SINGAPORE: A potent mix of pre-existing system vulnerabilities, staff lapses and extremely skilled hackers led to the cyberattack on SingHealth’s patient database last year, said a report from the Committee of Inquiry (COI) into the breach.



The voluminous 424-page public version of the report was released on Thursday (Jan 10).



The report, with sensitive information preserved and classified “Top Secret”, was submitted earlier to the Minister-in-charge of Cybersecurity S Iswaran in December.



It includes a detailed account of how the cyberattack happened, the responses, the key findings and 16 recommendations made by the four-member COI chaired by former chief district judge Richard Magnus.



The COI was appointed by Mr Iswaran, who is also Minister for Communications and Information.



In total, the COI heard from 37 witnesses in private and public hearings held over 22 days. It also received 26 written submissions from individuals, organisations and industry associations.





WHAT HAPPENED



In July last year, the Government said during a press conference that an attack of “unprecedented scale” and the “most serious breach of personal data” in Singapore’s history had taken place.



The attacker, believed to be state-sponsored, got away with SingHealth’s “crown jewels” – personal information of 1.5 million patients including their names, NRIC numbers and addresses. Among them, close to 159,000 patients had their outpatient medication records taken over a one-week period between Jun 26 and Jul 4.



This included the personal information and outpatient dispensed medicine of Prime Minister Lee Hsien Loong which were "specifically targeted and repeatedly accessed".



The attacker had gained initial access into SingHealth’s IT network a year earlier in August 2017 by infecting front-end workstations through a successful phishing attack, the report said.



Evidence suggests that this allowed malware to be installed and executed from one of the affected workstations with outdated security patches, and provided password credentials to the attacker, the report added.



The attacker had then lain dormant in the system for several months, which, according to the report, is a sign of a “skilled and sophisticated attacker”. The attacker then moved laterally in the network, gained control and compromised a large number of user and administrator accounts.



The earliest signs of compromise only popped up in June 2018 when the attacker began requesting information from the patient database managed by the central public healthcare IT agency, Integrated Health Information System (IHiS).



The attacker showed signs of “technical competence and mission-orientation” and targeted the system’s “crown jewels” with clear goals, persistence and advanced tactics, the report said. The attacker was able to exploit vulnerabilities such as weak passwords and loopholes like lapsed security updates and vague incident escalation procedures in the system.



The massive exploitation came to light on Jul 4 when an IHiS member of staff, whose role was to ensure operational efficiency instead of cybersecurity management, came across unusual activity in the patient database.



Out of concern that the activity was unauthorised, the matter was brought to the cybersecurity team, but the cybersecurity manager disagreed that the attack was severe. The report said that the manager’s response to the attack was “severely inadequate”.



Similarly, a senior information security officer whose job is to decide when to report a security incident to management did not carry out his duties. The report described his response as “clearly lacking” and said he displayed an “alarming lack of concern”.



From that evening, several IHiS administrators worked together to end the suspicious activity by blocking the attacker’s repeated requests for information and changing the passwords of the accounts used to access patient data.



From Jul 5 through to Jul 9, the IT administrators attempted to isolate, contain and defend against the attack, such as by performing scans and securing user accounts to limit access. The manager was also insistent on not escalating the incident to upper management.



“To sum up, considerable initiative was shown by officers on the front line … It is a shame that such initiative was then smothered by a blanket of middle management mistakes,” the report said.



A “war room” was later set up on Jul 10 with the matter escalated to upper management, MOH, the SingHealth Board, and the Cyber Security Agency (CSA).



Just when they thought the attack was over, as no more malicious activity had been detected after Jul 4, the attacker re-entered the system a week later on Jul 18 through another pathway and tried to re-establish control over the network, the report added.



“Apart from evading detection for almost 10 months from August 2017, the attacker was conscientious in erasing logs on compromised workstations and servers. Notably, the attacker even re-entered the network after being detected, to erase system and program logs,” the report said.



Following the detection of the cyberattack, containment measures including Internet Surfing Separation (ISS) were put in place on Jul 20 to contain the threat and prevent further compromise. After this, no further suspicious activity was detected in SingHealth’s network, the report said.



FIVE KEY FINDINGS



The COI made five key findings.



The first two relate to the competencies of and resources available to IHiS staff in responding to cyberattacks. Those in key positions in IT security incident response were found to have failed to take “appropriate, effective, or timely action” resulting in missed opportunities to prevent the cyberattack.



The COI also found that there were a number of vulnerabilities, weaknesses and misconfigurations in the SingHealth network that contributed to the attacker’s success.



Fourth, the attacker was found to be a “skilled and sophisticated” actor with the characteristics of an Advanced Persistent Threat (APT) group. Such groups are usually state-linked, and they conduct extended and carefully planned cyber campaigns to steal information or disrupt operations, the report said.



Lastly, although Singapore’s cyber defences will never be “impregnable”, especially given the advanced skills of an APT group, the success of the attack in obtaining and exfiltrating the data was ultimately “not inevitable”.



The report said the attacker would have found it more difficult to achieve its objectives had a number of vulnerabilities, weaknesses and misconfigurations been remedied before the attack.



‘AXIOMATIC’ MEASURES RECOMMENDED



The COI made 16 recommendations. These recommendations have three broad aims: To enhance the incident response plans for similar incidents, to better protect SingHealth’s patient database system against similar cybersecurity attacks, and to reduce the risk of such cybersecurity attacks on public sector IT systems which contain large databases of personal data.



They fall into five broad areas ranging from basic cyber hygiene measures to more advanced measures. Among the 16, seven are “priority recommendations” and must be implemented. The remaining nine are additional recommendations that should be implemented if possible.

The first six priority recommendations focus on improving cybersecurity policies and capabilities as well as embedding cybersecurity awareness into daily operations.



“The senior management of SingHealth and IHiS must provide effective and agile leadership for the timely and effective implementation of these recommendations, allocating adequate resources, and keeping a close and careful watch,” the report said.



“There must also be appropriate oversight over and verification of their implementation, including by external entities where appropriate,” it added.



The seventh priority recommendation relates to collective security which the report said is “imperative” due to the high degree of digitalisation and interconnectivity in Singapore.



The nine additional recommendations address specific issues raised in the course of the Inquiry, including technical, organisational, training, and process-related issues.



The measures, which are similarly aimed at uplifting the cybersecurity posture of SingHealth and IHiS, must be implemented or seriously considered, the report said.



“While some measures may seem axiomatic, the cyberattack has shown that these were not implemented effectively by IHiS at the time of the attack,” it added.



The report said the recommendations made are not just for IHiS or SingHealth and are equally applicable to all organisations responsible for large databases of personal data.



“For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cybersecurity competencies and the ability to counter the real, present and constantly evolving cybersecurity threats,” it added.



MOH, SINGHEALTH, IHiS TO IMPLEMENT RECOMMENDATIONS



SingHealth’s group CEO Professor Ivy Ng, in a media statement, said that SingHealth has reinforced the culture of ownership of cyber defence since the incident. This is so that every staff member is empowered to identify and report cybersecurity threats.



Regular broadcasts on cybersecurity threats to educate, and phishing exercises to test and heighten awareness will continue, in addition to table top exercises to test response to cyber threats, she said.



“In the coming months, our priority will be to work closely with the MOH, IHiS and industry experts to proactively implement the recommendations in the COI report to strengthen our cybersecurity defence,” Prof Ng added.

In its response to the report, the Ministry of Health (MOH) said it welcomes “the COI’s recommendations to enhance our cybersecurity safeguards, and will work with our healthcare institutions to study and implement the recommendations and strengthen the healthcare sector’s resilience against cyberattacks.”

“We are committed to safeguarding patient data, and will work towards improving our systems and processes to emerge stronger from this incident.”

Similarly, IHiS said it will study the recommendations made by the COI.



“The SingHealth cyberattack has revealed a number of key areas that we need to strengthen – from processes and systems to organisational structure and people. We will carefully study the recommendations in the COI report and do our utmost to drive change throughout our organisation, with patient wellbeing as our priority. We are committed to a continuous process of improvement to further strengthen our cyber defence in the public healthcare sector,” said IHiS CEO Bruce Liang.



Minister for Communications and Information and Minister-in-charge of Cybersecurity S Iswaran and Health Minister Gan Kim Yong are expected to deliver ministerial statements in Parliament next week responding to the COI’s findings and recommendations.