COI Report – Part IV
Page 105 of 425

identified [26], and it was noted that there was “(l)imited protection against advanced persistent threats” in place.

b) Second, at Item 13, the threat of “Cyber Extortion/Ransom e.g. theft of patient’s medical record” was identified, and it was noted that there was “(l)imited protection against advanced persistent threats” in place.

295. In response to the above two threats, the proposed control measure was for “(i)nfrastructure Services – Cluster Infrastructure Services to implement the client APT, advanced persistent threats [sic] protection, in stages and to be completed by end FY19”.

296. Wee has informed that the initial draft of FY CII Risk Assessment was sent to Serena Yong, Henry Arianto, Foong Lai Choo, and Clarence Kua. These were all senior members of IHiS’ Infrastructure Services Division or the CIO Office. The FY CII Risk Assessment was also presented at a number of meetings in January 2017, including the SingHealth CITC (Cluster IT Council) meeting which, as described in paragraph d) (pg 42) above, was chaired by SingHealth GCEO, Prof. Ivy. Subsequently, on 5 April 2017, the CSG also shared the results of the risk assessment with the CSC (Cyber Security Council), which was chaired by MOHH MD, Aik Guan.

297. In end, the next risk assessment was conducted, and a “2017 Risk Assessment” was published on 31 December 2017. The same threats posed by APTs and the proposed implementation of ATP by FY were repeated. On 31 January 2018, the CSG updated the CSC on this risk assessment.

[26] This threat was described as having a Medium likelihood of occurring if there are no controls in place, and with a High impact to business operations.

This threat was described as having a Low likelihood of occurring if there are no controls in place, and with a Medium impact to business operations.