COI Report – Part VII
Page 421 of 425

51 RECOMMENDATION #16: A POST-BREACH INDEPENDENT FORENSIC REVIEW OF THE NETWORK, ALL ENDPOINTS, AND THE SCM SYSTEM SHOULD BE CONSIDERED

#VIGILANCE GOVERNANCE

1211. An important post-breach action is that of ensuring that the threat is eradicated – completely. This means that all breach points must be identified and all attack traces/artefacts must be removed.[120] This includes malware, spyware or any other types of software. This exercise can be complex, lengthy and may require the work of outside experts.[121] Accordingly, IHiS should consider conducting an independent review of the SingHealth network, all endpoints and the SCM system.

1212. Over the course of the Inquiry, concerns were raised on whether the SingHealth network was clean post-breach. The concern is a real and urgent one because in the short-term, IHiS will be proceeding with a pilot deployment of their remote-browser solution for internet access at one PHI and in the long-term, the ISS temporarily in place now may be lifted. If the attacker is still in the network, it will spring to life when the system goes online.

1213. On whether the SingHealth network is clean, CSA’s evidence is that the network has been scanned and cleared of the malware or indicators of compromise (“IOCs”) that were discovered through the course of investigation. CSA has pointed to the following measures:

a) All Citrix servers have been reloaded with a clean image on 14 and 15 July 2018; and

[120] Alexander Ellrodt, “If a Breach Happens – An Action Plan for Response and Damage Containment” in Managing Cybersecurity Risk at p.
[121] Ibid.