COI Report – Part VII Page 401 of 425

communication of potential threat situations should be by way of reference to real-world examples that are easy to absorb; the message must be by way of narrative, and not simply an abstract concept.

1165. When deciding on what playbooks should be developed, IHiS should consider the types of incidents that are likely to occur, based on an understanding and evaluation of the relevant risks. The existing IHiS playbooks as at June/July 2018 were geared more towards conventional attacks, including ransomware and website defacement. There was no APT playbook. However, IHiS clearly already had some visibility in this area, as the Cybersecurity Threat Assessment for the Healthcare Sector, presented by Kim Chuan to the IHiS Audit and Risk Committee on 5 June 2018, does specifically highlight APTs as a threat to PHIs. Furthermore, the cybersecurity exercises conducted in March 2017 and March 2018 featured APTs as one of the threat scenarios. IHiS should continue to proactively monitor the evolving threat landscape and craft playbooks accordingly. These playbooks should be forward-looking, and should not simply cover areas of past significance.

49.2 The incident response plan must clearly state that an attempt to compromise a system is a reportable security incident

1166. It is absolutely crucial that an unambiguous and easily understandable definition of the term "security incident" is adopted uniformly across all security documents (including the general IR, and any IR SOPs for security personnel). This is to prevent confusion and to facilitate ease of reporting. It must also be made crystal clear that suspicious attempts to access IT systems are reportable security incidents.

1167. A key stumbling block in the case of the Cyber Attack was that different personnel held different views as to the definition of a security incident, and consequently, reporting was delayed:

a) Benjamin knew that the definition of a security incident included attempts to compromise a CII.