Inadequate cybersecurity awareness and training, failure of IT staff in significant positions to respond promptly to and report about instances of security-related incidents, and loopholes in the SingHealth IT system’s setup were some of the key findings cited in the Committee of Inquiry (COI) report on the SingHealth cyberattack that took place in July last year.
The COI on the SingHealth cyber attack, which was dubbed as the largest data breach in Singapore’s history, was convened on 24 Jul.
Chaired by former Chief District Judge and current member of the Public Service Commission, Mr Richard Magnus, the COI comprises four members who were tasked to probe into the cybersecurity breach against SingHealth’s patients’ records.
The cyberattack affected personal medical data – such as outpatient prescriptions – of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong.
A series of cyberattacks on the public healthcare clusters took place between 23 Aug 2017 and 20 July last year, the report added.
In what the report dubbed as “the crown jewels of the SingHealth network”, it was stated that “Citrix servers”, through which the SingHealth Sunrise Clinical Manager (SCM) could be accessed, “played a critical role in the Cyber Attack”.
“The SCM is an electronic medical records software solution, which allows healthcare staff to access real-time patient data. The SCM system can be seen as comprising front-end workstations, Citrix servers, and the SCM database.
“Users would access the SCM database via Citrix servers, which operate as an intermediary between front-end workstations and the SCM database,” the report read.
Integrated Health Information Systems Private Limited (IHiS), the IT arm of SingHealth, was “responsible for administering and operating the system, including implementing cybersecurity measures”, in addition to being in charge of “security incident response and reporting”, according to the COI report.
The COI report listed several key findings based on the information gathered from the series of events prior to, during, and following the cybersecurity breach:
Firstly, the COI found that “IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack”.
It elaborated that while “a number of IHiS’ IT administrators are commended by the Committee for their vigilance in noticing suspicious activity” such as unauthorised logins or suspicious attempts at logging into the database, these same IT administrators “could not fully appreciate the security implications of their findings” and were consequently “unable to co-relate these findings with the tactics, techniques, and procedures of an advanced cyber attacker”.
“They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA.
“There was also no incident reporting framework in place for the IT administrators,” added the COI in its report.
It also noted that “Members of the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management were similarly unable to fully appreciate the security implications of the findings”.
Secondly, the COI found that “Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack”.
The report pinpointed “the Security Incident Response Manager (SIRM) and Cluster Information Security Officer (Cluster ISO) for SingHealth, who were responsible for incident response and reporting”, and said that they “held mistaken understandings of what constituted a ‘security incident’, and when a security incident should be reported”.
Illustrating its point, the COI stated: “The SIRM delayed reporting because he felt that additional pressure would be put on him and his team once the situation became known to management.
“The evidence also suggests that the reluctance to escalate the matter may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm,” it argued.
“The Cluster ISO,” on the other hand, “did not understand the significance of the information provided to him, and did not take any steps to better understand the information”.
“Instead, he effectively abdicated to the SIRM the responsibility of deciding whether to escalate the incident,” said the COI.
Thirdly, the COI found that “there were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack”.
“A significant vulnerability,” it elaborated, “was the network connectivity … between the SGH Citrix servers and the SCM database, which the attacker exploited to make queries to the database”.
The COI also noted that “the SGH Citrix servers were not adequately secured against unauthorised access” and that “the process requiring 2-factor authentication (2FA) for administrator access was not enforced as the exclusive means of logging in as an administrator”.
“This allowed the attacker to access the server through other routes that did not require 2FA,” said the COI.
It added: “There was a coding vulnerability in the SCM application which was likely exploited by the attacker to obtain credentials for accessing the SCM database.”
“There were a number of other vulnerabilities in the network which were identified in a penetration test in early 2017, and which may have been exploited by the attacker,” stated the report, which “included weak administrator account passwords and the need to improve network segregation for administrative access to critical servers such as the domain controller and the Citrix servers”.
“Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the Cyber Attack,” said the COI.
Cyberattacker was a “stealthy”, “persistent” and “well-resourced group”, but were “not silent”: COI on SingHealth cyberattack
The COI also touched on the motivations of the perpetrator of the cyberattack, which, it believed, was clearly to obtain “the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients”.
The COI noted that while the cyberattacker was a “stealthy”, “persistent” and “well-resourced group”, they were “not silent,” and “signs of the attack were observed by IHiS’ staff” which, had they been properly recognised and dealt with by the IHiS staff members, would have prevented the infiltration in the first place.
“Doing so would have made it more difficult for the attacker to achieve its objectives,” stated the COI.
Following its key findings, the COI listed several recommendations regarding ways to buttress cybersecurity within Singapore’s public healthcare clusters.
Firstly, it stated that “an enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions”, as “cybersecurity must be viewed as a risk management issue, and not merely a technical issue”.
“Decisions should be deliberated at the appropriate management level, to balance the trade-offs between security, operational requirements, and cost,” said the COI.
Secondly, the COI stated that “the cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats”.
Such includes the need to “identify gaps in the cyber stack by mapping layers of the IT stack against existing security technologies” and filling “gaps in response technologies” by “acquiring endpoint and network forensics capabilities”.
“The effectiveness of current endpoint security measures must be reviewed to fill the gaps exploited by the attacker,” it added.
Additionally, the COI stated that “network security must be enhanced to disrupt the ‘Command and Control’ and ‘Actions on Objective’ phases of the Cyber Kill Chain”.
“Application security for email,” the report added, “must be heightened”.
Thirdly, the COI urged for an improvement in “staff awareness on cybersecurity” to “enhance capacity to prevent, detect, and respond to security incidents”.
“The level of cyber hygiene among users must continue to be improved,” argued the COI.
It suggested the implementation of a “Security Awareness Programme” to “reduce organisational risk”, and equipping IT staff “with sufficient knowledge to recognise the signs of a security incident in a real-world context”.
Among other recommendations made by the COI include performing regular “enhanced security checks”, greater control over “privileged administrator accounts”, cross-sector partnerships between the IT industry and the government to strengthen collective security, and drawing clearer guidelines for staff in terms of reporting possible cybersecurity breaches.
“A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered,” said the COI.
“IHiS should consider working with experts to ensure that no traces of the attacker are left behind,” it added.
The findings listed in the COI report with regards to IHiS’s role in preventing the cyberattacks are a contrast to the statement of Commissioner of Cyber Security Agency David Koh, who testified last year that IHiS was “strategically headed in the right direction”, and that the flaws in handling such cybersecurity breaches on the part of its staff members “should not call into question the capabilities or commitment of IHiS management or staff as a whole”.
Minister-in-charge of Cyber Security S Iswaran and Health Minister Gan Kim Yong will be delivering ministerial statements in Parliament next week in response to the report.
The full 450-page report can be accessed here.