A Committee of Inquiry (COI) was set up last July to investigate the events and contributing factors that led to Singapore’s worst-ever cyberattack. It was set up shortly after the Ministry of Health announced that almost 1.5m SingHealth patient records had been compromised, including that of Prime Minister Lee Hsien Loong.
The aim of the committee was not only to look at events leading up to the attack, but to establish how IHiS and SingHealth responded. They were tasked with making recommendations to reduce the risk of such attacks on government systems containing large volumes of personal data.
Their findings were passed to Mr Iswaran, Minister in charge of Cybersecurity, on New Year’s Eve, and then published yesterday (Thursday 10 January).
It was established that the attacker first accessed SingHealth’s IT network in August 2017, and then moved through the network between December 2017 and June 2018. The cyber attack was first noticed in June 2018 by IHiS IT administrators after unauthorised logins and failed attempts to access the Sunrise Clinical Manager (SCM) database. They thought these attempts had been terminated, but they did not realise the hacker had access and had already begun exfiltrating patient data.
Unusual activity was also noticed on July 4, but it wasn’t until July 9 that the appropriate management and departments were notified. Investigations into this breach then began on July 10. A public announcement was made on July 20.
Lack of Cybersecurity awareness
Although the suspicious activity had been noticed, the report stated that the seriousness of these incidents was not realised by personnel, who also ‘were not familiar with IT security policy and the need to escalate to the CSA.’ Key staff in IT security response and reporting roles failed to take timely and appropriate action, resulting in missed opportunities to prevent the data breach.
Weaknesses in the SingHealth Network and Sunrise Clinical Manager (SCM) System
The report found that an open network connection between the Citrix SGH servers and the SCM database was a weakness that allowed the hacker to make queries on the database. It also found that servers were not secured well enough against unauthorised access. In early 2017, vulnerabilities in the network had been identified, but the committee discovered that these had not been resolved before the attack and may have been exploited by the attacker.
Recommendations to prevent future public sector cyber attacks
The committee made 16 recommendations, of which 7 are priority recommendations, to improve incident response plans for similar attacks, to better protect the SingHealth system and to protect other government databases containing large amounts of personal data.
The first was that IHiS and public health institutions must adopt an enhanced security structure. Systems should be reviewed to ensure they are able to defend against and respond to advanced threats, and staff knowledge of cybersecurity should be improved. The committee also recommended that enhanced security checks be performed on systems, with tighter controls on administrator accounts, and that incident response processes be improved. Collaboration between industry and government was advised to achieve a higher level of collective security.
The report stated that the recommendations outlined should take priority and that they should be given the resources and attention for their implementation. It was advised that this should come from senior management in order to set organisational mindset and culture.
The report noted that ‘these imperatives apply equally to all organisations responsible for large databases of personal data. We must recognise that cybersecurity threats are here to stay, and will increase in sophistication, intensity and scale. Collectively, these organisations must do their part in protecting Singapore’s cyberspace and must be resolute in implementing these recommendations.’
Mr Iswaran and Health Minister Gan Kim Yong will address the report in ministerial statements in Parliament on 14 January. More learning to come shortly…