After 22 days of public and private hearings involving 37 witness accounts from August to November 2018, the Committee of Inquiry (COI) convened to inquire into the events and contributing factors leading to the cyberattack on Singapore Health Services Private Limited (SingHealth)’s patient database system, has released its 454-page public report today.
Between late June to early July 2018, hackers breached SingHealth’s Sunrise Clinical Management (SCM) database with a “deliberate, targeted and well-planned” cyberattack, accessing the data of about 1.5 million patients, including Prime Minister Lee Hsien Loong.
In the report, the Committee identified five key findings:
Integrated Health Information Systems (IHiS)* staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack
Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack
There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack
The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group
While cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable
The Committee also made a total of 16 recommendations, comprising seven Priority Recommendations and nine Additional Recommendations.
The seven Priority Recommendations are:
An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions
The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats
Staff awareness on cybersecurity must be improved to enhance capacity to prevent, detect, and respond to security incidents
Enhanced security checks must be performed, especially on Critical Information Infrastructure (CII) systems
Privileged administrator accounts must be subject to tighter control and greater monitoring
Incident response processes must be improved for more effective response to cyber attacks
Partnerships between industry and government to achieve a higher level of collective security
Some of the Additional Recommendations include:
IT security risk assessments and audit processes must be treated seriously and carried out regularly
Enhanced safeguards must be put in place to protect electronic medical records
Incident response plans must more clearly state when and how a security incident is to be reported
The report also indicated that the IHiS and SingHealth should give priority to implementing the recommendations, and adequate resources and attention must be devoted to their implementation, and there must be appropriate oversight and verification of their implementation.
The full report can be accessed here.
*IHiS is the Ministry of Health’s IT arm.