COI on SingHealth cyber attack: 16 recommendations

The Singhealth logo on the Academia building in Singapore General Hospital, on July 20, 2018.
The Singhealth logo on the Academia building in Singapore General Hospital, on July 20, 2018.PHOTO: ST FILE

In addition to the five key findings on the SingHealth data breach, the Committee of Inquiry that investigated Singapore's worst cyber attack made 16 recommendations.

These are aimed at enhancing responses to similar incidents, better protecting SingHealth's database against similar attacks and reducing the risk of such cyber attacks on public sector IT systems with large databases of personal data. They are grouped into two categories: seven priority recommendations and nine additional recommendations.


1 An enhanced security structure and readiness must be adopted by the Integrated Health Information Systems (IHiS) and public health institutions.

  • Cyber security has to be seen as a risk management issue, and not just a technical issue, where decisions are made at the appropriate management level.
  • IHiS, Singapore's central IT agency for the healthcare sector, has to take an approach where security is not dependent on just one line of defence.
  • Gaps between policy and practice must be addressed.

2 Online security processes must be reviewed to assess their ability to defend and respond to advanced threats.

  • Effectiveness of current processes must be reviewed to fill gaps used by the attacker.

3 Staff awareness on cyber security must be improved, to better prevent, detect and respond to security incidents.

  • The level of cyber hygiene among users must improve.
  • A security awareness programme should be implemented to reduce organisational risk.
  • IT staff must be equipped with sufficient knowledge to recognise the signs of a security incident.

4 Enhanced security checks must be performed, especially on critical information infrastructure (CII) systems.

  • Vulnerability assessments, safety reviews and certification of vendor products must be done.

5 Privileged administrator accounts must be subject to tighter control and greater monitoring.

  • An inventory of administrative accounts should be created to keep track of them.
  • All administrators must use two-factor authentication (2FA) when doing administrative tasks.
  • Passphrases, instead of passwords, could be used. Password policies must be implemented and enforced.
  • Server local administrator accounts must be centrally managed.
  • Privileged service accounts must be managed and controlled.

6 Improve incident response processes for a more effective response to cyber attacks.

  • Response plans must be tested frequently to ensure effectiveness.
  • A balance must be struck between containment, remediation and eradication, and the need to monitor an attacker and preserve critical evidence.
  • Information needed to investigate an incident must be available.
  • An Advanced Security Operation Centre or Cyber Defence Centre should be established to improve the ability to detect and respond to intrusions.

7 There should be partnerships between the industry and the Government to achieve a higher level of collective security.

  • Threat intelligence sharing should be enhanced.
  • Partnerships with Internet service providers should be strengthened.
  • Apply behavioural analytics.


8 IT security risk assessments and audit processes must be treated seriously and carried out regularly.

  • IT security risk assessments must be conducted on CII and mission-critical systems annually and upon specified events.
  • Audit action items must be remediated.

9 Enhanced safeguards must be put in place to protect electronic medical records.

A clear policy on measures to secure confidentiality, integrity and accountability of electronic medical records must be formulated.

  • Have real-time monitoring of databases with patient data.
  • End-user access to electronic health records should be made more secure.
  • Controls must be put in place to better protect against data theft.

10 Domain controllers must be better secured against attacks.

  • Operating system for domain controllers must be more regularly updated to protect them against the risk of cyber attack.
  • Limit log-in access and require 2FA for administrative access.

11 A robust patch management process must be implemented to address security vulnerabilities.

  • Formulate and implement a clear policy on patch management.

12 A software upgrade policy with focus on security must be implemented to increase cyber resilience.

  • A proper governance structure must be in place to make sure policy is adhered to.

13 An Internet access strategy that minimises exposure to external threats should be implemented.

  • Internet access strategy should be considered afresh.
  • The healthcare sector should consider the benefits and drawbacks of Internet surfing separation and Internet isolation technology, and put in place mitigating controls to address the residual risks.

14 Incident response plans must more clearly state when and how a security incident is to be reported.

  • It must clearly state that an attempt to compromise a system is a reportable security incident, and include examples as well as indicators of an attack.

15 Competence of computer security incident response personnel must be significantly improved.

  • A competent and qualified security incident response manager, who understands and can execute the required roles and responsibilities, must be appointed.

16 A post-breach independent forensic review of the network, all endpoints and the electronic medical records system should be considered.

  • IHiS should consider working with experts to ensure no traces of the attacker are left behind.
A version of this article appeared in the print edition of The Straits Times on January 10, 2019, with the headline '16 recommendations'. Subscribe