Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 394 of 425

inconveniences, workarounds, but nothing too major. I think we've continued to be able to deliver the care to patients that we need to. In the long run, Dr Yip’s evidence is that there is nothing in MOH’s healthcare transformation strategy that will be affected by ISS, provided that sufficient time, money, and effort are expanded to find workarounds.
1145. The real issue is how optimal these workarounds are. Dr Yip testified that the workarounds have come at the price of increased time and costs, loss in productivity and new risks, and in the long-term, may have adverse impacts, including manpower constraints and lower staff morale. We recognise these challenges, and note that the healthcare sector will have to balance this challenge against the cybersecurity risks.
48.3 Benefits and drawbacks of internet isolation technology
48.3.1 Benefits
1146. The experts were of the view that if the internet is required for operational purposes, IIT, such as VB or RB, should be implemented. IIT isolates and executes all internet content in a secure browser located in a sandbox instead of on the host machine, which eliminates the risk of malware infection on the organisation's workstations and network. Risks of phishing are contained, as phishing sites are prevented from delivering malware and harvesting private information. Further, even if the IIT platform is compromised, it can be easily restored to its last known proper configuration, which will prevent malware from spreading further; the compromised platform can also be used for intelligence gathering.
1147. When IHiS did a proof of concept of a RB solution, it found that this would be effective and viable as a secure internet access platform. RB is a purpose-built solution for organisations to securely access the internet using the concept of virtualisation.




1148. Dr Yip's evidence is that if VB or RB were implemented instead of ISS, this would go a very long way in helping clinicians do their work, depending on how the solution is deployed. Dr Yip noted that there are several permutations to how the solution could be operationalised, for instance: (a) VB or RB could be deployed on either the same device or a different device from the one clinicians use to access the EMR; and (b) the content allowed in VB or RB has to be calibrated.
48.3.2 Drawbacks
1149. IIT is arguably less secure than ISS. CSA's view is that while the remote browser solution does mitigate some of the risks of internet surfing, there are still risks that ISS mitigates and that the RB solution does not. Whether there are any residual risks, and what these risks are, will depend on how the product implements the solution. If VB or RB is implemented, there will need to be careful consideration as to which product is chosen and how that particular product is calibrated.
48.3.3 Mitigating controls to address the residual risks
1150. As explained above, ISS prevents an attacker from gaining direct access into the CII systems that are providing essential services – it provides a high degree of security. At the same time, the evidence of MOH representative Dr Yip highlights the potential drawbacks – increased time and costs, lost productivity and new risks. If, ultimately, the considered decision taken is to implement VB or RB instead of ISS, the healthcare sector must ensure that the residual risks of not implementing ISS are adequately addressed by strong mitigating controls. One mitigating control that was put in place before the Cyber Attack was internet whitelisting. Another mitigating control, the ATP solution, was in the process of being deployed before the Cyber Attack. The containment measures implemented by IHiS after the Cyber Attack may also go some way towards addressing the residual risks. These should be augmented with the other recommendations listed in this Part, which the healthcare sector should carefully study.


