The results of an investigation into a data breach at SingHealth, Singapore’s largest health network, highlight the importance of even the most basic cybersecurity practices for organisations across the globe.
The data breach at SingHealth occurred in June 2018, when hackers gained access to the records of 1.5 million people, a huge proportion of Singapore’s 5.6 million residents. The health records of a number of high-profile figures were taken, including the country’s Prime Minister, Lee Hsien Loong. Authorities stated that it was a “deliberate, targeted and well-planned cyber attack”.
The scale of the attack warranted a special breach response. The Committee of Inquiry was created, and an investigation was launched to reveal the causes of the breach and assess its scope.
The committee’s findings were published this week. They were damning for SingHealth; investigators revealed that the organisation had failed to implement basic cybersecurity measures and was vulnerable to attack. It is believed that the hackers gained access to the network after one front-end workstation was infected with malware.
The investigation revealed that had SingHealth applied a patch to correct a single vulnerability in its network, the attack could have been avoided. The failure to fix such a simple error was just one of many data security failings detailed in a 453-page report of the investigation.
The cyberattack was believed to have been conducted by a nation-state sponsored hacking group. However, the gaps in security were so large that even an unskilled hacker could have gained access to the system and caused an equally large breach of sensitive information.
SingHealth relied solely on a third-party IT management company, Integrated Health Information Systems (IHiS), to assess and manage cyber risk. Numerous failures were detected at the firm.
Although the attack was well-crafted, the signs of a breach were identified by the IT management company. However, no action was taken to prevent the hackers from exploiting the vulnerabilities to achieve their main aim: to obtain the health information and prescription details of the Prime Minister.
The failure to stop the hackers was the result of a number of blunders at the IT organisation: a middle manager lacked the correct information about what constituted a reportable cybersecurity incident and failed to report network intrusions out of fear that it would result in additional pressure on his team. A key member of staff at the firm displayed “an alarming lack of concern” about the fact that systems had apparently been breached. As a result of this lack of concern and the firm’s failure to take prompt action over the breach, the hackers had time to compromise the patient data. The data theft occurred between June 27 and July 4. Had the incident been escalated to Singapore’s Cyber Security Agency, the theft of data could have been prevented.
The investigation revealed training inadequacies at IHiS; staff largely lacked cybersecurity awareness and had not been sufficiently trained to recognise an attack in progress and respond effectively.
At SingHealth, cybersecurity was viewed as an IT management issue rather than a risk management issue and too much reliance was placed on the IT management firm to ensure that its systems were protected.
There was a failure to assess all cybersecurity protections and procedures and ensure they were sufficient to prevent and respond to APT attacks. Routine checks were not performed to assess vulnerabilities and penetration tests had not been conducted.
Other basic security measures such as two-factor authentication or strong password requirements had not been implemented, and there was a lack of control over administrative accounts. IT security risk assessments were not sufficiently thorough and were not conducted with sufficient regularity. Insufficient safeguards had been implemented to protect the EHR database and incident response procedures were not effective.
In total, 16 recommendations were made by the investigators to improve security, seven of which were rated critical.
The critical recommendations are:
- An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions
- The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats
- Staff awareness on cybersecurity must be improved to enhance capacity to prevent, detect, and respond to security incidents
- Enhanced security checks must be performed, especially on Critical Information Infrastructure (CII) systems
- Privileged administrator accounts must be subject to tighter control and greater monitoring
- Incident response processes must be improved for more effective response to cyber attacks
- Partnerships between industry and government to achieve a higher level of collective security
The SingHealth data security breach provides a warning to healthcare companies around the world: not only must you ensure that your own organisation’s security practices are up to scratch, but you must be certain that any third party you rely on for security purposes is fully capable of performing its duties.
In addition to this, the numerous cybersecurity failings within SingHealth highlight the importance of basic best practices for a robust cybersecurity framework. Employee training is also essential if the risks of a cyberattack are to be truly minimised.