Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 342 of 425

43.1.3 Risks must be thoughtfully identified and prioritised during each assessment

992. The HITSPS sets out an IT security risk assessment form containing pre-populated threats/risks. The SingHealth Cluster ISO Wee used the same template in 2016 and 2017 to conduct the risk assessment for the SCM system. No thought was given as to whether the same set of threats/risks listed in the template were applicable (at all, or year on year).

993. We recommend that IHiS/SingHealth should proactively identify the applicable threats/risks for each relevant system at each assessment. Risk assessment forms should not come hard-coded with a set of pre-populated threats/risks, such that the same template of fixed threats/risks is reviewed year on year without further thought. In particular, given what IHiS/SingHealth now know about the attacker’s modus operandi in the Cyber Attack, and given that the healthcare sector may be subject to other APT attacks in future, the threat/risk areas pertaining to each relevant system should be re-looked at and identified taking into account the new knowledge gained. As Vivek said, “the way I recommend risk management be done is you apply your controls to the attacker’s modus operandi and see where you have gaps”.

994. Vivek also proposed rethinking the prevalent practice of using asset classification to prioritise risk. He explained that organisations have to operate within a budget, and that requires prioritising investments based on the risk so as to maximise the benefits derived from the budget. Many factors are considered while assessing risk, and asset classification or asset value is one of them. Most classification models are quite simplistic, in that they mostly ignore the effect of network connectivity between systems. As a result, several systems, and especially endpoints, get classified as low priority assets and consequently receive a lesser degree of control coverage, including preventive and detective controls. Attackers know this very well, and exploit it using a simple and highly effective modus operandi involving penetrating lower priority assets which receive less coverage for defensive, preventive and detective controls. Thereafter, attackers would perform lateral movement and privilege escalation. It becomes
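The two points made in paragraphs 993 and 994 (apply controls to the attacker's modus operandi to find gaps, and do not let asset classification ignore network connectivity) can be illustrated with a small model. The following Python is an added example written for this edition of the report; it is not a tool or method used by IHiS, SingHealth or the COI. The asset inventory, the network edges and the mapping from attacker stages to expected controls are all constructed for illustration. It contrasts a classification-only priority with one that raises an asset's priority to that of the most critical system reachable from it, then lists the control gaps per attacker stage for every asset the connectivity-aware model rates as high priority.

```python
from collections import deque

# Constructed sample inventory (illustrative only, not the actual SingHealth/IHiS estate):
# asset name -> classification value (1 = low, 5 = critical) and the
# preventive/detective controls currently deployed on it.
ASSETS = {
    "clinical-db":   {"value": 5, "controls": {"patching", "edr", "log-monitoring", "mfa"}},
    "app-server":    {"value": 4, "controls": {"patching", "log-monitoring"}},
    "workstation-a": {"value": 1, "controls": {"antivirus"}},
    "workstation-b": {"value": 1, "controls": {"antivirus"}},
    "hr-fileshare":  {"value": 2, "controls": {"antivirus", "patching"}},
}

# Constructed network reachability: (src, dst) means src can open connections to dst.
EDGES = [
    ("workstation-a", "app-server"),
    ("app-server", "clinical-db"),
    ("workstation-b", "hr-fileshare"),
]

# Assumed mapping from stages of an attacker's modus operandi to the controls expected
# to prevent or detect that stage. Hypothetical illustration, not a catalogue from the report.
STAGE_CONTROLS = {
    "initial foothold on endpoint": {"edr", "patching"},
    "lateral movement":             {"log-monitoring", "mfa"},
    "privilege escalation":         {"edr", "mfa"},
}


def reachable(start, edges):
    """Breadth-first search over directed edges; returns every asset reachable from start."""
    adjacency = {}
    for src, dst in edges:
        adjacency.setdefault(src, []).append(dst)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def simplistic_priority(assets):
    """The classification-only model the report criticises: priority is just the asset value."""
    return {name: a["value"] for name, a in assets.items()}


def connectivity_aware_priority(assets, edges):
    """Raise each asset's priority to the value of the most critical asset reachable from it,
    so an endpoint that is a stepping stone to a critical system is no longer rated 'low'."""
    result = {}
    for name, a in assets.items():
        downstream = reachable(name, edges)
        exposure = max((assets[n]["value"] for n in downstream), default=0)
        result[name] = max(a["value"], exposure)
    return result


def control_gaps(assets, stage_controls):
    """Apply the deployed controls to each stage of the modus operandi and list what is missing."""
    gaps = {}
    for name, a in assets.items():
        missing = {
            stage: sorted(required - a["controls"])
            for stage, required in stage_controls.items()
            if required - a["controls"]
        }
        if missing:
            gaps[name] = missing
    return gaps


def review(assets, edges, stage_controls, threshold=4):
    """Assets rated at or above threshold by the connectivity-aware model, with their gaps."""
    priority = connectivity_aware_priority(assets, edges)
    gaps = control_gaps(assets, stage_controls)
    return {
        name: {"priority": p, "gaps": gaps.get(name, {})}
        for name, p in priority.items()
        if p >= threshold
    }


if __name__ == "__main__":
    print("classification only :", simplistic_priority(ASSETS))
    print("connectivity aware  :", connectivity_aware_priority(ASSETS, EDGES))
    for name, info in review(ASSETS, EDGES, STAGE_CONTROLS).items():
        print(f"{name}: priority {info['priority']}, gaps {info['gaps']}")
```

In the constructed data, workstation-a is a value-1 asset under the classification-only model, but because it can reach the application server, and through it the clinical database, the connectivity-aware model rates it 5 and surfaces that it has no EDR, log monitoring or MFA for any stage of the assumed modus operandi. workstation-b, which reaches only a low-value file share, stays at 2.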