Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part III Page 92 of 425

Audit Report was sent to Bruce and members of IHiS’ and SingHealth’s senior management. The understanding given at the SingHealth Audit Committee and IHiS’ Audit Risk Committee meetings was also that these audit items had been resolved. No questions were raised at any level about the adequacy of the measures taken. Likewise, no major questions were raised at any level about the adequacy of any other measure which the management of the IHiS Infrastructure Services Division had proposed for the purposes of addressing the other audit findings.

276. As a result, from May 2017 to the time of the attack, organisationally, IHiS and SingHealth held the mistaken belief that some of the audit items had been adequately resolved, and that the remaining items would likewise be adequately resolved. As the findings above show, this was not the case.

277. It also bears mention that similar vulnerabilities were surfaced in further penetration tests conducted by the GIA in FY at three local sites. The IT systems of these three sites are managed by IHiS as well. The repeated findings of similar weaknesses are particularly concerning given that these penetration tests were conducted in FY, after the findings of the FY H-Cloud Pen-Test were published. Evidently, the lessons learnt were not applied.

278. In sum, the internal audit discovered a number of vulnerabilities in the SingHealth network, and several of these vulnerabilities were present during the Cyber Attack, as IHiS had failed to properly implement adequate remediation measures. CSA found that these vulnerabilities could have been exploited by the attacker, and also noted that these were not necessarily the vulnerabilities exploited, given that the attacker could have achieved its ends through other means as well. Nevertheless, the fact remains that the failure to properly remediate these vulnerabilities gave the attacker these additional opportunities through which it could compromise the SingHealth network. The failure to remediate likely made the attacker’s path through the SingHealth network to its ultimate objective, the SCM database, easier.