SingHealth data breach reveals several 'inadequate' security measures

Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.
Written by Eileen Yu, Senior Contributing Editor

Investigation into Singapore's most severe cybersecurity breach has uncovered several poor security practices, including the use of weak administrative passwords and unpatched workstations.

The findings were revealed on the first day of hearings led by the Committee of Inquiry (COI), a team set up to probe a July 2018 security breach that compromised personal data of 1.5 million SingHealth patients. The incident also compromised outpatient medical data of 160,000 patients that visited the healthcare provider's facilities, which included four public hospitals, nine polyclinics, and 42 clinical specialties.

The initial response to the security breach was "piecemeal" and "inadequate", said Solicitor-General Kwek Mean Luck, during his opening statement Friday to kickstart the six-day public hearing.

He said more could have been done to prevent the security incident from escalating, but noted that the breach also bore traits typical of an advanced persistent threat (APT) attack. It had involved the use of highly sophisticated tools, including customised malware that succeeded in penetrating SingHealth's antivirus and security tools.

Pointing to findings from the investigation, which was carried out by Cybersecurity Agency of Singapore (CSA), Kwek said the attackers used a publicly available hacking tool to breach an end-user workstation. They were able to do so because the workstation was running a version of Microsoft Outlook that was not updated with a patch to address the use of the hacking tool.

This provided the hackers access into SingHealth's network as early as August 2017, distributing malware and infecting other workstations after the initial breach, he said.

In addition, one local administrator accounts had used "P@ssw0rd" as a password, which could have been easily deciphered, the COI said. The attackers were found to have used some administrator accounts to remotely log into Citrix servers hosted at Singapore General Hospital, reported local broadcaster Channel NewsAsia.

The attackers, in fact, made repeated failed attempts to gain access to a database running Allscript Healthcare Solutions' Sunrise Clinical Manager (SCM), which was managed by the local healthcare sector's IT agency, Integrated Health Information System (IHIS).

This revealed another inadequacy in the network, which allowed the hackers to run bulk queries because the system lacked rules or controls that could have identified such patterns of behaviour or unauthorised use.

The findings further revealed a coding vulnerability in the SCM software, and this was likely the reason the hackers were able to eventually extract database credentials from a Citrix server hosted on the Healthcare-Cloud.

The SCM software and systems containing the electronic medical records were hosted on Citrix servers at Singapore General Hospital, before these were migrated--in July 2017--to the Healthcare-Cloud, which was the public healthcare sector's private cloud platform.

A network connection between the Citrix server at the hospital and the cloud platform was left open, which likely enabled the hackers to exploit the vulnerability in the SCM database and retrieve the necessary credentials.

According to the COI, a former employee in 2014 had alerted IHIS about the coding vulnerability, but no action was taken by the healthcare IT operator to resolve the issue.

Kwek also noted that IHIS staff became aware of the unauthorised attempts to access the database on June 11. While they tried to address this by changing passwords and shutting down a server, he said these efforts were piecemeal and inadequate.

In addition, he said, having terminated the hackers' access to the patients' record on July 4, the IHIS employees did not notify the senior management team including SingHealth's CIO until the night of July 9.

The hearing will continue with several witnesses including from the Ministry of Health, SingHealth, and IHIS.

The COI is expected to submit its report and recommendations to Singapore's Minister for Communications and Information S. Iswaran by year-end.

Related Coverage

Singapore to offer bug bounty, set up Asean cybersecurity centre

Singapore government will launch a bug bounty initiative by end-2018, when local and international hackers will be invited to test systems for vulnerabilities, as well as a cybersecurity hub next year to facilitate collaboration and training efforts amongst Asean country members.

Singapore moots 'essential' cybersecurity rules for financial firms

Monetary Authority of Singapore has proposed converting current cybersecurity guidelines to mandatory requirements, which financial institutions operating in the country must adopt to safeguard their IT systems and build up their cyber resilience.

Singapore explores virtual browsers following SingHealth data breach

Health Ministry is piloting the use of quarantined servers as part of efforts to "reduce the number of potential attack points", following last month's security breach that compromised the personal data of 1.5 million patients.

Singapore banks told to tighten data verification following SingHealth breach

Monetary Authority of Singapore instructs financial institutions to tighten their customer verification processes following SingHealth's security breach, which compromised personal data of 1.5 million people.

Why 31% of data breaches lead to employees getting fired (TechRepublic)

North America is the region where C-Suite leaders are most likely to be blamed for a breach.

Editorial standards