Report on SingHealth breach condemns poor security practices

15 Jan 2019

A Committee of Inquiry report into Singapore’s SingHealth 2018 data breach suggests that IT staff were ill prepared and failed to take appropriate action to prevent the breach. And what’s more, the system itself was riddled with vulnerabilities.

SingHealth employs a firm called Integrated Health Information Systems (IHiS) to operate its IT systems and implement its cybersecurity protection.

That protection failed in August 2017, when an attacker gained access to SingHealth’s IT network through suspected phishing attacks.

In June, July, and August 2018, the attacker compromised databases that eventually led to the leak of personal details belonging to almost 1.5 million patients.

The report, titled Public report of the committee of inquiry into the cyber attack on Singapore Health Services Private Limited’s patient database on or around 27 June 2018, presented five key findings in relation to the breach.

The first finding says that IHiS staff “did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack”.
It says that although some IT administrators noticed suspicious activity, they did not realise that it was an advanced threat, and so did not escalate the matter to the Cyber Security Agency of Singapore.

The second finding claims that some IHiS staff working in IT security, including the security incident response manager and the cluster information security officer, failed to “take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack”.

The security incident response manager failed to report the issue because he thought he and his team would be scrutinised if management found out. The cluster information security officer didn’t understand the significance of the breach and looked to the security incident response manager for guidance.

The third finding suggests that there were already a number of issues with the SingHealth network and its Sunrise Clinical Manager (SCM) database.

“There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack,” the report says.

These issues include vulnerabilities in network connectivity between SingHealth Citrix servers and the SCM database. The servers themselves were not properly secured and failed to use two-factor authentication.

Other vulnerabilities, such as a coding vulnerability in the SCM application and weak administrator passwords, also contributed to the attack.

The fourth finding pertains to the attacker, and suggests that the person was not only skilled but may have been part of an Advanced Persistent Threat group.
The attacker had a clear goal: to steal personal and outpatient data belonging to the Prime Minister. The prolonged nature of the attack and the advanced command and control network also support the report's conclusion.

The final finding suggests that the attack could have been prevented if security systems were up to standard.

“While our cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable,” the report says.

While the attacker was 'stealthy but not silent', IHiS staff could have stopped the attack if they had recognised that an attack was in progress and had taken action.

The report recommends that SingHealth uplift its cybersecurity posture, and makes 16 recommendations:

1. An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions
2. The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats
3. Staff awareness on cybersecurity must be improved, to enhance capacity to prevent, detect, and respond to security incidents
4. Enhanced security checks must be performed, especially on CII systems
5. Privileged administrator accounts must be subject to tighter control and greater monitoring
6. Incident response processes must be improved for more effective response to cyber attacks
7. Partnerships between industry and government must be formed to achieve a higher level of collective security
8. IT security risk assessments and audit processes must be treated seriously and carried out regularly
9. Enhanced safeguards must be put in place to protect electronic medical records
10. Domain controllers must be better secured against attack
11. A robust patch management process must be implemented to address security vulnerabilities
12. A software upgrade policy with focus on security must be implemented to increase cyber resilience
13. An internet access strategy that minimises exposure to external threats should be implemented
14. Incident response plans must more clearly state when and how a security incident is to be reported
15. Competence of computer security incident response personnel must be significantly improved
16. A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered.