A culmination of bad system management and undertrained IT staff, among other gaps, resulted in Singapore's most severe cybersecurity breach last July, according to the committee formed to review the events leading up to the SingHealth incident. It also recommends several steps the healthcare provider should take to plug the gaps and better safeguard patient data.
Several of its suggested remedies, however, already should be standard security practices for an essential services provider, including maintaining "an enhanced security structure", improving staff awareness to detect and respond to cyberattacks, and the need to perform cybersecurity system checks.
The 454-page report published today outlines 16 recommendations the committee said were made in light of its findings, testimonies from witnesses and Singapore's Cyber Security Agency (CSA), public submissions, as well as feedback from the Solicitor-General and key organisations including Ministry of Health, SingHealth, and the IT agency responsible for the local healthcare sector Integrated Health Information System (IHIS).
The review committee was formed shortly after the Health ministry in July 2018 revealed the personal data of 1.5 million SingHealth patients had been compromised, including that of the country's prime minister Lee Hsien Loong. Non-medical personal details, such as name and date of birth, of these patients had been accessed and copied and outpatient medical data of some 160,000 patients were also compromised.
The committee, which sat through 22 days of hearings involving 37 witnesses, noted in its report that the cyberattack had lasted for almost a year. Describing it as "unprecedented [in] scale and sophistication", the report revealed that the attack was carried out between August 23, 2017, and July 20 last year, during which SingHealth's patient database was illegally accessed.
In its findings, the committee found that the IHIS staff lacked adequate levels of cybersecurity awareness, training, and resources to understand the implications of the attack and respond effectively. While its IT administrators were able to identify suspicious attempts to log into the database, the same staff failed to correlate these findings with the tactics and procedures of an advanced cyberattack.
In addition, there was no framework on incident reporting, the committee noted, adding that the IHIS employees were unfamiliar with IT security policies and unaware of the need to escalate the issue to CSA.
The report also noted vulnerabilities, weaknesses, and misconfiguration in SingHealth's network as well as its database, which ran Allscript Healthcare Solutions' Sunrise Clinical Manager (SCM). These factors, it said, enabled the attackers to succeed in breaching the system and exfiltrating the data.
In particular, the attackers had exploited a significant vulnerability in the network connectivity between Citrix servers located at a public general hospital and the SCM database, to make queries to the database. This connectivity had been maintained to support the use of administrative tools and custom applications, which the committee found to be unnecessary.
Furthermore, the Citrix servers were poorly secured against unauthorised access, with two-factor authentication for administrator access unenforced. A coding vulnerability in the SCM application also was likely exploited to obtain credentials for accessing the database.
Remedies lay out basic security processes, best practices
In its recommendations on what needs to be done moving forward, the committee detailed steps that seem textbook for any organisation that owns critical information infrastructure (CII).
Topmost, the committee noted that "an enhanced security structure and readiness" must be adopted by IHIS and all public health institutions, including a "defence-in-depth" approach and policies and practices to address existing gaps. "Cybersecurity must be viewed as a risk management issue and not merely a technical issue," it said.
"Decisions should be deliberated at the appropriate management level to balance the tradeoffs between security, operational requirements, and cost."
The committee also noted that the entire "cyber stack" should be reviewed to ensure it is adequate in defending and responding to advanced threats. Gaps should be identified by mapping layers of the IT stack against existing security technologies, and loopholes in response tactics must be plugged with endpoint and network forensics capabilities.
In addition, employees' cybersecurity awareness have to be improved so they can help prevent, detect, and respond to security incidents.
There also should be routine security checks, especially where CII systems are concerned, and these should include regular vulnerability assessments, safety reviews and certification of vendor products, as well as regular penetration testing and threat hunting. Additionally, incident response processes must be improved for more effective responses to cyberattacks, such as establishing pre-defined modes of communication that should be used during any incident responses.
Furthermore, the committee said, privileged administrator accounts must be subject to tighter control and greater monitoring. These should include maintaining an inventory of administrative accounts and the use of two-factor authentication when performing administrative tasks. Password policies also should be implemented, and enforced, for both domain and local accounts.
It added that IT security risk assessments and audit processes must be treated seriously and carried out regularly, and enhanced safeguards should be established to protect electronic medical records.
The committee said: "While some measures may seem axiomatic, the cyberattack has shown that these were not implemented effectively by IHIS at the time of the attack. For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cybersecurity competencies and the ability to counter the real, present, and constantly evolving cybersecurity threats."
It noted that implementation of its recommendations required "effective and agile leadership" from senior management, and necessary adjustments to organisational culture, mindset, and structure. "These imperatives apply equally to all organisations responsible for large databases of personal data. We must recognise that cybersecurity threats are here to stay, and will increase in sophistication, intensity, and scale. Collectively, these organisations must do their part in protecting Singapore's cyberspace, and must be resolute in implementing these recommendations."
Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.
Health Ministry is piloting the use of quarantined servers as part of efforts to "reduce the number of potential attack points", following last month's security breach that compromised the personal data of 1.5 million patients.
Monetary Authority of Singapore instructs financial institutions to tighten their customer verification processes following SingHealth's security breach, which compromised personal data of 1.5 million people.
Singapore healthcare group says it has sent out SMS messages to more than 700.000 patients impacted by the security breach, while warning of fake ones alleging patients' financial data had been leaked.
A major cyberattack on Singapore's government health database compromised 1.5 million people's personal information, including the Prime Minister.