Table of contents exchange of letters with the minister executive summary



Date: 27.11.2023
Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 362 of 425

1049. IHiS and the PHIs have valid concerns that the implementation of 2FA will be burdensome and may slow down or otherwise negatively impact the provision of healthcare services. Vivek recognises that there may be challenges in patient care and/or other operational impact with the implementation of 2FA on corporate user accounts. 2FA is also not foolproof: there are vulnerabilities in the 2FA platform itself which can be exploited, and it needs to be “monitored with a hawk eye”.
1050. Nevertheless, given the importance of security and the effectiveness of 2FA as a security control, it should still be implemented where patient safety is not affected. For example, while the emergency room may not be an appropriate place for 2FA, 2FA might be implementable in normal wards. As Vivek and Gen. Alexander have noted, depending on the exact solution chosen, the disruption to existing workflows can be minimised to a large extent.
1051. IHiS and the PHIs should very carefully consider which roles must be exempted from the requirements of 2FA. Security cannot be sacrificed simply for the sake of expediency and convenience. Any exception to the normal 2FA policy creates a weakness that can be exploited. Vivek gave the example of a company where just 13 out of 45,000 users were not required to use 2FA, and an attacker managed to locate their identities and use their accounts to break into the system. The Cyber Attack cannot be viewed as a one-off. The number of breach incidents in healthcare continues to grow, about 10 percent each year according to Symantec.[95] Taken together, it is clear that cyber attacks pose a clear and present danger to PHIs, and it would be foolhardy to forgo security simply for the sake of convenience.
1052. 2FA should thus be implemented for PHIs. The Committee notes the MOH family’s concerns that the implementation of 2FA on corporate user accounts will pose patient safety issues. An independent study should be carried out on the jurisdictions that have successfully implemented 2FA for PHIs, to
[95] Symantec 2018 Internet Security Threat Report – Executive Summary for Healthcare Professionals.


