Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 365 of 425 44.5 Controls must be put in place to better protect against the risk of data exfiltration 1058. In many cases, victims of cyber attacks are not aware that the sensitive data is leaving their systems because their data outflows are not monitored. The movement of data across network boundaries must be carefully scrutinised to minimise its exposure to attackers. 1059. CSA’s analysis of the network logs revealed that the main bulk of the traffic between SingHealth’s network and a malicious IP address was from Workstation A between 27 June to 4 July 2018. 1060. This unusual network activity went undetected until after 10 July 2018. Typical use of workstations does not involve the uploading to the internet of anywhere near as large quantities of data, and constituted a clear red flag that could have been detected, had the right controls been in place at the time. 1061. The Committee accepts CSA’s recommendation that a Data Loss Prevention (“DLP”) solution should be implemented to prevent such occurrences in future. DLP solutions detect potential data breaches/data exfiltration transmissions and prevent them by monitoring, detecting and blocking sensitive data while in-motion. DLP helps to prevent end users from sending sensitive or critical information out of the corporate network. 1062. Alerts and/or blocking can beset based on either the volume of data being sent out, or the content. It is possible, for example, to prevent data from being transferred out of the network or even out of endpoints. DLP solutions typically have a degree of machine learning capability and are able to, in conjunction with the rules set manually, determine what constitutes unusual activity and block it, or trigger alerts to relevant personnel fora response. DLP solutions are already used widely among many enterprises. 1063. The Committee notes the MOH family’s concerns about the effectiveness of DLP solutions in the healthcare context, where most parts of its IT network
