Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 242 of 425

702. This was a security gap that should and could have been plugged. Instead, the evidence led showed that some senior staff were not even aware of the open network connection until after the Cyber Attack. This was a result of IHiS’ current practice of reviewing the network architecture only when there is “a major change in infrastructure or needs” – according to Leong Seng, the SCM migration to H-Cloud was not one such change. A more proactive approach, i.e. one that would have required a security review of the network following the migration, would likely have identified the gap and IHiS would have had the opportunity to address it in time. Woon Lan in her evidence has said that such a proactive approach is now being considered for the SingHealth network – she explained that she will be putting forth a plan whereby the SingHealth network will be reviewed annually and also reviewed each time there is any major upgrade or migration. It is recommended this proactive approach and plan for network review be enshrined in policy for all Clusters (i.e. in the HITSPS).

36.3 Cybersecurity must be viewed as a risk management issue, and not merely a technical issue – decisions should be deliberated at the appropriate management level, to balance the trade-offs between security, operational requirements and cost

703. Effective cybersecurity requires an “acceptance that [cybersecurity] is an organisation-wide problem, not just an IT problem”.⁵⁰ As with all high level business risks, cybersecurity should be managed at the senior level of leadership. In any organisation, cybersecurity requires balancing and trade-offs between security, operational requirements, cost and also patient safety in the case of the public healthcare sector. This requires judgment and accordingly, decisions need to be deliberated at the right level within the organisation – not the technical staff

⁵⁰ Mark Barmby, “Cybersecurity: Moving from Awareness to Understanding” in Managing Cybersecurity Risk (Jonathan Reuvid) (Legend Business Books, 2nd Ed, 2018) (“Managing Cybersecurity
