Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 344 of 425

997. The way in which the risk assessments were conducted is unsatisfactory. There was no clear ownership over the identification and assessment of risks and risk controls. While Wee was put in charge of the process, the technical knowledge of the system being assessed resided within the IHiS Delivery Group, over whom Wee exercised no control or oversight. There was no SingHealth management line of sight over the process either, although the SCM system belonged to SingHealth. This resulted in cursory risk assessments, as well as stark errors in the completion of the risk assessment forms. For example, in the 2016 risk assessment, in respect of item 9 concerning threats of malicious software being introduced by the developer programmer, it was stated that the existing risk control included biannual vulnerability assessment and annual penetration testing and code review – which was, as accepted by Kim Chuan, clearly wrong, because there was no penetration testing or code review of the SCM application. This mistake was repeated in the 2017 risk assessment form.

998. It is also unclear if anyone was tracking the risk assessments. Under the Processes for Management of Critical Information Infrastructures (CII) Systems in Health Sector (“PMCII”) policy, CSG was supposed to be tracking the risk assessments of the CII in the healthcare sector, but CSG did not track the completion of the proposed action plans from the 2016 risk assessment, although Kim Chuan has stated that CSG is in the process of doing so for the 2017 risk assessment.

999. We recommend that IHiS/SingHealth set out a clear process and methodology for cybersecurity risk assessment, which should include:

a) How to identify the threats/risks that the system is subject to, and who is in charge of such identification.
For example, Kim Chuan has stated that for the conduct of risk assessments moving forward, there should be a look-back and identification of issues raised in internal audit reports or in other penetration test reports, which should then be taken into account when assessing the risk of a particular threat