.
What Was the Government's Position?
The Government’s position, as reflected in the written answer, is that public healthcare cybersecurity is managed through a combination of (i) measurable defensive operations (e.g., blocking malicious emails and thwarting firewall bypass attempts) and (ii) a statutory regulatory framework under the Cybersecurity Act for systems classified as Critical Information Infrastructure. By stating that healthcare CII is regulated under the Act, the Government indicates that compliance is grounded in law, not only in voluntary best practices.
Additionally, the Government emphasises that cybersecurity is approached through layered controls. This indicates that the Government views the threat environment as persistent and high-volume, and therefore expects institutions to implement multiple safeguards and monitoring mechanisms to reduce both the likelihood and impact of cyber incidents.
Why Are These Proceedings Important for Legal Research?
Although this record is a written answer rather than a full oral debate, it remains valuable for legal research because it can be used to understand legislative intent and administrative interpretation. Courts and practitioners often look to parliamentary materials to clarify how the Government understands statutory terms, the scope of regulatory obligations, and the policy rationale behind legislation. Here, the Minister’s reference to healthcare CII being regulated under the Cybersecurity Act helps confirm that the statutory regime is intended to cover critical healthcare systems.
For lawyers advising healthcare operators, the record supports an interpretive narrative: the Cybersecurity Act’s application to healthcare is not hypothetical. The Government’s mention of Synapxe’s defensive metrics illustrates the kinds of operational measures that may be expected in practice—particularly controls that prevent common attack vectors (such as malicious email and attempts to bypass internet-facing firewalls). While the excerpt does not specify which exact compliance obligations were triggered, it provides context for how regulators may evaluate whether institutions are implementing “layered” cybersecurity measures consistent with statutory objectives.
From a statutory interpretation perspective, the record also helps identify the policy purpose behind cybersecurity regulation in essential services. The Government’s framing—highlighting the volume of malicious activity and the existence of regulatory oversight—supports an argument that Parliament intended the Cybersecurity Act to address real-world threats affecting critical sectors. This can be relevant in disputes about compliance standards, the meaning of “critical information infrastructure,” and the reasonableness of regulatory expectations. Practically, it may also inform how institutions document risk assessments, incident prevention measures, and the effectiveness of technical controls.
Finally, the record is useful for understanding how the Government communicates cybersecurity information to Parliament. The use of averages and defensive statistics suggests a method of reporting that balances transparency with security. That communication approach can matter in legal contexts involving disclosure obligations, confidentiality, and the interpretation of what information is appropriate to share publicly while still demonstrating accountability.
This article summarises parliamentary proceedings for legal research and educational purposes. It does not constitute an official record.