COI Report – Part VII Page 239 of 425

692. As regards the principle that more valuable assets should be protected behind more layers of defence, it is imperative that stronger, multi-layered security mechanisms should have been in place around the SingHealth network's crown jewels – the electronic medical records of all SingHealth patients. This includes safeguards in the system to trigger alarms when abnormal activities are attempted or executed on the crown jewels.

693. An issue was raised in the Inquiry on whether it is realistic to expect a legacy system such as the SCM to have such inbuilt safeguards. The experts' view on this issue is clear: for legacy systems, there should be a regular process to constantly review such systems, and penetration testing should be built in as part of the safety review. CE, CSA is also of the same view.

694. Hence, all legacy systems in the public healthcare sector must be reviewed as a matter of priority. This must involve a thorough review and assessment of legacy systems/applications, including penetration testing and consideration of whether such systems/applications should be isolated or decommissioned (if hardening them is not possible). In this regard, IHiS can consider commissioning an independent external expert to conduct an initial review of all the legacy systems in the public healthcare sector. This will ensure that the review is objective and provides assurance that the systems have been thoroughly reviewed. Thereafter, subsequent regular reviews can be conducted internally.

36.2.2 Reviewing all assets including lower-priority assets

695. While the defence-in-depth strategy envisages that more valuable assets are protected behind more layers of defence, this is not to say that lower-priority assets are ignored. Vivek's expert opinion is that ignoring such lower-priority assets would be a mistake, as such assets are targeted and regularly exploited by APTs.
As regards the Cyber Attack, two instances of this were seen:

(a) NCC server

This is a server located at the National Cancer Centre ("NCC"). The Committee heard evidence that although the server was an IHiS asset, it was not being managed by IHiS in practice