Strengthening Cybersecurity in Public Healthcare

15 January 2019 – Following the cyberattack on the SingHealth IT System, the Integrated Health Information Systems (IHiS) has taken immediate steps to further strengthen the organisation and the public healthcare sector against the evolving and increasingly sophisticated cyber threat environment, and redefine our cyber defence strategy.

2. To fortify cybersecurity safeguards, IHiS accelerated a wide range of cybersecurity measures which are being progressively implemented. Examples include:

(i) Advanced Threat Protection (ATP) that has been fully deployed across all 3 public healthcare clusters in over 6,000 servers and 60,000 endpoint devices.
(ii) Restriction of privileged access to dedicated local workstations has been implemented.
(iii) Database Activity Monitoring has been implemented in SingHealth’s Sunrise Clinical Manager (SCM) to mitigate the coding vulnerability in the SCM application.
(iv) Ongoing pilot on Virtual Browser solution to minimise risks of downloading and executing malicious files from the internet.
(v) Trial deployment for privilege threat analytics has started.
(vi) Technical solution feasibility design for the Advanced Security Operations Centre is being developed.
(vii) Proof of concepts for various measures such as Endpoint Detection and Response solution are being conducted.

3. In addition, staff engagement and training have been increased to heighten vigilance and improve staff awareness on cybersecurity.

4. IHiS is also carefully studying the findings and recommendations from the COI in detail. The learnings and critical areas of improvement necessitate a paradigm shift in how we see and manage cybersecurity. Further to the 18 measures announced in November 2018, IHiS has developed additional strengthening measures. These include:

- Strengthening of the organisational and governance structure in IHiS to better manage cybersecurity risks and improve oversight on compliance.
- Strengthening operating processes for quicker responses to cybersecurity events, and to better facilitate information sharing and incident management.
- Developing our people and building capabilities through training, reviews, and assessments.
- Reviewing our IT systems, particularly Critical Information Infrastructure (CII), to better defend and respond to advanced threats.

5. The Personal Data Protection Commission (PDPC) also conducted an investigation related to the incident and we accept the penalty imposed.

6. Healthcare will continue to be a sector targeted by threat actors. The number of security measures implemented has increased rapidly over the years, with a marked increase in manpower and investment on IT and cybersecurity across the public healthcare sector. Even though the Readiness Maturity Index score for the public healthcare sector improved between 2016 and 2018, there are many areas for improvement, as the cyberattack incident has shown. With the conclusion of the COI, IHiS will redouble efforts to recruit individuals with the right expertise to strengthen cybersecurity in the public healthcare sector and meet the tough challenges ahead.

7. Mr Bruce Liang, Chief Executive Officer, IHiS, said: “We would like to apologise again to the patients affected by the SingHealth cyberattack. As leaders of IHiS, my senior colleagues and I have collective responsibilities to defend against advanced cyber threats. With the conclusion of the COI, IHiS will focus on the formidable tasks ahead. We have learnt a lot about advanced cyberattack operation, as well as about our own weaknesses. We are determined to improve as an organisation.
We are also resolute in partnering the healthcare family to transform our cyber defence capabilities in order to protect the well-being of our patients.”

*** End ***

(Further details are shared in Minister’s speech)

For media enquiries, please contact:

Jean Louise Lee
Deputy Director, Communications, Integrated Health Information Systems (IHiS)
D: 6594 1697
HP: 9731 3021
E: email@example.com

About Integrated Health Information Systems (IHiS)

IHiS was formed in 2008 for an integrated approach in the development and management of IT systems in public healthcare. Today, IHiS supports the operations of 46 public healthcare institutions including acute hospitals, specialty centres, and polyclinics, as well as over 1,400 partners such as community hospitals, nursing homes, general practitioner clinics and voluntary welfare organisations. IHiS’ objectives are closely aligned to the priorities of the Ministry of Health, to provide our citizens with quality healthcare that is accessible and affordable.