COI Report – Part VII Page 389 of 425 data”. 109 To the extent that patient confidence in the confidentiality of patient data is undermined, the ability of the healthcare sector to engage and provide healthcare to patients is correspondingly reduced. The trade-off may thus not be a simplistic one between binary objectives of patient safety versus cybersecurity, as both objectives maybe twinned or interdependent. Third, as is already being considered by the healthcare sector, it would be sensible to make distinctions between different internet use-cases in the healthcare sector to determine where internet usage for work is really needed, where workarounds can be implemented, and what mitigating measures should be put in place where internet connectivity is permitted – a careful balance of all these considerations is needed for the healthcare sector to arrive at an optimal tiered internet access strategy. 1133. In the latter regard, the experts have recommended a tiered internet access strategy as follows a) Where devices or databases do not need to be connected to the internet, they should not be connected. This recommendation should be implemented, as it will reduce the attack surface. b) ISS for all endpoints. While devices connected to internal networks and databases are isolated from the internet, internet usage for operational needs can be carried out on separate internet-surfing devices. Depending on user needs, this separate device can be either the user’s personal device, or enterprise-procured devices. c) If ISS is unsuitable i) where only one-way communication is required, there should be a unidirectional gate (e.g. data diodes) to prevent data leakage and 109 Singapore Parliamentary Debates, Official Report (6 August 2018) vol 94 (Ministerial Statement.
