Inadequate cybersecurity awareness and training, the failure of IT staff in key incident-response and reporting roles to act on and report security incidents promptly, and vulnerabilities and misconfigurations in the SingHealth network and systems were some of the key findings cited in the Committee of Inquiry (COI) report on the SingHealth cyberattack that took place in July last year.

The COI on the SingHealth cyberattack, which was dubbed the largest data breach in Singapore’s history, was convened on 24 Jul.

Chaired by former Chief District Judge and current member of the Public Service Commission, Mr Richard Magnus, the four-member COI was tasked with probing the cybersecurity breach against SingHealth’s patient records.

The cyberattack affected personal medical data – such as outpatient prescriptions – of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong.

A series of cyberattacks on the public healthcare clusters took place between 23 Aug 2017 and 20 July last year, the report added.

The report stated that the “Citrix servers”, through which the SingHealth Sunrise Clinical Manager (SCM) system, described as “the crown jewels of the SingHealth network”, could be accessed, “played a critical role in the Cyber Attack”.

“The SCM is an electronic medical records software solution, which allows healthcare staff to access real-time patient data. The SCM system can be seen as comprising front-end workstations, Citrix servers, and the SCM database.

“Users would access the SCM database via Citrix servers, which operate as an intermediary between front-end workstations and the SCM database,” the report read.

Integrated Health Information Systems Private Limited (IHiS), the central IT agency for Singapore’s public healthcare sector, was “responsible for administering and operating the system, including implementing cybersecurity measures”, in addition to being in charge of “security incident response and reporting”, according to the COI report.

The COI report listed several key findings based on the information gathered from the series of events prior to, during, and following the cybersecurity breach:

Firstly, the COI found that “IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack”.

It elaborated that while “a number of IHiS’ IT administrators are commended by the Committee for their vigilance in noticing suspicious activity” such as unauthorised logins or suspicious attempts at logging into the database, these same IT administrators “could not fully appreciate the security implications of their findings” and were consequently “unable to correlate these findings with the tactics, techniques, and procedures of an advanced cyber attacker”.

“They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA.

“There was also no incident reporting framework in place for the IT administrators,” added the COI in its report.

It also noted that “Members of the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management were similarly unable to fully appreciate the security implications of the findings”.

Secondly, the COI found that “Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack”.

The report pinpointed “the Security Incident Response Manager (SIRM) and Cluster Information Security Officer (Cluster ISO) for SingHealth, who were responsible for incident response and reporting”, and said that they “held mistaken understandings of what constituted a ‘security incident’, and when a security incident should be reported”.

Illustrating its point, the COI stated: “The SIRM delayed reporting because he felt that additional pressure would be put on him and his team once the situation became known to management.

“The evidence also suggests that the reluctance to escalate the matter may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm,” it argued.

“The Cluster ISO,” on the other hand, “did not understand the significance of the information provided to him, and did not take any steps to better understand the information”.

“Instead, he effectively abdicated to the SIRM the responsibility of deciding whether to escalate the incident,” said the COI.
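The two gaps the COI describes above, administrators who noticed suspicious database logins but could not correlate them with an attacker’s tactics, and an incident-response chain with no fixed rule for what counts as a “security incident” and when it must be reported, are the kind of thing a small correlation rule closes. The following Python script is an added illustration and is not code from the COI report, IHiS or SingHealth: it parses constructed log lines in a hypothetical key=value format (hostnames, addresses, user names, timestamps and the thresholds are all invented), flags a burst of failed database logins from one host, flags a successful administrator login that skipped 2FA, and applies a fixed escalation rule when both indicators appear on the same host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "TIMESTAMP key=value ..." format.
# Hostnames, addresses, users and timestamps are invented, not taken from the COI report.
SAMPLE_LOGS = """\
2018-06-11T03:12:41 host=CITRIX-SGH-01 event=db_login result=FAIL user=sa db=SCM src=10.10.20.5
2018-06-11T03:12:55 host=CITRIX-SGH-01 event=db_login result=FAIL user=sa db=SCM src=10.10.20.5
2018-06-11T03:13:20 host=CITRIX-SGH-01 event=db_login result=FAIL user=sa db=SCM src=10.10.20.5
2018-06-11T03:14:02 host=CITRIX-SGH-01 event=db_login result=FAIL user=sa db=SCM src=10.10.20.5
2018-06-11T03:15:30 host=CITRIX-SGH-01 event=db_login result=FAIL user=sa db=SCM src=10.10.20.5
2018-06-11T03:16:07 host=CITRIX-SGH-01 event=db_login result=FAIL user=sa db=SCM src=10.10.20.5
2018-06-11T09:05:10 host=WKS-CLINIC-22 event=db_login result=OK user=nurse01 db=SCM src=10.30.1.14
2018-06-11T22:48:19 host=CITRIX-SGH-02 event=db_login result=FAIL user=sa db=SCM src=10.10.20.6
2018-06-12T01:02:44 host=CITRIX-SGH-02 event=db_login result=FAIL user=sa db=SCM src=10.10.20.6
2018-06-12T02:40:03 host=CITRIX-SGH-01 event=admin_login result=OK user=l.admin mfa=none src=10.10.20.5
"""

FAIL_THRESHOLD = 5                    # failed database logins from one host ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window count as a burst (assumed values)


def parse_logs(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            rec = {"ts": datetime.fromisoformat(parts[0])}
        except ValueError:
            continue
        for kv in parts[1:]:
            key, sep, value = kv.partition("=")
            if sep:
                rec[key] = value
        records.append(rec)
    return records


def failed_db_login_bursts(records, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return {host: peak failures inside one window} for hosts whose failed
    database logins reach the threshold within a sliding time window."""
    times_by_host = defaultdict(list)
    for r in records:
        if r.get("event") == "db_login" and r.get("result") == "FAIL":
            times_by_host[r["host"]].append(r["ts"])
    bursts = {}
    for host, times in times_by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[host] = max(bursts.get(host, 0), count)
    return bursts


def admin_logins_without_mfa(records):
    """Hosts where an administrator login succeeded via a route that skipped 2FA."""
    return sorted({r["host"] for r in records
                   if r.get("event") == "admin_login"
                   and r.get("result") == "OK"
                   and r.get("mfa") == "none"})


def assess(records):
    """Correlate both indicators per host and apply a fixed escalation rule, so the
    question 'is this a security incident?' is not left to individual judgment."""
    bursts = failed_db_login_bursts(records)
    no_mfa = set(admin_logins_without_mfa(records))
    findings = {}
    for host in set(bursts) | no_mfa:
        indicators = []
        if host in bursts:
            indicators.append(f"{bursts[host]} failed database logins within {FAIL_WINDOW}")
        if host in no_mfa:
            indicators.append("successful administrator login without 2FA")
        both = host in bursts and host in no_mfa
        findings[host] = {
            "severity": "INCIDENT" if both else "SUSPICIOUS",
            "failed_db_logins": bursts.get(host, 0),
            "admin_login_without_2fa": host in no_mfa,
            "indicators": indicators,
            "action": ("report as a security incident and escalate to CSA" if both
                       else "investigate and record; escalate if a second indicator appears"),
        }
    return findings


if __name__ == "__main__":
    for host, f in assess(parse_logs(SAMPLE_LOGS)).items():
        print(host, f["severity"], "; ".join(f["indicators"]), "->", f["action"])
```

On the sample above only CITRIX-SGH-01 is reported: it has six failed logins to the database inside four minutes and, the next night, an administrator login that did not go through 2FA, so the rule classifies it as an incident to be reported rather than a curiosity for one administrator to sit on. CITRIX-SGH-02 has two failures spread over hours and stays below the threshold. The point of the fixed rule is the one the COI makes about the SIRM and the Cluster ISO: the decision to escalate should follow from defined indicators, not from how an individual feels about the consequences of raising a false alarm.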

Thirdly, the COI found that “there were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack”.

“A significant vulnerability,” it elaborated, “was the network connectivity … between the SGH Citrix servers and the SCM database, which the attacker exploited to make queries to the database”.

The COI also noted that “the SGH Citrix servers were not adequately secured against unauthorised access” and that “the process requiring 2-factor authentication (2FA) for administrator access was not enforced as the exclusive means of logging in as an administrator”.

“This allowed the attacker to access the server through other routes that did not require 2FA,” said the COI.

It added: “There was a coding vulnerability in the SCM application which was likely exploited by the attacker to obtain credentials for accessing the SCM database.”

The report also listed “a number of other vulnerabilities in the network which were identified in a penetration test in early 2017, and which may have been exploited by the attacker”, including “weak administrator account passwords and the need to improve network segregation for administrative access to critical servers such as the domain controller and the Citrix servers”.

“Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the Cyber Attack,” said the COI.

Cyberattacker was a “stealthy”, “persistent” and “well-resourced group”, but was “not silent”: COI on SingHealth cyberattack

The COI also touched on the motivation of the perpetrator of the cyberattack, which it believed was clearly to obtain “the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients”.

The COI noted that while the cyberattacker was a “stealthy”, “persistent” and “well-resourced group”, it was “not silent”, and “signs of the attack were observed by IHiS’ staff”, who could have acted on them had the signs been properly recognised.

“Doing so would have made it more difficult for the attacker to achieve its objectives,” stated the COI.

Steps taken by Integrated Health Information Systems Private Limited (IHiS), the central IT agency for Singapore’s public healthcare sector, to buttress cybersecurity within Singapore’s public healthcare system, Annex B. Source: Report of the Committee of Inquiry (COI) into the Cyber Attack on SingHealth

Following its key findings, the COI listed several recommendations regarding ways to buttress cybersecurity within Singapore’s public healthcare clusters.

Firstly, it stated that “an enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions”, as “cybersecurity must be viewed as a risk management issue, and not merely a technical issue”.

“Decisions should be deliberated at the appropriate management level, to balance the trade-offs between security, operational requirements, and cost,” said the COI.

Secondly, the COI stated that “the cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats”.

This includes the need to “identify gaps in the cyber stack by mapping layers of the IT stack against existing security technologies” and filling “gaps in response technologies” by “acquiring endpoint and network forensics capabilities”.

“The effectiveness of current endpoint security measures must be reviewed to fill the gaps exploited by the attacker,” it added.

Additionally, the COI stated that “network security must be enhanced to disrupt the ‘Command and Control’ and ‘Actions on Objective’ phases of the Cyber Kill Chain”.

“Application security for email,” the report added, “must be heightened”.

Thirdly, the COI urged for an improvement in “staff awareness on cybersecurity” to “enhance capacity to prevent, detect, and respond to security incidents”.

“The level of cyber hygiene among users must continue to be improved,” argued the COI.

It suggested the implementation of a “Security Awareness Programme” to “reduce organisational risk”, and equipping IT staff “with sufficient knowledge to recognise the signs of a security incident in a real-world context”.

Other recommendations made by the COI include performing regular “enhanced security checks”, tighter control over “privileged administrator accounts”, cross-sector partnerships between the IT industry and the government to strengthen collective security, and clearer guidelines for staff on reporting possible cybersecurity breaches.

“A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered,” said the COI.

“IHiS should consider working with experts to ensure that no traces of the attacker are left behind,” it added.

The findings listed in the COI report with regard to IHiS’s role in preventing the cyberattack contrast with the testimony of Commissioner of Cybersecurity David Koh, chief executive of the Cyber Security Agency (CSA), who said last year that IHiS was “strategically headed in the right direction”, and that the flaws in handling such cybersecurity breaches on the part of its staff members “should not call into question the capabilities or commitment of IHiS management or staff as a whole”.

Minister-in-charge of Cyber Security S Iswaran and Health Minister Gan Kim Yong will be delivering ministerial statements in Parliament next week in response to the report.

The full 450-page report can be accessed here.
