Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 387 of 425

else in Cluster management. Given the importance of ensuring security for software, it is suggested that there be a dual reporting structure to both IHiS and Cluster management, including (a) Lead, SMD (IHiS) – to ensure that security considerations are given adequate weight; (b) Cluster Infrastructure Lead (IHiS) – to ensure that the upgrades are appropriate in the current environment; (c) GCIO (Cluster) – for operational concerns; and (d) Dy GCEO (Cluster) (or equivalent) – to ensure that Cluster management is apprised of and agrees to any upgrades or to forgo said upgrades. Alternatively, this role can be filled by a dedicated Cluster CISO, as we have proposed in Recommendation #1.




48 RECOMMENDATION #13: AN INTERNET ACCESS STRATEGY THAT MINIMISES EXPOSURE TO EXTERNAL THREATS SHOULD BE IMPLEMENTED
#PREVENTION #VIGILANCE
1130. Temporary Internet Surfing Separation (“ISS”) was implemented in SingHealth from 20 July 2018, and in the other two clusters from 22 July 2018. In this section, we will consider the expert opinions on (a) whether ISS should be lifted, and if so, (b) what are the alternatives to ISS, and (c) whether additional mitigating controls are required.
1131. The appropriate internet access strategy is an issue of risk management. It requires consideration of resources, demands, infrastructure constraints, and operational imperatives. It is thus a decision that should be undertaken by the healthcare sector, weighing the full range of considerations. MOH has not come to an official position on the appropriate internet access strategy, and has formed a horizontal committee to look into this issue, and weigh the balance between cybersecurity risks, patient safety, and cost.
1132. While this is an issue for the healthcare sector’s ultimate decision, there are guiding principles that the healthcare sector should apply in determining its internet access strategy. First and foremost, we caution that the operational need for internet usage should not be conflated with the need for internet usage on the same device which has access to internal networks and databases containing confidential information (including the EMR). If the internet can be accessed on a separate device and/or via separate networks, the costs or operational drawbacks from an efficiency perspective of doing so must be balanced against the security gains. Second, while we accept that patient safety must be the predominant concern for the healthcare sector, it would be apposite for the healthcare sector to also bear in mind that inasmuch as patient safety relates to treatment, it also entails protection of patients’ confidential and sensitive medical information and records. As recognised by the Minister for Health (Mr Gan Kim Yong), patient wellbeing “includes safeguarding the confidentiality of patient


