Report on SingHealth breach condemns poor security practices
A Committee of Inquiry report into Singapore's SingHealth 2018 data breach suggests that IT staff were ill prepared and failed to take appropriate action to prevent the breach. And what's more, the system itself was riddled with vulnerabilities.
SingHealth employs a firm called Integrated Health Information Systems (IHiS) to operate its health system and implement its cybersecurity protection.
That protection failed in August 2017, when an attacker gained access to SingHealth's IT network through suspected phishing attacks.
In June, July, and August 2018, the attacker compromised databases that eventually led to the leak of personal details belonging to almost 1.5 million patients.
The report, titled Public report of the committee of inquiry into the cyber attack on Singapore Health Services Private Limited's patient database on or around 27 June 2018, presented five key findings in relation to the breach.
The first finding says that IHiS staff “did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack”. It says that although some IT administrators noticed suspicious activity, they did not realise that it was an advanced threat – and did not escalate the matter to the Cyber Security Agency of Singapore.
The second finding claims that some IHiS staff working in IT security, including the security incident response manager and the cluster information security officer, failed to “take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack”.
The security incident response manager failed to report the issue because he thought he and his team would be scrutinised if management found out. The cluster information security officer didn't understand the significance of the breach and looked to the security incident response manager for guidance.
The third finding suggests that there were already a number of issues with the SingHealth network and its Sunrise Clinical Manager (SCM) database.
“There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker's success in obtaining and exfiltrating the data, many of which could have been remedied before the attack,” the report says.
These issues include vulnerabilities in network connectivity between SingHealth Citrix servers and the SCM database. The servers themselves were not properly secured and failed to use two-factor authentication.
Other vulnerabilities such as a coding vulnerability in the SCM application and weak administrator passwords ultimately contributed to the attack.
The fourth finding pertains to the attacker themselves, and suggests that the person was not only skilled, but could have been part of an Advanced Persistent Threat group. The attacker had a clear goal – to steal personal and outpatient data belonging to the Prime Minister. The prolonged nature of the attack and the advanced command and control network also support the report's conclusion.
The final finding suggests that the attack could have been prevented if security systems were up to standard.
“While our cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable,” the report says.
While the attacker was ‘stealthy but not silent’, IHiS staff could have stopped the attack if they had been able to recognise its ongoing nature and if they had taken action.
The report recommends that SingHealth must uplift its cybersecurity posture. Its 16 recommendations are as follows:
1. An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions
2. The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats
3. Staff awareness on cybersecurity must be improved, to enhance capacity to prevent, detect, and respond to security incidents
4. Enhanced security checks must be performed, especially on CII systems
5. Privileged administrator accounts must be subject to tighter control and greater monitoring
6. Incident response processes must be improved for more effective response to cyber attacks
7. Partnerships between industry and government to achieve a higher level of collective security
8. IT security risk assessments and audit processes must be treated seriously and carried out regularly
9. Enhanced safeguards must be put in place to protect electronic medical records
10. Domain controllers must be better secured against attack
11. A robust patch management process must be implemented to address security vulnerabilities
12. A software upgrade policy with focus on security must be implemented to increase cyber resilience
13. An internet access strategy that minimises exposure to external threats should be implemented
14. Incident response plans must more clearly state when and how a security incident is to be reported
15. Competence of computer security incident response personnel must be significantly improved
16. A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered