COI Report – Part VII, Page 270 of 425

38.1 The level of cyber hygiene among users must continue to be improved

786. Organisations cannot focus only on external cybersecurity threats; they must also focus on the role their employees may play in exposing vulnerabilities from within.
787. Despite efforts in cyber training and literacy, employees continue to engage in risky cyber behaviour.
As aptly stated by CE, CSA:

The Clusters and IHiS must continue to improve the level of cyber hygiene among all front-end users – doctors, nurses, pharmacists and administrators – in the public healthcare clusters. Front-end users are often the weakest link in cybersecurity. Increasingly sophisticated social engineering techniques, combined with human error, give threat actors the means to establish their initial footholds onto a network. The vast majority of cyber-attacks are not that technically sophisticated, and can be averted by raising the basic level of cyber hygiene throughout the organisation. Promulgating basic security practices, such as the use of strong passwords and being able to spot signs of phishing, can greatly improve the level of cybersecurity in an organisation.

788. Empowering people with good cyber defence habits can significantly increase readiness. It is not just IT staff who need to practise good cyber hygiene habits; it is a responsibility that falls on everyone in an organisation.
789. IHiS’ and SingHealth’s efforts in training their staff in this area can be summarised as follows:

a) Efforts in relation to SingHealth staff

(i) IT security training conducted by IHiS for all new staff, staff newly promoted to managerial level, as well as junior doctors, trainees and personnel on attachment;

(ii) Security alerts from IHiS’ IT security team through email broadcasts to all staff (e.g. alerts on the ransomware attack on the National Health Service in the United Kingdom, and seasonal threats such as malware infection via e-greeting cards during festive periods);

(iii) Memos from management on significant cybersecurity risks and incidents;

(iv) Talks by IHiS’ IT security team and external experts at town halls and healthcare conferences organised by SingHealth; and

(v) Phishing exercises conducted by IHiS on all SingHealth staff to create awareness and promote vigilance. These phishing exercises have been conducted regularly every year since 2015, and according to SingHealth, the proportion of staff who responded to the test phishing emails decreased significantly from 14% in the first exercise to in the most recent exercise in 2018. Staff who responded to phishing emails twice or more are also given additional attention. They are requested to attend IT security briefings to become more aware of the risks, and in the recent exercise in February 2018, such staff also received a formal letter, with a copy to their direct report, signed off by both SingHealth GCIO Benedict and Dy GCEO Prof. Kenneth, to strongly remind them of the need for vigilance.
IHiS’ efforts in relation to their own staff