A Committee of Inquiry (COI) tasked with looking into Singapore’s worst-ever cyberattack said the success of the attacker was “not inevitable”, while highlighting staff lapses and systemic vulnerabilities in the SingHealth network.
“While our cyber defences will never be impregnable…the success of the attacker in obtaining and exfiltrating the data was not inevitable,” said the four-member COI in its final report on the 2018 SingHealth cyberattack, adding that the attacker was “stealthy but not silent”.
The report, a redacted version of which was released to the public on Thursday (10 January), emphasised that “vulnerabilities, weaknesses and misconfigurations” in the SingHealth network contributed to the attacker’s success. It also pointed to lapses by staff at the Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector.
These were some of the key findings of the COI, alongside its 16 recommendations on improving the Republic’s cybersecurity landscape. It followed 22 days of public hearings in late 2018, in which the COI heard from 37 witnesses. It also assessed 26 written submissions.
The full version of the report was classified “Top Secret” and delivered to Minister-in-Charge of Cybersecurity S. Iswaran, who appointed the COI, on New Year’s Eve. The public report does not include sensitive information such as details of SingHealth’s network architecture, and how agencies identified the attacker.
Both Iswaran and Health Minister Gan Kim Yong will address the report in separate Ministerial Statements during a Parliament sitting on 14 January. The statements are expected to include details of disciplinary measures for staff lapses.
Cyberattack by ‘skilled and sophisticated actor’
The personal particulars of 1,495,364 unique patients – including that of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database during the cyberattack which occurred between 27 June and 4 July last year. The data comprises the patients’ demographic records and the dispensed medication records of about 159,000 of them.
“The Prime Minister’s personal and outpatient medication data was specifically targeted and repeatedly accessed,” noted the COI. IHiS senior management were only informed of the matter on 9 July. The following day, it was escalated to the Cyber Security Agency and other health agencies.
Due to further malicious activities on 19 July, Internet surfing separation was implemented for SingHealth the next day. No further suspicious activity was detected after 20 July, and the public was notified of the attack on the same day.
At the time, questions were raised as to the 10-day delay in notifying the public of the attack. When queried in Parliament, Minister Gan said it was because authorities were still working to, among others, identify the data that was compromised and to protect it.
Authorities have declined to elaborate on the identity of the attacker. However, the COI noted that the attacker bore the characteristics of an Advanced Persistent Threat group – a clandestine attack in which a person or group gains access to a network and remains undetected for an extended period of time.
The COI established that the attacker first gained access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations before moving laterally in the network several months later.
22 days of public hearings
The four-member committee was chaired by retired chief district judge Richard Magnus. The other three members on the committee were Lee Fook Sun, Executive Chairman of Ensign InfoSecurity; T K Udairam, Group Chief Operating Officer of Sheares Healthcare Management; and Cham Hui Fong, Assistant Secretary-General of the National Trades Union Congress.
Among its terms of reference, the COI was given a fact-finding remit and asked to recommend measures to reduce the risk of such cyberattacks on public sector IT systems which contain large databases of personal data, including in the other public healthcare clusters.
During the COI hearings, which were held from September to November 2018, details of numerous lapses by IHiS staff were revealed. For example, a veteran database administrator did not immediately recognise that the multiple failed attempts to log-in to the SingHealth database she had encountered on 4 July amounted to a “serious security incident”.
The COI also concluded that IHiS staff did not have “adequate levels of cybersecurity awareness, training and resources”, and that some key appointment holders failed to take “appropriate, effective or timely action”. For example, the Security Incident Response manager delayed reporting “because he felt that additional pressure would be put on him and his team once the situation became known to management”.
7 priority recommendations
The COI’s recommendations, seven of which are priority recommendations, include “strategic and operational measures to uplift the cybersecurity posture of SingHealth and IHiS”.
For example, IHiS and public health institutions must adopt an enhanced security structure. Staff awareness on cybersecurity must be improved, while incident response processes must be improved and privileged administrator accounts subject to tighter control.
The government has accepted all the recommendations and some have already been put in place. For example, IHiS has initiated 18 new security measures to be implemented progressively, such as two-factor authentication and automatically updating and protecting administrator accounts.
And while the COI conceded that some of its proposed measures seem “axiomatic”, it pointed out that “these were not implemented effectively by IHiS at the time of the attack”.
When asked about the COI’s proposals, Tin Aung Win, vice-president of Singapore Computer Society Infocomm Security Chapter, noted that they are “basic hygiene recommendations” for managing assets, people and technology.
“It is more of governance than the technical side, and making sure that accountability and responsibility is established. The devil is in the details, and the implementation has to be high level.”
Win stressed that strengthening Singapore’s cybersecurity environment has to be a “prolonged effort” by bureaucrats, politicians and the public. “We need to educate people constantly. Most of the time, it’s due to someone doing misconfigurations, like weak passwords. We need to constantly do this so that it becomes part of working life.”
Reactions from MOH, SingHealth and IHiS
Thanking the COI for its recommendations, the Ministry of Health (MOH) again apologised to the affected patients for the cyberattack incident.
“Patient wellbeing is our top priority. This includes safeguarding the confidentiality of patient data, as well as ensuring safe and effective patient care,” MOH said.
“We welcome the COI’s recommendations to enhance our cybersecurity safeguards, and will work with our healthcare institutions to study and implement the recommendations and strengthen the healthcare sector’s resilience against cyberattacks.”
SingHealth also responded to the COI’s recommendations, saying that it is fully committed to protecting patient data.
“Since the incident, we have reinforced the culture of personal ownership of cyber defence, so that every staff is empowered to identify and report cybersecurity threats,” said SingHealth.
In the coming months, SingHealth added that its priority will be to work closely with MOH, IHiS and industry experts to “proactively implement” the COI recommendations to strengthen its cybersecurity defence.
Bruce Liang, CEO of IHiS, said, “The SingHealth cyberattack has revealed a number of key areas that we need to strengthen – from processes and systems to organisational structure and people. We will carefully study the recommendations in the COI report and do our utmost to drive change throughout our organisation, with patient wellbeing as our priority.”