SINGAPORE - A lack of situational awareness and a tardy response were among factors that led to a massive SingHealth cyber attack which compromised the private data of 1.5 million patients.
Solicitor-General Kwek Mean Luck gave this summary in his opening statement as he kicked off the first public hearing to investigate the SingHealth cyber attack on Friday (Sept 21).
The four-member Committee of Inquiry (COI), headed by former chief district judge Richard Magnus, also heard that SingHealth’s cyber attacker first gained entry into the healthcare group’s network as early as August last year by infecting workstations. The attacker then moved laterally in the network from December last year to May this year.
"He made use of malware planted in one of the initially infected workstations to gain remote access to and control of that workstation, and then used commands to distribute malware to infect other computers," said Mr Kwek.
The attacker's ultimate target was SingHealth's electronic medical records (EMR) system, a critical information infrastructure (CII) in Singapore.
From May to June this year, the attacker exploited an inactive administrator account to remotely log into a server, which contained a link to another system containing the EMR database. The link should have been decommissioned but it was not. Multiple attempts were made to access the data via this link from June 27 to July 4.
The Cyber Security Agency (CSA), which investigated the attack, also found that one administrator account had a weak password, which could be easily decrypted.
Mr Kwek has been designated by the Attorney-General to lead evidence in the inquiry into Singapore's worst cyber breach. The Attorney-General's Chambers has led evidence in past COI hearings, such as the probe into the riot in Little India in December 2013.
Mr Kwek added that the attacker used the compromised administrator accounts to steal more credentials, which were then used to access the database.
Data exfiltration, or the unauthorised transfer of sensitive data, took place between June 27 and July 4 this year and involved 1.5 million SingHealth patients.
The SingHealth attack also led to the leakage of outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.
On July 4, the unauthorised data exfiltration attempts were terminated by Ms Katherine Tan, a database administrator at SingHealth's technology vendor Integrated Health Information Systems (iHiS), an agency which runs the IT systems of public healthcare institutions.
She will be taking the witness stand on Friday afternoon in Court 5A of the Supreme Court.
SingHealth’s EMR database contains the following data of 5 million patients:
- Patient demographic data
- Clinical episode information
- Doctors’, nurses’ and clinicians’ orders
- Clinical documentation
- Vital signs
- Medical alerts and allergies
- Diagnosis and health issues
- Vaccination details
- Discharge summaries
- Medical certificates
- Outpatient medication dispensed
Earlier on the same day, Mr Lum Yuan Woh, assistant director (Infra Services - Systems Management), provided an account of what happened.
The proceedings following them are private, as information affecting national security is expected to be shared.
Mr Kwek said that inadequate situational awareness and response to red flags contributed to the data breach.
Specifically, iHiS staff became aware of unauthorised access attempts on SingHealth's network from mid-June this year. But they did not report the incidents to iHiS senior management until the night of July 9.
Subsequently, SingHealth, the Ministry of Health and the CSA were informed on July 10.
The CSA then looked into the SingHealth attack with support from the Criminal Investigation Department. Singaporeans were told about the breach on July 20.
"The evidence will show that, notwithstanding what the iHiS staff knew from mid-June 2018, they did not fully appreciate that multiple cyber-security incidents culminating in a breach of the database were occurring," said Mr Kwek.
As a result, there was no timely reporting of the incident as required under the CSA's National Cyber Incident Response Framework, which has been effective since February 2016 and requires the CSA to be alerted within two hours.
Mr Kwek said the iHiS staff showed initiative by shutting down the server with the unwanted link to the EMR database and requiring people to change passwords after the incident. But he added that the moves “were nevertheless piecemeal and inadequate”.
Friday's COI hearing comes after the committee convened in private on July 24 to inquire into the events contributing to the breach. The first hearing by the high-level panel took place behind closed doors on Aug 28.
The committee is expected to shed light on what led to the data leak, and how the public healthcare sector can strengthen its responses and defences in future.
Its other members are Mr Lee Fook Sun, executive chairman of Ensign InfoSecurity; Mr T.K. Udairam, group chief operating officer of healthcare technology firm Sheares Healthcare Management; and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress.
Other witnesses expected to appear in the COI hearings, which are expected to last until Oct 5, include:
- iHiS director (delivery group) Ong Leong Seng
- CSA director Dan Yock Hau
- CSA deputy director Douglas Mun
- Former iHiS employee Zhao Hainan
- iHiS group chief information officer Benedict Tan
- iHiS chief executive officer Bruce Liang
- iHiS director (cyber security governance) Chua Kim Chuan
- SingHealth Deputy Group CEO (Organisational Transformation and Informatics) Kenneth Kwek