Probe report on SingHealth data breach points to basic failings

COI releases key findings on cyber attack, and makes 16 recommendations with priority for 7

Staff who fell prey to phishing attacks. Weak administrator passwords. Not applying a patch that could have stopped the hacking. And an IT cyber-security team that could not even recognise a security incident.

These were among the basic failings that opened the door to Singapore's worst data breach, according to the public report by a high-level panel tasked to probe last June's cyber attack on SingHealth.

And such lax cyber-security practices were no match for the sophisticated cyber attackers, believed to be state-linked. In fact, the Singapore authorities contacted foreign law enforcement agencies for information on the users behind servers linked to the attack.

The 453-page report also offers 16 recommendations - seven of them classified as "priority" - to shore up defences at organisations responsible for critical information infrastructure (CII) systems.

Among other things, CII owners including SingHealth must set rules, to be reviewed at least once a year, to protect their systems against cyber-security threats.

All administrators must use two-factor authentication, and the use of passphrases instead of passwords should be considered. The industry and the Government should also share threat intelligence.

One key recommendation is that SingHealth appoint its own cyber-security "risk man" rather than rely solely on its IT management vendor, Integrated Health Information Systems (IHiS), for such oversight.

At present, all the domain expertise and resources to detect and manage cyber-security risks lie with IHiS, which the Committee of Inquiry (COI) said is "difficult to sustain" in the long run.

The report also provides a blow-by-blow account of the events that led to the cyber attack.

Despite the attackers being sophisticated, the COI said, the data breach could have been averted if not for "a blanket of middle-management mistakes" at IHiS, Singapore's central IT agency for the healthcare sector.

For instance, a middle manager of cyber security at IHiS had misconceptions of what constitutes a cyber-security incident, and delayed reporting the network intrusions for fear that additional pressure would be put on him and his team.

Also, the key technology "risk man" at IHiS - cluster information security officer Wee Jia Huo - displayed "an alarming lack of concern" when it was clear that a critical system had been potentially breached.

These lapses contributed to successful data exfiltration from SingHealth's electronic medical records system from June 27 to July 4 last year. Hackers stole the personal data of 1.5 million patients and the outpatient prescription details of 160,000 people, including Prime Minister Lee Hsien Loong.

"The attacker had a clear goal in mind, namely, the personal and outpatient medication data of the Prime Minister in the main, and also that of other patients," the report said.

But it also noted: "The attacker was stealthy but not silent, and signs of the attack were observed by IHiS' staff. Had IHiS' staff been able to recognise that an attack was ongoing and take appropriate action, the attacker could have been stopped before it achieved its objectives."

Organisational culture was to blame for some of the missteps.

"One must not lose sight of the fact that the treatment of cyber-security issues and incidents by staff and middle management is very much shaped by organisational culture," wrote the COI, chaired by retired judge Richard Magnus.

This public report follows the submission of a fuller "top secret" report - detailing the attacker's identity and methods, and SingHealth's system vulnerabilities - to Minister-in-charge of Cyber Security S. Iswaran on Dec 31 last year. The fuller report is not published for national security reasons.

Responding to the public report, Professor Ivy Ng, SingHealth group chief executive officer, said: "Since the incident, we have reinforced the culture of personal ownership of cyber defence so that every staff is empowered to identify and report cyber-security threats."

Mr Bruce Liang, IHiS chief executive officer, said: "We will... do our utmost to drive change throughout our organisation, with patient well-being as our priority."

A version of this article appeared in the print edition of The Straits Times on January 10, 2019, with the headline Probe report on SingHealth data breach points to basic failings.