
SingHealth cyber attack a result of human lapses, IT system weaknesses: COI report

SINGAPORE — The SingHealth cyber attack happened because of lapses by employees and vulnerabilities with the system. Ultimately, the breach into the public healthcare group’s database was preventable even though the attacker was skilled.


These were the key findings in a report released on Thursday (Jan 10) by the Committee of Inquiry (COI), which was formed to investigate the cyber attack.

Chaired by retired senior judge Richard Magnus, the four-member committee submitted its full report to Communications and Information Minister S Iswaran at the end of last year.

Besides lapses among employees, the committee repeatedly highlighted that those in charge of network security were not pro-active and did not see the need to conduct frequent security checks.

In the 450-page report, the COI also stressed that “the need” and “mindset” to conduct continuous database monitoring “was not part of the consciousness” of the network designers and operators at the time of the cyber attack.

Between June 27 and July 4 last year, a foreign, persistent and sophisticated threat group broke into SingHealth’s system and gained access to the Sunrise Clinical Manager (SCM) database holding electronic medical records. It stole the personal data of 1.5 million patients and the outpatient medication records of 160,000 of them — including Prime Minister Lee Hsien Loong’s.

Besides the five main findings in the report, the committee also spelt out 16 recommendations for SingHealth and the Integrated Health Information Systems (IHiS) to improve their cyber-security defences. IHiS runs the IT systems of all public healthcare institutions.

Out of the 16 recommendations, seven have been identified as key ones that must be put into use. They relate to certain strategic and operational measures to enhance cyber security at SingHealth and IHiS, such as having training programmes to help staff members be more aware of cyber threats.

The recommendations were accepted by the Ministry of Health (MOH) and SingHealth. SingHealth’s group chief executive officer (CEO) Ivy Ng said in a statement on Thursday that the priority in the coming months will be to work closely with MOH, IHiS and industry experts to “pro-actively implement the recommendations” in the COI report.

IHiS’ CEO Bruce Liang said that the organisation will “carefully study” the recommendations in the COI report. “(We will) do our utmost to drive change throughout our organisation, with patient well-being as our priority,” he added.

Mr Iswaran, who is also Minister-in-charge of Cyber Security, and Health Minister Gan Kim Yong are expected to deliver ministerial statements in Parliament next week, laying out the Government’s response to the report.

FIVE KEY FINDINGS

Certain IHiS employees holding key roles in IT security failed to take appropriate and timely action, resulting in missed opportunities to prevent the stealing of data

  • It was revealed through public hearings late last year that senior executives in charge of reporting security incidents had failed to take timely action to report the cyber attack. One of them, Mr Ernest Tan, did not report suspicious activity despite being informed by his subordinates, for fear of working “non-stop” to answer for it.

  • The cluster information security officer for SingHealth, Mr Wee Jia Huo, abdicated responsibility of initiating alerts and updates on cyber threats to Mr Tan.

IHiS employees did not have adequate cyber-security awareness and training to understand the severity of the attack, and how to respond effectively to the attack

  • Some IHiS staff members, who had detected suspicious activity in the database, were unsure whether to report unusual queries. These included Ms Katherine Tan, a database administrator with IHiS, and her supervisor, Ms Teresa Wu. They testified that while there was a framework in place to report cyber-security incidents, there was insufficient training on what to do.

Vulnerabilities and weaknesses in the SingHealth network and SCM system contributed to the attacker’s success in obtaining and taking the data

  • The SCM database, which is legally owned by SingHealth, functioned on an open network that was linked to the Citrix servers of Singapore General Hospital (SGH), which resulted in a critical vulnerability the attacker exploited.

  • It was found that there was a lack of monitoring of the SCM database for unusual queries and access. For one, there was no existing control to detect or block bulk queries being made to the database. For another, the Citrix servers of SGH were not monitored for real-time analysis and alerts of vulnerabilities and issues arising from these servers.

  • The Citrix servers were not adequately secured against unauthorised access. Notably, the process requiring 2-factor authentication (2FA) for administrator access was not enforced as the exclusive means of logging in as an administrator. This allowed the attacker to access the server through other routes that did not require 2FA.

  • Another weakness that may have been exploited by the attacker was weak administrator account passwords. This was among the weaknesses discovered during a test, but the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the cyber attack.

The attacker was skilled, patient and persistent

  • During a Parliament session last year, Mr Iswaran revealed that the attacker was likely to be a state-sponsored actor, bearing the characteristics of an advanced persistent threat group. The COI said that the malware samples analysed by the Cybersecurity Agency of Singapore (CSA) were either “unique variants that were not seen in the wild” and had not been detected by the standard anti-malware solutions deployed by SingHealth, or “a mix of open-source tools that were modified to provide stealth for the attacker”.

  • Such network intrusion techniques with a low attack signature are a “hallmark” of an advanced threat actor. They helped the attacker evade detection for almost 10 months from Aug 23, 2017.

  • The attacker was conscientious in erasing logs on compromised workstations and servers, and even re-entered the network after being detected to erase system and programme logs.

  • The report said that the CSA furnished the details of a number of overseas network data to the Criminal Investigation Department for it to probe for more information. Direct requests were made to foreign law enforcement agencies for the relevant information.

While cyber defences will never be impregnable, the success of the attacker in obtaining and exporting the data was not a sure thing

  • The COI report said that the attacker was “stealthy but not silent”. Signs of an attack were observed, but they were not acted upon because of the relevant employees’ inability to recognise that an attack was ongoing, and inaction on the part of staff members responsible for responding to attacks. Had they taken appropriate action, the attacker could have been stopped.

SEVEN PRIORITY RECOMMENDATIONS

IHiS and public healthcare institutions must adopt an enhanced security structure and readiness

  • The COI said that cyber security must be viewed as a risk management issue, and not merely a technical issue. Effective cyber security thus requires an “acceptance that (it) is an organisation-wide problem, not just an IT problem”, it added.

  • Decisions on how to strengthen cyber security should be deliberated at the appropriate management level, to balance the trade-offs among security, operational requirements and cost.

  • IHiS and the healthcare clusters must review their organisational and reporting structure, to ensure that cyber-security considerations and decisions are escalated to the appropriate decision-makers.

  • SingHealth senior management should also be equipped with appropriate cyber-security expertise.

The cyber stack must be reviewed to assess if it is enough to defend and respond to advanced threats

  • The cyber stack, which refers to the layers of security technology that an organisation puts in place to form an integrated defence to cyber attacks, must be improved.

  • The COI noted that attackers are now adept at discovering “weak points” in a system, and endpoints such as laptops and desktops are increasingly being targeted.

  • As the attacker likely gained access through a phishing email, the COI recommended that IHiS and CSA review the efficacy of the email-protection measures that are now in place.

  • The effectiveness of endpoint security measures must also be reviewed.

  • IHiS and SingHealth (as the owner of the patient database) and other critical information infrastructure (CII) operators must provide advanced endpoint security solutions, given the clear evidence of how signature-based systems were thoroughly defeated in the cyber attack.

Cyber-security awareness among employees must be improved, to enhance capacity to prevent, detect and respond to security incidents

  • The COI recommended that a security awareness programme should be rolled out and sharpened to focus on what matters most to an organisation.

  • It should train employees on secure authentication, how to better identify social engineering attacks, handling sensitive data, how to deal with unintentional data exposure, and identifying and reporting incidents.

  • The programme should also aim to use real-life incidents to add realism and legitimacy.

Enhanced security checks must be performed, especially on CII systems

  • The COI said that penetration testing and red teaming — where a group of white-hat hackers attack an organisation's digital infrastructure to test the organisation's defence — must be carried out regularly.

  • Threat hunting, where potential attackers are sought out, must be considered.

  • The CSA recommended that organisations conduct code review of applications that are installed on critical systems and ensure that such reviews have been performed to their satisfaction. This is to verify that there are no instances of insecure programming or security flaws that may present vulnerabilities or backdoors that could be exploited by cyber attackers.

Privileged administrator accounts must be subject to tighter control and greater monitoring

  • This would mean that all administrators must use 2FA when performing administrative tasks. Server local administrator accounts must also be centrally managed across the IT network.

Response to incidents must be improved for a more effective guard against cyber attacks

  • An incident response plan must not only be drawn up but also be put to use. Simulation exercises can be done to test the effectiveness of the plans.

  • Such response plans should also be constantly updated.

  • The COI noted that incident response processes should involve senior management and even members of the board of directors.

  • “This is a basic requirement of corporate risk management. Senior executives and board members should be prepared to respond to major crises caused by cyber attacks,” it said.

Partnerships between the Government and industry to achieve a higher level of collective security

  • Public healthcare groups should seek to apply defence beyond borders. Cross-border and cross-sector partnerships should be strengthened.

  • The COI also urged other organisations responsible for large databases of personal data to build cyber-security competencies and abilities to counter real and constantly evolving threats.

The full public report can be accessed at: www.mci.gov.sg/coireport
