SingHealth breach review recommends remedies that should already be basic security policies
A culmination of bad system management and undertrained IT staff, among other gaps, resulted in Singapore's most severe cybersecurity breach last July, according to the committee formed to review the events leading up to the SingHealth incident.
It also recommends several steps the healthcare provider should take to plug the gaps and
Several of its suggested remedies, however, should already be standard security practice for an essential services provider, including maintaining "an enhanced security structure", improving staff awareness to detect and respond to cyberattacks, and performing regular cybersecurity system checks.
The 454-page report published today outlines 16 recommendations the committee said were made in light of its findings, testimonies from witnesses and Singapore's Cyber Security Agency (CSA), public submissions, as well as feedback from the Solicitor-General and key organisations including the Ministry of Health, SingHealth, and the IT agency responsible for the local healthcare sector, Integrated Health Information Systems (IHIS).
The review committee was formed shortly after the Health ministry in July 2018 revealed the personal data of 1.5 million SingHealth patients had been compromised, including that of the country's prime minister Lee Hsien Loong. Non-medical personal details, such as name and date of birth, of these patients had been accessed and copied and outpatient medical data of some 160,000 patients were also compromised.
The committee, which sat through 22 days of hearings involving 37 witnesses, noted in its report that the cyberattack had lasted for almost a year. Describing it as "unprecedented [in] scale and sophistication", the report revealed that the attack was carried out between August 23, 2017, and July 20 last year, during which SingHealth's patient database was illegally accessed.
The committee found that IHIS staff lacked adequate levels of cybersecurity awareness, training, and resources to understand the implications of the attack and respond effectively. While its IT administrators were able to identify suspicious attempts to log into the database, the same staff failed to correlate these findings with the tactics, techniques, and procedures of an advanced cyberattack.
In addition, there was no framework on incident reporting, the committee noted, adding that the IHIS employees were unfamiliar with IT security policies and unaware of the need to escalate the issue to CSA.
The report also noted vulnerabilities, weaknesses, and misconfigurations in SingHealth's network as well as its database, which ran Allscripts Healthcare Solutions' Sunrise Clinical Manager (SCM). These factors, it said, enabled the attackers to breach the system and exfiltrate the data.
In particular, the attackers had exploited a significant vulnerability in the network connectivity between Citrix servers located at a public general hospital and the SCM database to make queries against the database. This connectivity had been maintained to support the use of administrative tools and custom applications, which the committee found to be unnecessary.
Furthermore, the Citrix servers were poorly secured against unauthorised access, with two-factor authentication for administrator access not enforced. A coding vulnerability in the SCM application was also likely exploited to obtain credentials for accessing the database.
Date added: Jan. 11, 2019, 8:01 a.m.