Staff lapses and IT system vulnerabilities are key reasons behind SingHealth cyberattack, according to COI Report

The Committee of Inquiry, which was convened on 24 July 2018, made five key findings and a total of 16 recommendations for SingHealth and IHiS to improve their cybersecurity defences.
By Dean Koh
09:24 PM

A SingHealth polyclinic in Singapore. (Credit: Heartbeat @ Bedok).

After 22 days of public and private hearings involving 37 witness accounts from August to November 2018, the Committee of Inquiry, convened to inquire into the events and contributing factors leading to the cyberattack on Singapore Health Services Private Limited (SingHealth)’s patient database system, has released its 454-page public report today.

Between late June and early July 2018, hackers breached SingHealth’s Sunrise Clinical Management (SCM) database with a “deliberate, targeted and well-planned” cyberattack, accessing the data of about 1.5 million patients, including Prime Minister Lee Hsien Loong.

In the report, the Committee identified five key findings:

  • Integrated Health Information Systems (IHiS)* staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack

  • Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack

  • There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack

  • The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group

  • While cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable

The Committee also made a total of 16 recommendations, comprising seven Priority Recommendations and nine Additional Recommendations.

The seven Priority Recommendations are:

  • An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions

  • The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats

  • Staff awareness on cybersecurity must be improved to enhance capacity to prevent, detect, and respond to security incidents

  • Enhanced security checks must be performed, especially on Critical Information Infrastructure (CII) systems

  • Privileged administrator accounts must be subject to tighter control and greater monitoring

  • Incident response processes must be improved for more effective response to cyber attacks

  • Partnerships between industry and government to achieve a higher level of collective security

Some of the Additional Recommendations include:

  • IT security risk assessments and audit processes must be treated seriously and carried out regularly

  • Enhanced safeguards must be put in place to protect electronic medical records

  • Incident response plans must more clearly state when and how a security incident is to be reported

The report also indicated that IHiS and SingHealth should give priority to implementing the recommendations, that adequate resources and attention must be devoted to their implementation, and that there must be appropriate oversight and verification of their implementation.

The full report can be accessed here.
*IHiS is the Ministry of Health’s IT arm.