The lessons learned from Singapore’s breach serve as a reality check to U.S. health organizations still failing to educate users, apply patches, and other common security methods.
January 10, 2019 - Singapore’s July 2018 personal data breach of 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, was caused by bad system management, a lack of employee training, and other major flaws, according to the 454-page report released today by the investigation committee.
The committee was formed shortly after the 2018 breach, which included the personal information of patients, along with the medical data of about 160,000 patients. They held 22 hearings shortly after, which revealed the breach went on about a year between August 2017 and July 2018.
Among the host of SingHealth failures, the committee found Integrated Health Information System (IHIS), the IT agency responsible for the public health system’s IT and security, lacked adequate cybersecurity awareness, resources, and training to properly respond to the cyberattack.
This was highlighted by their inaction when the properly identified suspicious activity around login attempts on its database, but failed to categorize the attempts as a cyberattack. Further, SingHealth lacked an incident reporting framework, and staff were unfamiliar with security policies, which meant they were unaware that the issue needed to be reported to Singapore’s Cyber Security Agency.
But employee training was not the only issue, the report found weaknesses, flaws, and misconfiguration issues throughout the network that allowed the hackers to successfully breach the system and exfiltrate data.
In fact, the cyberattackers gained access through a significant coding vulnerability in the connection between the Citrix servers at a public general hospital and its Service Control Manager (SCM) database. While the connectivity was used to make database queries and maintained for administrative tool and custom application support.
The committee found it to be unnecessary. Not only that but, according to the report, “the SGH Citrix servers were not adequately secured against unauthorized access.”
“Notably, the process requiring two-factor authentication for administrator access was not enforced as the exclusive means of logging in as an administrator,” the report authors wrote. “This allowed the attacker to access the server through other routes that did not require 2FA.”
What’s worse is that a number of these vulnerabilities were found during a 2017 pen test, such as weak administrator account passwords, and a need for network segmentation, but “the remediation process undertaken by IHIS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the cyberattack.”
Among the list of recommendations, officials noted the need for partnerships across the private sector and the government to enhance threat intelligence sharing and achieve a higher level of collective security.
Security Structure and Readiness: SingHealth’s IT team and all of its public health facilities need to adopt an enhanced security structure and readiness. Most notably, organizations should employ a defense-in-depth strategy, along with policies and procedures to address security gaps.
Security must be seen as a risk management issue, not just a tech problem, with the managers across the organization working together to “balance the tradeoffs between security, operational requirements, and cost.”
Review Cyber Stack
Officials need to review the cyber stack to determine if it’s adequate to defend and respond to advanced, persistent threats. This can be accomplished by mapping layers of the IT stack against current security tools.
Current gaps can be addressed by acquiring endpoint and network forensics capabilities, along with a review of the effectiveness of current endpoint security measures to secure those flaws.
Vulnerability assessments must be conducted regularly, along with safety reviews, evaluations, and certifications of vendor products. Further, pen testing, read teaming, and threat hunting must be considered.
Like many U.S. health organizations, the report authors noted that “the level of cyber hygiene among users must continue to be improved.”
“IT staff must be equipped with sufficient knowledge to recognize the signs of a security incident in a real-world context,” the report authors wrote.
Access Control Management
Officials recommended the use of two-factor authentication for performing administrator tasks, as well as the use of passphrases instead of passwords “to reduce the risk of account being compromised.”
“An inventory of administrative accounts should be created to facilitate rationalization of such accounts,” the report authors wrote. “Password policies must be implemented and enforced across both domain and local accounts.”
“Server local administrator accounts must be centrally managed across the IT network, they added. “Service accounts with high privileges must be managed and controlled.”