
Report on SingHealth breach condemns poor security practices

15 Jan 2019

A Committee of Inquiry report into Singapore’s SingHealth 2018 data breach suggests that IT staff were ill prepared and failed to take appropriate action to prevent the breach. And what’s more, the system itself was riddled with vulnerabilities.

SingHealth uses a firm called Integrated Health Information Systems (IHiS) to operate its IT systems and to implement its cybersecurity protection.

That protection failed in August 2017, when an attacker gained access to SingHealth’s IT network through suspected phishing attacks.

In June and July 2018, the attacker compromised the patient database and exfiltrated personal details belonging to almost 1.5 million patients.

The report, titled Public report of the committee of inquiry into the cyber attack on Singapore Health Services Private Limited’s patient database on or around 27 June 2018, presented five key findings in relation to the breach.

The first finding says that IHiS staff “did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack”. It says that although some IT administrators noticed suspicious activity, they did not realise that it was an advanced threat – and did not escalate the matter to the Cyber Security Agency of Singapore.

The second finding claims that some IHiS staff working in IT security, including the security incident response manager and the cluster information security officer, failed to “take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack”.

The security incident response manager failed to report the issue because he thought he and his team would be scrutinised if management found out. The cluster information security officer didn’t understand the significance of the breach and looked to the security incident response manager for guidance.

The third finding suggests that there were already a number of issues with the SingHealth network and its Sunrise Clinical Manager (SCM) database.

“There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack,” the report says.

These issues included an open network connection between SingHealth's Citrix servers and the SCM database. The Citrix servers themselves were not adequately secured, and two-factor authentication was not enforced for administrator access to them.

Other vulnerabilities such as a coding vulnerability in the SCM application and weak administrator passwords ultimately contributed to the attack.

The fourth finding pertains to the attacker themselves, and suggests that the person was not only skilled, but could have been part of an Advanced Persistent Threat group. The attacker had a clear goal – to steal personal and outpatient data belonging to the Prime Minister. The prolonged nature of the attack and the advanced command and control network also support the report’s conclusion.

The final finding suggests that the attack could have been prevented if security systems were up to standard.

“While our cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable,” the report says.

While the attacker was 'stealthy but not silent', IHiS staff could have stopped the attack if they had recognised that an attack was in progress and acted on what they saw.
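The two preceding points, an unexpected path from the Citrix servers to the SCM database and an attacker who was noisy enough to be noticed, are the kind of thing a database audit log can surface. The script below is an added example written for this article, not code from the report or from IHiS, and it runs over a constructed audit log rather than any real SingHealth data. It assumes a hypothetical log format of one statement per line (timestamp, source host, database account, rows returned, statement text), an allow-list of hosts that legitimately talk to the database, and two thresholds chosen for illustration: it flags statements from hosts outside the allow-list, statements returning a bulk result, and hosts whose query rate over a rolling hour exceeds a limit, which catches the slow-and-low pattern of many small queries as well as a single large dump.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts expected to open connections to the clinical database (the
# application tier). Constructed allow-list for this example; a real
# deployment would derive it from the network design and firewall policy.
ALLOWED_DB_CLIENTS = {"scm-app-01", "scm-app-02"}
BULK_ROWS = 10_000          # rows returned by one statement that warrants a look
MAX_QUERIES_PER_HOUR = 50   # statements per source host per rolling hour


def build_sample_log():
    """Constructed database audit log (not real SingHealth data).

    Hypothetical line format:
    <ISO timestamp> <source host> <db account> <rows returned> <statement>
    """
    lines = [
        "2018-06-27T02:01:10 scm-app-01 scm_app 1 SELECT * FROM patient WHERE nric = ?",
        "2018-06-27T02:01:12 scm-app-02 scm_app 1 SELECT * FROM visit WHERE patient_id = ?",
        "2018-06-27T02:05:00 citrix-07 sa 100000 SELECT * FROM patient",
        "2018-06-27T02:06:00 citrix-07 sa 250000 SELECT * FROM dispensed_medication",
    ]
    # Slow-and-low pattern: many small queries from the same foothold host.
    start = datetime(2018, 6, 27, 3, 0, 0)
    for i in range(60):
        ts = (start + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} citrix-07 sa 500 SELECT * FROM patient WHERE id BETWEEN ? AND ?")
    return "\n".join(lines)


def parse_line(line):
    """Split one audit line into its fields; the statement may contain spaces."""
    ts, host, account, rows, statement = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "account": account, "rows": int(rows), "statement": statement}


def detect(log_text):
    """Return one alert per suspicious statement, tagged with the reasons."""
    alerts = []
    recent = defaultdict(list)   # host -> timestamps of statements in the last hour
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        reasons = []
        if rec["host"] not in ALLOWED_DB_CLIENTS:
            reasons.append("unexpected_client_host")
        if rec["rows"] >= BULK_ROWS:
            reasons.append("bulk_result")
        # Rolling one-hour window per source host, trimmed as time advances.
        cutoff = rec["ts"] - timedelta(hours=1)
        window = [t for t in recent[rec["host"]] if t > cutoff] + [rec["ts"]]
        recent[rec["host"]] = window
        if len(window) > MAX_QUERIES_PER_HOUR:
            reasons.append("query_rate")
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "host": rec["host"],
                           "account": rec["account"], "rows": rec["rows"],
                           "reasons": reasons})
    return alerts


def summarise(alerts):
    """Collapse per-statement alerts into host -> set of reasons, for triage."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].update(a["reasons"])
    return dict(by_host)


if __name__ == "__main__":
    found = detect(build_sample_log())
    for host, reasons in summarise(found).items():
        print(f"{host}: {sorted(reasons)}")
```

On the constructed log only the Citrix host trips any rule: its two full-table reads are flagged as bulk results from an unexpected client, and its burst of small queries trips the rate limit once the 51st statement lands inside the hour. The allow-list rule is the cheapest of the three and would have fired on the very first connection from a host that had no business reaching the database; the rate rule exists because an attacker who has learned to keep individual result sets small still has to issue many of them.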

The report recommends that SingHealth uplift its cybersecurity posture and sets out 16 recommendations:

1. An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions
2. The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats
3. Staff awareness on cybersecurity must be improved, to enhance capacity to prevent, detect, and respond to security incidents
4. Enhanced security checks must be performed, especially on CII systems
5. Privileged administrator accounts must be subject to tighter control and greater monitoring
6. Incident response processes must be improved for more effective response to cyber attacks
7. Partnerships between industry and government to achieve a higher level of collective security
8. IT security risk assessments and audit processes must be treated seriously and carried out regularly
9. Enhanced safeguards must be put in place to protect electronic medical records
10. Domain controllers must be better secured against attack
11. A robust patch management process must be implemented to address security vulnerabilities
12. A software upgrade policy with focus on security must be implemented to increase cyber resilience
13. An internet access strategy that minimises exposure to external threats should be implemented
14. Incident response plans must more clearly state when and how a security incident is to be reported
15. Competence of computer security incident response personnel must be significantly improved
16. A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered.
