Out-Law / Your Daily Need-To-Know

SingHealth breach: tardy responses and security failings are major causes

27 Sep 2018, 4:54 pm

In his opening statement at the first public hearing before the Committee of Inquiry (COI), Singapore solicitor-general Kwek Mean Luck said that tardy responses and security inadequacies were major causal factors in the massive cyber attack on SingHealth earlier this year.

The cyber attack, which is the worst of its kind in Singapore to date, compromised the personal data of 1.5 million patients and led to the leakage of outpatient prescription information of 160,000 people, including that of prime minister Lee Hsien Loong and other ministers.

The attackers carried out the cyber attack by infecting workstations with malware and moving laterally in the SingHealth network between last December and this May, and escaped detection by using techniques typical of a "skilled and sophisticated threat actor", said Kwek.

Their ultimate target appears to have been to reach SingHealth's electronic medical records (EMR) system.

The attackers exploited inactive administrator accounts to remotely log in to a server that contained a link to another system containing the EMR database from May to June this year. Multiple attempts were made to access the data in the EMR system via that link between June 27 and July 4 this year.

These unusual activities were finally detected on July 4, and terminated by a database administrator at Integrated Health Information Systems (IHiS). Immediate security measures were also taken by the IHiS staff to limit the spread of the attack, including changing the passwords of all administrators and shutting down the server with the unwanted link to the EMR database.

Testimonies by IHiS staff at the public hearing revealed that although IHiS staff had detected unauthorised failed attempts to access SingHealth's critical systems as early as June 11 this year, they had little to no training on how security incidents were to be reported. Consequently, IHiS senior management were not alerted as to the cyber attackers' activities until the night of July 9. SingHealth, the Ministry of Health and the Cyber Security Agency of Singapore, were informed on July 10 and Singaporeans were told about the incident 10 days later.

The COI will conduct public and private hearings to determine the reasons for the cybersecurity attack and how the public healthcare sector can strengthen its responses and defences in future. It is expected to submit a report on its findings and recommendations by 31 December 2018.