Vulnerabilities, missed opportunities and 16 recommendations: COI hearings on SingHealth cyber attack wrap up

SINGAPORE — Beginning June 11, there were at least seven points when malicious activities in the SingHealth IT network should have been reported to the Cyber Security Agency (CSA), said Solicitor-General Kwek Mean Luck on Friday (Nov 30).

In reality, the CSA was informed on July 10, after a massive cyber attack had occurred.

And while some actions taken by frontline employees at the Integrated Health Information Systems (IHiS) were commendable, the same cannot be said of its middle management.

IHiS, the Health Ministry’s IT arm, runs the computer systems of the three public healthcare clusters in Singapore, including SingHealth.

In his closing statement after leading evidence in the 21-day hearing before a four-member Committee of Inquiry (COI), Mr Kwek also provided 16 recommendations to enhance responses to similar incidents and beef up protection of databases containing patients’ medical records.

Among his proposals: Tighter control of privileged administrator accounts, which give users unparalleled access to systems and are prime targets for malicious hackers.

Mr Kwek encouraged the use of passphrases (passwords that consist of phrases), which are easier for users to remember and “less susceptible to brute force attacks”.

Testing staff members for cyber-security awareness and the pro-active search for security vulnerabilities were among other recommendations.

The COI, led by retired judge Richard Magnus, will submit its findings and recommendations by Dec 31 to Mr S Iswaran, Minister-in-charge of Cybersecurity and Minister for Communications and Information.

A sophisticated advance persistent threat group breached SingHealth’s systems and stole the personal data of 1.5 million patients between June 27 and July 4 this year. They also stole the outpatient medication records of 160,000 of them — including Prime Minister Lee Hsien Loong.

Mr Magnus said responses following the cyber attack must go beyond technical measures and include solutions to tackle human errors.

“It must also include the human dimension of cyber hygiene and cyber security such as proper governance, processes and situational awareness. And this human dimension has to pervade organisations down to the last soldier,” he said.

Organisations should arm themselves with security solutions that enable them to detect and respond early to threats, he added.

IHiS' lawyer, Senior Counsel Philip Jeyaretnam, said that the organisation has stepped up staff engagement to heighten vigilance against potential threats. It will also work on its organisational culture, a factor hampering response to cyber-security incidents earlier acknowledged by IHiS' chief executive officer Bruce Liang.

“In this respect, IHiS senior management is committed to creating an information-sharing culture with the assurance that IHiS staff will be provided with all necessary support to investigate uncertain or suspected security incidents,” said Mr Jeyaretnam.

The COI hearings began on Aug 28 and took place in three tranches. The committee heard evidence from 37 witnesses, with the majority from IHiS and SingHealth, while three were independent experts.

HOW DATA BREACH HAPPENED

The attackers exploited vulnerabilities in the SingHealth network. They used a dormant local administrative account and an inactive local service account to access the Citrix servers of Singapore General Hospital (SGH). The password for the dormant local administrator account, P@ssw0rd, was easily decrypted.

Passwords were required to be changed every three to six months, but the account had had the same password for six years, since 2012.

The Sunrise Clinical Manager database containing patient records did not provide solutions for the monitoring of bulk queries, and this allowed the attacker to run such queries undetected.

Its software also contained a vulnerability that exposed the database credentials in unencrypted form. In the CSA’s view, this is likely to have played a “pivotal role in allowing the attacker to cross the last mile to gain access into the Sunrise Clinical Manager database”, said Mr Kwek.

The attacker exploited a known vulnerability in Microsoft Outlook, for which a patch was not applied at a workstation.

The Citrix servers in SGH had no physical firewall and remote access was not restricted.

Delayed reporting by IHiS staff members was also a key contributing factor to the incident.

Malicious activities that culminated in the cyber attack should have been reported to the CSA as early as June 11 — a month before IHiS informed the CSA of the attack.

In one “missed opportunity”, senior manager Ernest Tan at IHiS decided not to report the incident to higher management despite repeated warnings from junior staff members, for fear of working “day and night” to investigate the matter.

IHiS’ cluster information security officer Wee Jia Huo also delayed reporting the incident, because he wanted to get a confirmation that a breach had indeed occurred.

“Early reporting would have enabled CSA to step in and commence investigations earlier,” said Mr Kwek.

TIGHTER CONTROLS, PRO-ACTIVE STRATEGY RECOMMENDED

Mr Kwek flagged five top-priority recommendations among the 16 put forward, and said that IHiS and public healthcare institutions will have to make time and free up resources to implement them.

Future cyber attacks “may not follow the same attack pattern” as the SingHealth breach, he noted.

Among the top-priority recommendations:

1. Enhancing cyber-security approach, adopting pro-active defence strategy

• Regular audits and compliance checks should be conducted

• Checks should be done to make sure that all accounts adhere to password policies

• Security management department at IHiS should have a direct reporting line to the chief executive officer, instead of being part of the infrastructure division

• Vulnerability assessments, safety reviews, evaluation and certification of vendor products, penetration testing, red teaming and threat hunting could be put in place

2. Improving awareness on cyber security

• All staff members should be trained to practise good cyber hygiene

• They can be tested through mock-phishing exercises

• Such training should be institutionalised in a security awareness programme, rather than in an ad-hoc manner

3. Privileged administrator accounts to be subject to tighter control

• The number of IT staff members who have administrator privilege should be reviewed

• Passphrases could be used instead of passwords, since they may be easier to remember for the user and are less susceptible to brute force attacks

4. Improve incident-response processes

• All relevant parties should be drilled on the response plan through regular exercises and simulations

• Information and data needed to investigate an incident must be readily available to responders. This can be accomplished through a single Advanced Security Operations Centre