Executive Summary

C. RECOMMENDATIONS BY THE COMMITTEE

15. The Committee’s TORs also include recommending measures to (i) enhance the incident response plans for similar incidents (“TOR #3”); (ii) better protect SingHealth’s patient database system against similar cyber attacks (“TOR #4”); and (iii) reduce the risk of such cyber attacks on public sector IT systems which contain large databases of personal data, including in the other public healthcare clusters (“TOR #5”). The Committee’s recommendations on these TORs are set out in Part VII of the main report.
16. The Committee makes sixteen recommendations, comprising seven Priority Recommendations and nine Additional Recommendations, all of which have been explored and examined in great detail.
17. The seven Priority Recommendations include strategic and operational measures to uplift the cybersecurity posture of SingHealth and IHiS, and steps must be taken to implement these Priority Recommendations immediately. The nine Additional Recommendations relate to other specific concerns raised in the course of this Inquiry, including technical, organisational, training, and process-related issues. The measures, which are similarly aimed at uplifting the cybersecurity posture of SingHealth and IHiS, must be implemented or seriously considered.
18. All sixteen recommendations are made in respect of TORs #3 and #4, and apply equally to TOR #5. They range from basic cyber hygiene measures to more advanced measures which may be more relevant after a certain level of cybersecurity maturity has been attained by the organisation.
19. While some measures may seem axiomatic, the Cyber Attack has shown that these were not implemented effectively by IHiS at the time of the attack. For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cybersecurity competencies and the ability to counter the real, present, and constantly evolving cybersecurity threats.