Inadequate cybersecurity awareness and training, failure of IT staff in significant positions to respond promptly to and report about instances of security-related incidents, and loopholes in the SingHealth IT system’s setup were some of the key findings cited in the Committee of Inquiry (COI) report on the SingHealth cyberattack that took place in July last year.

The COI on the SingHealth cyber attack, which was dubbed the largest data breach in Singapore’s history, was convened on 24 Jul.

Chaired by former Chief District Judge and current member of the Public Service Commission, Mr Richard Magnus, the COI comprises four members who were tasked to probe into the cybersecurity breach against SingHealth’s patients’ records.

The cyberattack affected personal medical data – such as outpatient prescriptions – of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong.

A series of cyberattacks on the public healthcare clusters took place between 23 Aug 2017 and 20 July last year, the report added.

In what the report dubbed “the crown jewels of the SingHealth network”, it stated that “Citrix servers”, through which the SingHealth Sunrise Clinical Manager (SCM) could be accessed, “played a critical role in the Cyber Attack”.

“The SCM is an electronic medical records software solution, which allows healthcare staff to access real-time patient data. The SCM system can be seen as comprising front-end workstations, Citrix servers, and the SCM database.

“Users would access the SCM database via Citrix servers, which operate as an intermediary between front-end workstations and the SCM database,” the report read.

Integrated Health Information Systems Private Limited (IHiS), the IT arm of SingHealth, was “responsible for administering and operating the system, including implementing cybersecurity measures”, in addition to being in charge of “security incident response and reporting”, according to the COI report.

The COI report listed several key findings based on the information gathered from the series of events prior to, during, and following the cybersecurity breach:

Firstly, the COI found that “IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack”.

It elaborated that while “a number of IHiS’ IT administrators are commended by the Committee for their vigilance in noticing suspicious activity” such as unauthorised logins or suspicious attempts at logging into the database, these same IT administrators “could not fully appreciate the security implications of their findings” and were consequently “unable to co-relate these findings with the tactics, techniques, and procedures of an advanced cyber attacker”.

“They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA.

“There was also no incident reporting framework in place for the IT administrators,” added the COI in its report.

It also noted that “Members of the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management were similarly unable to fully appreciate the security implications of the findings”.

Secondly, the COI found that “Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack”.

The report pinpointed “the Security Incident Response Manager (SIRM) and Cluster Information Security Officer (Cluster ISO) for SingHealth, who were responsible for incident response and reporting”, and said that they “held mistaken understandings of what constituted a ‘security incident’, and when a security incident should be reported”.

Illustrating its point, the COI stated: “The SIRM delayed reporting because he felt that additional pressure would be put on him and his team once the situation became known to management.

“The evidence also suggests that the reluctance to escalate the matter may have come from a belief that it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm,” it argued.

“The Cluster ISO,” on the other hand, “did not understand the significance of the information provided to him, and did not take any steps to better understand the information”.

“Instead, he effectively abdicated to the SIRM the responsibility of deciding whether to escalate the incident,” said the COI.

Thirdly, the COI found that “there were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack”.

“A significant vulnerability,” it elaborated, “was the network connectivity … between the SGH Citrix servers and the SCM database, which the attacker exploited to make queries to the database”.

The COI also noted that “the SGH Citrix servers were not adequately secured against unauthorised access” and that “the process requiring 2-factor authentication (2FA) for administrator access was not enforced as the exclusive means of logging in as an administrator”.

“This allowed the attacker to access the server through other routes that did not require 2FA,” said the COI.
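The two weaknesses the COI describes here, administrator logons to the Citrix servers by routes other than 2FA and database access from the Citrix tier, are the kind of signals IT administrators could have escalated. The following is an added example (not from the report or from IHiS) of detection rules run over constructed sample log lines; the log format, host names, account names and thresholds are all assumptions for illustration.

```python
"""Escalation rules modelled on the COI findings (added example, not from the
report): flag privileged Citrix logons that did not use 2FA, and bursts of
failed SCM database logins originating from a Citrix server."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <event> host=<h> user=<u> src=<s> method=<m> result=<r>"
SAMPLE_LOG = """\
2018-06-11T08:01:10 citrix_login host=CITRIX-01 user=svc_admin src=10.0.1.5 method=2fa result=ok
2018-06-11T08:03:42 citrix_login host=CITRIX-02 user=svc_admin src=10.0.9.77 method=password result=ok
2018-06-11T08:05:00 db_login host=SCM-DB user=scm_app src=CITRIX-02 method=password result=fail
2018-06-11T08:05:07 db_login host=SCM-DB user=scm_app src=CITRIX-02 method=password result=fail
2018-06-11T08:05:15 db_login host=SCM-DB user=sa src=CITRIX-02 method=password result=fail
2018-06-11T08:05:30 db_login host=SCM-DB user=scm_app src=CITRIX-02 method=password result=ok
2018-06-11T09:00:00 db_login host=SCM-DB user=scm_app src=CITRIX-01 method=password result=ok
"""

CITRIX_HOSTS = {"CITRIX-01", "CITRIX-02"}   # assumed inventory of Citrix servers
ADMIN_ACCOUNTS = {"svc_admin"}              # assumed privileged accounts
FAIL_THRESHOLD, WINDOW = 3, timedelta(minutes=5)

def parse_event(line):
    """Turn one constructed log line into a dict of its fields."""
    ts, event, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec.update(ts=datetime.fromisoformat(ts), event=event)
    return rec

def find_escalations(log_text):
    """Return (rule, detail) alerts that should be reported as security incidents."""
    alerts, fails = [], defaultdict(list)
    for rec in map(parse_event, log_text.splitlines()):
        # Rule 1: privileged logon to a Citrix server by any route other than 2FA
        if (rec["event"] == "citrix_login" and rec["user"] in ADMIN_ACCOUNTS
                and rec["method"] != "2fa" and rec["result"] == "ok"):
            alerts.append(("admin_login_without_2fa",
                           f'{rec["user"]}@{rec["host"]} from {rec["src"]}'))
        # Rule 2: FAIL_THRESHOLD failed database logins from one Citrix server within WINDOW
        if rec["event"] == "db_login" and rec["src"] in CITRIX_HOSTS and rec["result"] == "fail":
            recent = [t for t in fails[rec["src"]] if rec["ts"] - t <= WINDOW] + [rec["ts"]]
            fails[rec["src"]] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("db_login_failure_burst",
                               f'{len(recent)} failures from {rec["src"]} to {rec["host"]}'))
    return alerts

if __name__ == "__main__":
    for rule, detail in find_escalations(SAMPLE_LOG):
        print(f"ESCALATE [{rule}] {detail}")
```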

It added: “There was a coding vulnerability in the SCM application which was likely exploited by the attacker to obtain credentials for accessing the SCM database.”

“There were a number of other vulnerabilities in the network which were identified in a penetration test in early 2017, and which may have been exploited by the attacker,” stated the report, which “included weak administrator account passwords and the need to improve network segregation for administrative access to critical servers such as the domain controller and the Citrix servers”.

“Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the Cyber Attack,” said the COI.

Cyberattacker was a “stealthy”, “persistent” and “well-resourced group”, but was “not silent”: COI on SingHealth cyberattack

The COI also touched on the motivations of the perpetrator of the cyberattack, which, it believed, was clearly to obtain “the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients”.

The COI noted that while the cyberattacker was a “stealthy”, “persistent” and “well-resourced group”, they were “not silent,” and “signs of the attack were observed by IHiS’ staff” which, had they been properly recognised and dealt with by the IHiS staff members, would have prevented the infiltration in the first place.

“Doing so would have made it more difficult for the attacker to achieve its objectives,” stated the COI.

Steps taken by Integrated Health Information Systems Private Limited (IHiS), the IT arm of SingHealth, to buttress cybersecurity within Singapore’s public healthcare system, Annex B. Source: Report of the Committee of Inquiry (COI) into the Cyber Attack on SingHealth

Following its key findings, the COI listed several recommendations regarding ways to buttress cybersecurity within Singapore’s public healthcare clusters.

Firstly, it stated that “an enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions”, as “cybersecurity must be viewed as a risk management issue, and not merely a technical issue”.

“Decisions should be deliberated at the appropriate management level, to balance the trade-offs between security, operational requirements, and cost,” said the COI.

Secondly, the COI stated that “the cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats”.

Such includes the need to “identify gaps in the cyber stack by mapping layers of the IT stack against existing security technologies” and filling “gaps in response technologies” by “acquiring endpoint and network forensics capabilities”.

“The effectiveness of current endpoint security measures must be reviewed to fill the gaps exploited by the attacker,” it added.

Additionally, the COI stated that “network security must be enhanced to disrupt the ‘Command and Control’ and ‘Actions on Objective’ phases of the Cyber Kill Chain”.

“Application security for email,” the report added, “must be heightened”.

Thirdly, the COI urged for an improvement in “staff awareness on cybersecurity” to “enhance capacity to prevent, detect, and respond to security incidents”.

“The level of cyber hygiene among users must continue to be improved,” argued the COI.

It suggested the implementation of a “Security Awareness Programme” to “reduce organisational risk”, and equipping IT staff “with sufficient knowledge to recognise the signs of a security incident in a real-world context”.

Other recommendations made by the COI include performing regular “enhanced security checks”, greater control over “privileged administrator accounts”, cross-sector partnerships between the IT industry and the government to strengthen collective security, and drawing up clearer guidelines for staff on reporting possible cybersecurity breaches.

“A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered,” said the COI.

“IHiS should consider working with experts to ensure that no traces of the attacker are left behind,” it added.

The findings listed in the COI report with regard to IHiS’s role in preventing the cyberattacks contrast with the statement of Cyber Security Agency Commissioner David Koh, who testified last year that IHiS was “strategically headed in the right direction”, and that the flaws in handling such cybersecurity breaches on the part of its staff members “should not call into question the capabilities or commitment of IHiS management or staff as a whole”.

Minister-in-charge of Cyber Security S Iswaran and Health Minister Gan Kim Yong will be delivering ministerial statements in Parliament next week in response to the report.

The full 450-page report can be accessed here.
