Table of contents exchange of letters with the minister executive summary


User access to SCM and the SCM database



Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
7.3 User access to SCM and the SCM database
48. A SingHealth user would access the SCM system through a virtualised version of the SCM client application hosted on the Citrix servers located in the H-Cloud data centre (“HDC”). The Citrix servers operate as an intermediary between user workstations and the SCM security server. Citrix servers allow for application virtualisation as opposed to installing applications locally on client



COI Report – Part II
Page 19 of 425

workstations. This means that only screen images of the SCM application are viewed by users on the client workstation. There is no transactional data that flows directly between user workstations and the SCM servers – the only things passed from the Citrix Receiver installed on the workstation to the Citrix servers are the user’s keystrokes and mouse clicks.
49. When a user launches the virtual SCM client application, the user is required to enter user credentials to login to SCM. The user credentials are then sent through a Citrix server to the SCM security server for authentication. Upon successful authentication, the user will be logged into the SCM system and can access the SCM database with permissions based on the role that the user is associated with.
50. A simplified illustration of the user authentication process is as follows:
Figure 3: SingHealth user authentication process to access the SCM Database
51. The SCM allows for the creation of roles in the SCM system (e.g. doctor role, nurse role). Permissions can be set for each role, allowing that particular role access to specific functions and data. For example, when attending to a patient, a nurse assigned the nurse role may be allowed to retrieve that patient’s records from the SCM database via the SCM client, but may not be allowed to order a lab test or medication for that patient.
52. The SCM application supports the tagging of Very Important Persons (“VIPs”) within its system. For these tagged patients, only selected users are allowed access to the medical records. Even when an authorised user seeks to access a VIP’s visit record, a prompt will be displayed for the user to enter the reason for the access before he/she can proceed to view the record. All instances of access to VIP records are logged and an alert is generated daily to both the user and the hospital’s Chief of Medical Board (“CMB”) via email. The user is required to validate his/her access in response to the alert email. If more than a set number of records are accessed at the same time, an alert would be sent to the IHiS security team, and the cluster IT and Operations teams.
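The two alerting rules in paragraph 52 (a daily digest per user for validation, and a bulk-access alert to the security team) can be sketched as follows. This is an added example, not code from the report or from SCM; the log layout, user names, threshold of 3 and 5-minute window are assumptions, since the report gives only "a set number" accessed "at the same time".

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values: the report says only "a set number" accessed "at the same time".
BULK_THRESHOLD = 3
WINDOW = timedelta(minutes=5)

# Constructed VIP-access log rows: (timestamp, user, VIP record id, stated reason).
LOG = [
    ("2024-01-15 09:00:10", "nurse_a", "VIP-001", "medication round"),
    ("2024-01-15 14:30:00", "doctor_b", "VIP-002", "referral review"),
    ("2024-01-15 23:10:00", "doctor_c", "VIP-001", "follow-up"),
    ("2024-01-15 23:10:40", "doctor_c", "VIP-002", "follow-up"),
    ("2024-01-15 23:11:30", "doctor_c", "VIP-003", "follow-up"),
    ("2024-01-15 23:12:05", "doctor_c", "VIP-004", "follow-up"),
    ("2024-01-16 08:15:00", "nurse_a", "VIP-001", "medication round"),
]

def parse(rows):
    """Turn raw rows into (datetime, user, record, reason) tuples sorted by time."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, r, why)
                  for ts, u, r, why in rows)

def daily_digests(events):
    """One digest per (day, user): emailed to the user and the CMB for validation."""
    digests = defaultdict(list)
    for ts, user, record, reason in events:
        digests[(ts.date().isoformat(), user)].append((record, reason))
    return dict(digests)

def bulk_alerts(events):
    """Users who opened more than BULK_THRESHOLD distinct VIP records within WINDOW."""
    per_user = defaultdict(list)
    for ts, user, record, _ in events:
        per_user[user].append((ts, record))
    alerts = {}
    for user, hits in per_user.items():
        for start, _ in hits:  # slide the window over each access by this user
            seen = {rec for ts, rec in hits if start <= ts < start + WINDOW}
            if len(seen) > BULK_THRESHOLD:
                alerts[user] = max(alerts.get(user, 0), len(seen))
    return alerts  # routed to the security team and the IT/Operations teams

if __name__ == "__main__":
    events = parse(LOG)
    for (day, user), items in daily_digests(events).items():
        print(f"{day} digest -> {user}, CMB: {[r for r, _ in items]}")
    for user, count in bulk_alerts(events).items():
        print(f"BULK ALERT {user}: {count} VIP records within {WINDOW}")
```

Both rules read only what the SCM application itself logs, so they see access made through the SCM client and nothing that reaches the database by another path.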
53. The SCM client does not have any functionality which allows for the bulk retrieval of records from the SCM database. There are reporting functions which allow users to print, download, or export data into Microsoft Excel. Reporting tools or custom applications would be used for generating such reports.
