COI Report – Part IV Page 179 of 425

SingHealth), informing him that suspicious activities were detected on the SCM database, but that he was not very sure of the details. Prof. Kenneth asked if the matter was serious, and if they should report the matter to MOH. Benedict replied that it was too early to decide if there was a need to report to MOH. Benedict also stated that he had already informed Bruce, that they were working hard to find out more, and that he would give Prof. Kenneth and Prof. Ivy an update the next day. In view of Benedict’s reply, Prof. Kenneth did not inform Prof. Ivy of the incident that night.

28.6 Assessment of IHiS’ incident response on 9 July 2018

569. The Committee is troubled by the fact, having regard to paragraph 560 above, that even senior members of IHiS’ management, such as Serena and Clarence, did not fully appreciate that there was a security incident and breach of the SCM system, even though the facts they were provided with relating to the events of June and July 2018 would have provided strong indications that they were facing an attack by an APT. Their decision to escalate the matter to Benedict was seen as over communicating (on the part of Serena), and tentative (on the part of Clarence, who had a few possibilities in mind and did not have a firm view). This indicates that the lack of training and security awareness observed by this Committee earlier in respect of the IT administrators was also present in the more senior members of IHiS’ management.

570. Nonetheless, the Committee does note that in spite of their doubts, Clarence and Serena did escalate the matter to Benedict swiftly. Likewise, Benedict immediately informed IHiS CEO Bruce and Kim Chuan, the Sector Lead point-of-contact for the healthcare sector, despite the fact that, in Benedict’s own words, information about the incident at that juncture “was still vague”.
This underscores the point, acknowledged by Benedict, that there is value in escalating potential incidents quickly to senior management, even as they are being investigated, so that the right judgment call can be made on how to respond to the incident. This was echoed by Vivek, when he explained that it is critical that incidents are reported to management so that management can “give marching orders and realign the troops, realign priorities and get everybody else working