Executive Summary iv
included letters, telephone hotlines, and various online channels. In total,
SingHealth intended to contact 2.16 million patients. At the time of the Inquiry,
2.9% of the patients could not be contacted despite SingHealth’s efforts.
II.
Key findings of the Committee
14. The Committee has made numerous findings in respect of TORs #1 and
#2. From these findings, the Committee has identified five Key Findings.
Key Finding #1: IHiS staff did not have adequate levels of cybersecurity
awareness, training, and resources to appreciate the security implications
of their findings and to respond effectively to the attack
A number of IHiS’ IT administrators are commended by the Committee for their vigilance in noticing suspicious activity, such as unauthorised logins to the Citrix servers, suspicious attempts at logging into the SCM database, presence of unauthorised software, and suspicious queries being run on the SCM database. However, these same IT administrators could not fully appreciate the security implications of their findings, and were unable to co-relate these findings with the tactics, techniques, and procedures (“TTPs”) of an advanced cyber attacker. They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA. There was also no incident reporting framework in place for the IT administrators. Members of the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management were similarly unable to fully appreciate the security implications of the findings.
Executive Summary vb Key Finding #2: Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, orb btimely action, resulting in missed opportunities to prevent the stealing and Share with your friends: |
