COI Report – Part VII Page 224 of 425

673. The nine Additional Recommendations relate to the specific issues raised in the course of this Inquiry, including technical, organisational, training, and process-related issues. The measures, which are similarly aimed at uplifting the cybersecurity posture of SingHealth and IHiS, must be implemented or seriously considered.

674. Collectively, the 16 recommendations serve to (i) build a culture of security, (ii) secure particular aspects of the system, (iii) improve incident response capabilities, (iv) improve post-incident recovery capabilities, and (v) promote collective security.

675. All 16 recommendations are made in respect of TORs #3 and #4, and apply equally to TOR #5.[45] In this regard, the experts confirmed to the Committee that their recommendations were not limited to IHiS or SingHealth and were applicable generally to all organisations responsible for large databases of personal data. Some of the recommendations also relate to enhanced measures for CII systems (i.e. recommendations #2, #4, #7, and #8).

676. How the recommendations should be adopted in practice by organisations responsible for large databases of personal data will depend on the existing policies, processes and personnel in each of these organisations.

677. Cybersecurity threats are constantly evolving, and will continue to increase in sophistication, intensity, and scale. Accordingly, while implementing the recommendations is a necessary and vital first step, organisations must constantly renew, review, and refresh their security structures, technology, and readiness.

[45] TOR #5 reads: “In light of the cybersecurity attack and the findings above, recommend measures to reduce the risk of such cybersecurity attacks on public sector IT systems which contain large databases of personal data, including in the other public healthcare clusters.”