The 453-page report on last year’s cyber attack on SingHealth shows a number of basic mistakes that could have prevented the breach from occurring, including the failure of an IT cyber-security team to discern a security incident, administrator passwords that were simply not strong enough, phishing attacks on the staff, and others.
These errors led to the most severe data breach that Singapore has ever experienced, the Straits Times (ST) reported on January 10, based on the findings of a high-level panel that looked into the matter.
Because weak cyber-security methods were practiced, advanced cyber-attackers, who are believed to be state-linked, were able to penetrate security measures. Singapore has officially reached out to law enforcement agencies overseas to obtain information concerning the users of the servers connected to the data breach.
There are 16 recommendations from the high-level panel report to strengthen the country’s defenses and to keep critical information infrastructure (CII) systems safe.
These include CII owners such as SingHealth setting rules for protection against cyber-security threats, to be reviewed at least yearly.
Another recommendation is for systems administrators to use two-factor authentication and passphrases in lieu of passwords.
Threat intelligence should also be shared between the industry and the national government.
A particular recommendation is for SingHealth to have a sole cyber-security “risk man” instead of just the IT management vendor, Integrated Health Information Systems (IHiS), to take care of cybersecurity as a whole. To date, IHiS oversees all the domain expertise and resources to detect and manage cyber-security risks, which the Committee of Inquiry (COI) fears could be unsustainable over time.
The COI pointed out that the attack could have been prevented had it not been for “a blanket of middle-management mistakes” from IHiS, the central IT agency for Singapore’s healthcare sector. These include misconceptions concerning cyber-security incident from one middle manager, who put off telling about network intrusions because he was afraid it would put more pressure on him and his team.
Additionally, cluster information security officer Wee Jia Huo, the key technology “risk man” at IHiS, showed “an alarming lack of concern” at the realization of a possible breach in a critical system.
These mistakes led to hackers accessing and stealing the personal data of 1.5 million patients and the outpatient prescription details of 160,000 people, which included that of Prime Minister Lee Hsien Loong himself, between June 27 to July 4, 2018.
According to the report, “The attacker had a clear goal in mind, namely, the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients.
The attacker was stealthy but not silent, and signs of the attack were observed by IHiS’ staff. Had IHiS’ staff been able to recognize that an attack was ongoing and take appropriate action, the attacker could have been stopped before it achieved its objectives.”
The report also pointed out how the organizational culture was also at fault. “One must not lose sight of the fact that the treatment of cyber-security issues and incidents by staff and middle management is very much shaped by organizational culture.”
There is also a more complete “top secret” report, unpublished in the interest of national security, which shows the attacker’s identity and methods, as well as SingHealth’s system vulnerabilities. This was submitted on December 31 to Minister-in-charge of Cyber Security S. Iswaran.
The public report also states “Since the incident, we have reinforced the culture of personal ownership of cyber defense so that every staff is empowered to identify and report cyber-security threats.”
The CEO of IHiS, Bruce Liang has said, “We will… do our utmost to drive change throughout our organization, with patient well-being as our priority.”
https://theindependent.sg.sg/coi-unearths-severe-management-inaction-and-ineptitude-that-could-have-led-to-how-easily-singhealth-was-hacked/