The Online Citizen Asia

Failure of IHiS staff in key roles to respond promptly to potential security lapses, loopholes in database system setup led to major cybersecurity breach last July: COI on SingHealth cyberattack

by The Online Citizen
11/01/2019
in Current Affairs, Investigations & Inquiries

Inadequate cybersecurity awareness and training, failure of IT staff in significant positions to respond promptly to and report about instances of security-related incidents, and loopholes in the SingHealth IT system’s setup were some of the key findings cited in the Committee of Inquiry (COI) report on the SingHealth cyberattack that took place in July last year.

The COI on the SingHealth cyberattack, which was dubbed the largest data breach in Singapore’s history, was convened on 24 Jul.

Chaired by former Chief District Judge and current member of the Public Service Commission, Mr Richard Magnus, the COI comprises four members who were tasked to probe into the cybersecurity breach against SingHealth’s patients’ records.

The cyberattack affected personal medical data – such as outpatient prescriptions – of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong.

A series of cyberattacks on the public healthcare clusters took place between 23 Aug 2017 and 20 July last year, the report added.

In what the report dubbed “the crown jewels of the SingHealth network”, it was stated that “Citrix servers”, through which the SingHealth Sunrise Clinical Manager (SCM) could be accessed, “played a critical role in the Cyber Attack”.

“The SCM is an electronic medical records software solution, which allows healthcare staff to access real-time patient data. The SCM system can be seen as comprising front-end workstations, Citrix servers, and the SCM database.

“Users would access the SCM database via Citrix servers, which operate as an intermediary between front-end workstations and the SCM database,” the report read.

Integrated Health Information Systems Private Limited (IHiS), the IT arm of SingHealth, was “responsible for administering and operating the system, including implementing cybersecurity measures”, in addition to being in charge of “security incident response and reporting”, according to the COI report.

The COI report listed several key findings based on the information gathered from the series of events prior to, during, and following the cybersecurity breach:

Firstly, the COI found that “IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack”.

It elaborated that while “a number of IHiS’ IT administrators are commended by the Committee for their vigilance in noticing suspicious activity” such as unauthorised logins or suspicious attempts at logging into the database, these same IT administrators “could not fully appreciate the security implications of their findings” and were consequently “unable to co-relate these findings with the tactics, techniques, and procedures of an advanced cyber attacker”.

“They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA.

“There was also no incident reporting framework in place for the IT administrators,” added the COI in its report.

It also noted that “Members of the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management were similarly unable to fully appreciate the security implications of the findings”.

Secondly, the COI found that “Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack”.

The report pinpointed “the Security Incident Response Manager (SIRM) and Cluster Information Security Officer (Cluster ISO) for SingHealth, who were responsible for incident response and reporting”, and said that they “held mistaken understandings of what constituted a ‘security incident’, and when a security incident should be reported”.

Illustrating its point, the COI stated: “The SIRM delayed reporting because he felt that additional pressure would be put on him and his team once the situation became known to management.

“The evidence also suggests that the reluctance to escalate the matter may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm,” it argued.

“The Cluster ISO,” on the other hand, “did not understand the significance of the information provided to him, and did not take any steps to better understand the information”.

“Instead, he effectively abdicated to the SIRM the responsibility of deciding whether to escalate the incident,” said the COI.

Thirdly, the COI found that “there were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack”.

“A significant vulnerability,” it elaborated, “was the network connectivity … between the SGH Citrix servers and the SCM database, which the attacker exploited to make queries to the database”.

The COI also noted that “the SGH Citrix servers were not adequately secured against unauthorised access” and that “the process requiring 2-factor authentication (2FA) for administrator access was not enforced as the exclusive means of logging in as an administrator”.

“This allowed the attacker to access the server through other routes that did not require 2FA,” said the COI.

It added: “There was a coding vulnerability in the SCM application which was likely exploited by the attacker to obtain credentials for accessing the SCM database.”

“There were a number of other vulnerabilities in the network which were identified in a penetration test in early 2017, and which may have been exploited by the attacker,” stated the report, which “included weak administrator account passwords and the need to improve network segregation for administrative access to critical servers such as the domain controller and the Citrix servers”.

“Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the Cyber Attack,” said the COI.

Cyberattacker was a “stealthy”, “persistent” and “well-resourced group”, but was “not silent”: COI on SingHealth cyberattack

The COI also touched on the motivations of the perpetrator of the cyberattack, which, it believed, was clearly to obtain “the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients”.

The COI noted that while the cyberattacker was a “stealthy”, “persistent” and “well-resourced group”, they were “not silent,” and “signs of the attack were observed by IHiS’ staff” which, had they been properly recognised and dealt with by the IHiS staff members, would have prevented the infiltration in the first place.

“Doing so would have made it more difficult for the attacker to achieve its objectives,” stated the COI.

Steps taken by Integrated Health Information Systems Private Limited (IHiS), the IT arm of SingHealth, to buttress cybersecurity within Singapore’s public healthcare system, Annex B. Source: Report of the Committee of Inquiry (COI) into the Cyber Attack on SingHealth

 

Following its key findings, the COI listed several recommendations regarding ways to buttress cybersecurity within Singapore’s public healthcare clusters.

Firstly, it stated that “an enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions”, as “cybersecurity must be viewed as a risk management issue, and not merely a technical issue”.

“Decisions should be deliberated at the appropriate management level, to balance the trade-offs between security, operational requirements, and cost,” said the COI.

Secondly, the COI stated that “the cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats”.

This includes the need to “identify gaps in the cyber stack by mapping layers of the IT stack against existing security technologies” and filling “gaps in response technologies” by “acquiring endpoint and network forensics capabilities”.

“The effectiveness of current endpoint security measures must be reviewed to fill the gaps exploited by the attacker,” it added.

Additionally, the COI stated that “network security must be enhanced to disrupt the ‘Command and Control’ and ‘Actions on Objective’ phases of the Cyber Kill Chain”.

“Application security for email,” the report added, “must be heightened”.

Thirdly, the COI called for an improvement in “staff awareness on cybersecurity” to “enhance capacity to prevent, detect, and respond to security incidents”.

“The level of cyber hygiene among users must continue to be improved,” argued the COI.

It suggested the implementation of a “Security Awareness Programme” to “reduce organisational risk”, and equipping IT staff “with sufficient knowledge to recognise the signs of a security incident in a real-world context”.

Other recommendations made by the COI include performing regular “enhanced security checks”, greater control over “privileged administrator accounts”, cross-sector partnerships between the IT industry and the government to strengthen collective security, and drawing clearer guidelines for staff in terms of reporting possible cybersecurity breaches.

“A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered,” said the COI.

“IHiS should consider working with experts to ensure that no traces of the attacker are left behind,” it added.

The findings listed in the COI report with regard to IHiS’s role in preventing the cyberattacks contrast with the statement of Commissioner of Cyber Security Agency David Koh, who testified last year that IHiS was “strategically headed in the right direction”, and that the flaws in handling such cybersecurity breaches on the part of its staff members “should not call into question the capabilities or commitment of IHiS management or staff as a whole”.

Minister-in-charge of Cyber Security S Iswaran and Health Minister Gan Kim Yong will be delivering ministerial statements in Parliament next week in response to the report.

The full 450-page report can be accessed here.
