Speech at Panel on Information Technology and Broadcasting

Capital Works Reserve Fund Head 710 Computerization Subhead A007GX (Block Allocation) – New administrative computer systems

Cyber and system security

Noting that the Immunization Record System (“IRS”) under the Clinical Information Management System of the Department of Health (“DH”) was hacked in August 2016 and the hackers intruded into over 16 000 temporary files, Mr CHAN Chun-ying expressed concern over the lack of projects to be initiated in 2017-2018 for improving the security measures of IRS and enquired about measures to be taken by the Administration to prevent further hacking of this type of system. Referring to the report issued by the Hong Kong Computer Emergency Response Team Coordination Centre (“HKCERT”) on the number of hacking incidents into local servers per quarter, Mr CHAN enquired about the interval at which the Administration would review the reliability of its system security measures, and about the security risk level of the Government computer systems compared with that of systems used by private institutions, for example, banks.

DGCIO advised that IRS was an existing system under DH which was being maintained and improved using the department’s own financial resources. OGCIO had been in close contact with DH on the hacking incident to improve system security. For example, DH was advised to store patients’ data on the Government intranet instead of on its own external server. DGCIO supplemented that system security measures were monitored daily by the Government and that the security risk level of the Government computer systems was not high, as indicated in, for example, the reports on ransomware by Kaspersky Lab and Symantec Corporation in 2016. If B/Ds suspected that they were being or had been attacked by ransomware, they should immediately report the incident to OGCIO for assistance. The security risk level of the Government computer systems was comparable to that of banks.