COI Report – Part IV
Page 186 of 425

North office at around pm that night, and Douglas recommended setting up a War Room to coordinate investigations and recovery efforts. The War Room was set up at ConnectionOne on the night of 10 July 2018 itself.

30 CONCLUDING OBSERVATIONS FOR THIS PART

593. IHiS’ incident response up until 10 July 2018 was commendable in some respects, but was inadequate on the whole in preventing the attacker from stealing and exfiltrating the patient data. Two aspects stand out in particular:

a) First, IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack.

b) Second, certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack.

Ernest delayed reporting because he felt that additional pressure would be put on him and his team once the situation became known to management. The evidence also suggests that the reluctance to report may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm.

594. In a similar vein, the Committee recalls the discussion in Part III regarding the mismanagement and inadequacies in remediating the vulnerabilities, weaknesses, and misconfigurations in the SingHealth IT network that had been identified prior to the Cyber Attack.

595. Taken together, it can be seen that there were multiple gaps and deficiencies in IHiS’ cybersecurity posture and readiness. IHiS would have benefitted
from better training for staff, and more effective processes that would ensure that senior management had better oversight of security incidents and