Tardy responses, owing to a lack of awareness of how critical the situation was, and multiple security inadequacies were among the factors that led to a massive SingHealth cyber attack compromising the personal data of 1.5 million patients.
For instance, one administrator account for the healthcare group's server that was linked to the electronic medical records (EMR) system had the password, P@ssw0rd, and was breached easily, Solicitor-General Kwek Mean Luck said yesterday.
He was delivering his opening statement at the first public hearing to investigate the SingHealth cyber attack, the extent of which was discovered and reported only after occurring for months.
Database administrators at the Integrated Health Information Systems (IHiS), which manages the IT system for all public hospitals, also testified that they had scant or no training on how to report security incidents.
The four-member Committee of Inquiry (COI), headed by former chief district judge Richard Magnus, will determine what led to the data leak and how the public healthcare sector can strengthen its responses and defences in future.
It heard yesterday that SingHealth's cyber attacker first gained entry into the healthcare group's network as early as August last year.
The attacker infected workstations with malware and moved laterally in the network between December and May this year, escaping detection by using techniques typical of a "skilled and sophisticated threat actor", said Mr Kwek, a Senior Counsel.
More witnesses to come
Other witnesses expected to appear at the Committee of Inquiry hearings, which are set to continue until Oct 5, include:
• IHiS director (delivery group) Ong Leong Seng
• Cyber Security Agency (CSA) National Cyber Incident Response Centre director Dan Yock Hau
• CSA National Cyber Incident Response Centre deputy director Douglas Mun
• Former IHiS employee Zhao Hainan
• IHiS group chief information officer Benedict Tan
• Ministry of Health chief information officer and IHiS chief executive officer Bruce Liang
• Ministry of Health chief information security officer and IHiS director (cyber security governance) Chua Kim Chuan
• SingHealth deputy group CEO (organisational transformation and informatics) Kenneth Kwek
The ultimate target was the critical information infrastructure of SingHealth's EMR system.
"IHiS' security measures were sufficient to prevent a conventional attack, but the nature of the cyber attack was far from conventional," noted Mr Kwek.
Between May and June, the attacker exploited inactive administrator accounts to remotely log in to a server that was linked to another system containing the EMR database. The attacker also made multiple failed attempts to log in to the database.
The open link, which had been set up temporarily for database migration to a new cloud-based system, was slated to be disconnected only this month. This link made possible multiple attempts, from June 27 to July 4, to access the EMR database and transfer information.
These attempts, which began undetected on June 27, were eventually discovered on July 4 and terminated by Ms Katherine Tan, a database administrator at IHiS. She highlighted the breaches to her colleagues and Mr Lum Yuan Woh, IHiS' assistant director (infra services - systems management).
The Cyber Security Agency of Singapore (CSA), which was informed of the attack on July 10 and began its own investigations, also found one administrator account to have contained a weak password, which could be decrypted easily.
That and other inactive administrator accounts were exploited to steal more credentials, which were eventually used to access and extract data from the EMR database.
The SingHealth attack led to the leakage of the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.
Taking the witness stand yesterday at the hearing held in Court 5A of the Supreme Court, Ms Tan told the COI she did not realise that the multiple failed attempts at accessing SingHealth's systems over the two months were related. Had she made the association, she added, "it would have been apparent to me that IHiS was dealing with a serious security incident".
Mr Kwek said the lack of situational awareness of IHiS staff contributed to the data breach. Specifically, the CSA requires such unauthorised access to be reported to it within two hours under its National Cyber Incident Response Framework, which has been effective since February 2016.
Although IHiS staff detected unauthorised failed attempts to access SingHealth's critical systems as early as June 11 this year, they did not alert IHiS senior management until the night of July 9.
Subsequently, SingHealth, the Ministry of Health and the CSA were informed on July 10.
Singaporeans were told about the breach on July 20.
"They did not fully appreciate that multiple cyber security incidents, culminating in a breach of the database, were occurring," said Mr Kwek.
Earlier yesterday, Mr Lum said he and his team members received no training in reporting cyber incidents. "No training or briefing was provided to me or my team on the IHiS Sirf (Security Incident Reporting Framework)," he said.
Mr Kwek said the IHiS staff showed initiative by changing the passwords of all administrators on July 5, and also by shutting down the server with the unwanted link to the EMR database. But he added that the moves "were nevertheless piecemeal and inadequate".