The SingHealth data breach that took place last year was one of the largest cyberattacks in the history of Singapore. The breach led to over 1.5 million patient records being stolen by the attacker. These records contained the personal information and medical history of the patients, including those of the Singaporean Prime Minister. The stolen records included names, addresses, and NRIC numbers, among other patient information.
However, despite the devastating loss, this cyberattack was not inevitable. The Committee of Inquiry (COI) publicly released its report on the cyberattack which stated that this attack could have been stopped if the right measures had been taken.
According to the report, there were a number of vulnerabilities and misconfigurations that should have been fixed before the attack occurred. Fixing them might not have stopped the Advanced Persistent Threat (APT) from breaching the system, but it would have made it more difficult for the attacker to achieve their objectives. Furthermore, it could have minimized the damage that SingHealth suffered from the breach.
Key findings of the report:
There were five key findings of the COI report on the SingHealth attack. The first one, as we have already discussed, was that the attack was not inevitable but it could have been stopped or otherwise dampened by taking the required security measures. The other four findings of the report are as follows:
- The attacker was skilled and stealthy: The attacker was not a casual hacker trying to find a way into the SingHealth system. Instead, their approach was sophisticated and showed signs of belonging to an APT group. The COI believes that the attacker had a clear goal in mind: to access the information of the Prime Minister, a record that was repeatedly accessed during the breach. The use of customized malware and advanced tactics and procedures showed that the attacker had technical expertise.
- Lack of skills and resources: The COI reported that the staff deployed by Integrated Health Information Systems (IHIS) lacked the awareness, training, and resources required to identify and respond to a cyberattack. This included the teams directly responsible for cybersecurity, such as the computer emergency response team and the security management department.
- Key security employees failed to take timely, appropriate steps: According to the COI report, the failure to take effective action was a missed opportunity to prevent the attacker from stealing the data. The Information Security Office (ISO) and the Security Incident Response Manager (SIRM) had an incorrect understanding of what should be considered a security incident and when it should be reported. The COI report concludes that there was reluctance on the part of the ISO and SIRM to escalate the incident, for fear of raising a false alarm, which led to a delay. This was one of the most significant findings of the report.
- There were loopholes in the system: A number of vulnerabilities were highlighted in the SingHealth system that could have been exploited by the attacker. These loopholes made it easier for the attacker to succeed in accessing and stealing information from the patient database. Some of the vulnerabilities highlighted include an open network connection between the Citrix servers and the patient database, a lack of two-factor authentication on the Citrix servers that made unauthorized access easier, and weak administrator passwords.
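The three misconfigurations named above (an open network path from the Citrix tier to the database, no two-factor authentication on the Citrix servers, and weak administrator passwords) are the kind of thing a routine configuration audit can catch before an attacker does. The script below is an added example, not code from the page, the COI report, or SingHealth/IHIS; the host names, tiers, flow rules and password policies are a constructed, hypothetical inventory, and the "only the app tier may open database connections" policy is an assumption chosen for illustration.

```python
"""
Configuration audit for the three weaknesses the COI report names:
an open network path from the Citrix servers to the patient database,
no two-factor authentication on the Citrix servers, and weak
administrator passwords.  Host names, tiers and rules below are a
constructed, hypothetical inventory, not the real SingHealth/IHIS estate.
"""
import re
from dataclasses import dataclass, replace

# Small constructed deny-list; a real audit would use a much larger breach corpus.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "admin", "welcome1", "letmein", "qwerty"}
MIN_LENGTH = 12
# Assumed policy: only the application tier may open connections to the database tier.
ALLOWED_DB_CLIENT_TIERS = {"app"}


@dataclass
class Host:
    name: str
    tier: str                 # "citrix", "app", "db" or "workstation"
    mfa_enabled: bool
    min_password_length: int  # local password policy on the host
    complexity_required: bool


@dataclass
class FlowRule:
    src_tier: str
    dst_tier: str
    port: int
    action: str               # "allow" or "deny"


def password_weaknesses(pw):
    """Checks a candidate password at set time; returns a list of problems."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("on common-password list")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("fewer than 3 character classes")
    return issues


def audit(hosts, rules):
    """Returns one finding string per misconfiguration found."""
    findings = []
    # 1. Network segmentation: any allow rule into the db tier from a non-approved tier.
    for r in rules:
        if r.action == "allow" and r.dst_tier == "db" and r.src_tier not in ALLOWED_DB_CLIENT_TIERS:
            findings.append(f"network: {r.src_tier} -> db allowed on port {r.port}")
    for h in hosts:
        # 2. Two-factor authentication on the remote-access (Citrix) tier.
        if h.tier == "citrix" and not h.mfa_enabled:
            findings.append(f"mfa: {h.name} has no two-factor authentication")
        # 3. Administrator password policy on every host.
        if h.min_password_length < MIN_LENGTH:
            findings.append(f"password-policy: {h.name} minimum length {h.min_password_length} is below {MIN_LENGTH}")
        if not h.complexity_required:
            findings.append(f"password-policy: {h.name} does not require mixed character classes")
    return findings


# Constructed "before" state mirroring the report's three findings.
SAMPLE_HOSTS = [
    Host("ctx-01", "citrix", mfa_enabled=False, min_password_length=8, complexity_required=False),
    Host("ctx-02", "citrix", mfa_enabled=True, min_password_length=14, complexity_required=True),
    Host("app-01", "app", mfa_enabled=True, min_password_length=14, complexity_required=True),
    Host("db-01", "db", mfa_enabled=True, min_password_length=14, complexity_required=True),
]
SAMPLE_RULES = [
    FlowRule("app", "db", 1433, "allow"),
    FlowRule("citrix", "db", 1433, "allow"),   # the open Citrix-to-database path
    FlowRule("workstation", "db", 1433, "deny"),
]


def hardened():
    """The same inventory with the three weaknesses corrected."""
    hosts = [replace(h, mfa_enabled=True, min_password_length=14, complexity_required=True)
             for h in SAMPLE_HOSTS]
    rules = [replace(r, action="deny") if r.src_tier == "citrix" else r for r in SAMPLE_RULES]
    return hosts, rules


if __name__ == "__main__":
    for line in audit(SAMPLE_HOSTS, SAMPLE_RULES):
        print(line)
    print("after hardening:", audit(*hardened()))
```

Run against the constructed "before" inventory the audit reports all three weaknesses on the same Citrix host and rule; after `hardened()` applies two-factor authentication, a stricter password policy and a deny rule for the Citrix-to-database path, it reports nothing. The password check is deliberately kept separate from the inventory audit: passwords themselves should never sit in an asset inventory, so `password_weaknesses` is the kind of check applied at password-change time, while the audit only inspects the policy each host enforces.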
Recommendations for dealing with IT security incidents:
On the basis of the key findings, the COI report listed 16 recommendations that SingHealth, healthcare providers, and other businesses that depend on IT should consider to minimize the chances of cyberattacks and to limit the damage they cause.
There were three primary aims of the recommendations made by the COI. First, to reduce the risk of cyberattacks on public-sector systems which store large amounts of personal data. Second, to enhance the response plans for security incidents similar to this one. Third, to ensure better protection of SingHealth’s database systems against cyberattacks.
The recommendations range from basic cybersecurity measures to advanced measures and can be categorized into five major areas. Out of the 16 recommendations, the first 7 are priority recommendations that are mandatory to implement whereas the remaining 9 recommendations are additional and should be implemented for improved security.
Of the priority recommendations, the first 6 focus on cybersecurity policies, capabilities, and awareness; the goal is to improve basic cybersecurity measures for daily operations. These include enhanced security checks, controls on privileged administrator accounts, review of online processes, staff awareness, and an overall improved cybersecurity and incident response policy. The seventh recommendation focuses on collective security through partnerships between the government and the industry so that threat intelligence and behavioral analytics can be applied.
The additional 9 recommendations address particular security concerns identified during the inquiry, including issues related to technical capabilities, organizational structure, employee training, and business processes. These include risk assessments, improved security of e-health records, patch management, and the competency of the incident response team.
The COI has stated that even though most of these recommendations might seem obvious and self-evident, all such measures were missing or not implemented effectively enough by IHIS at the time of the data breach. It is also worth noting that even though the report is aimed at SingHealth and IHIS, these recommendations apply to all organizations that store personal data of citizens and customers.
The NHS WannaCry incident:
Before the SingHealth data breach, one of the most significant cyberattacks on the healthcare sector took place in 2017 against the United Kingdom’s National Health Service (NHS). The WannaCry attack cost the NHS almost £92 million and a significant amount of data. It directly resulted in hospitals and clinics being shut down and in the cancellation of over 19,000 appointments, including cases of cancer and other severe illnesses.
As with the SingHealth data breach, there were a number of vulnerabilities in the NHS systems that led to the cyberattack. The lack of patch management, cybersecurity awareness, and anti-malware software were some of the primary reasons. In particular, the NHS failed to install a patch that would have prevented, or at least limited, the damage caused by WannaCry. For some of its trusts, it took weeks to get systems back up and running with full functionality.
Since then, the NHS has taken steps to secure its systems, including the implementation of an artificial-intelligence-based approach to threat detection and prevention. However, these are measures taken after the cyberattack occurred, so they are reactive rather than proactive.
The SingHealth data breach and the NHS WannaCry attack show that these are not isolated events, but instead serious threats to the healthcare sector. The poor security infrastructure of many healthcare institutions across the globe makes them a potential target for cyberattacks.
These are two of the most serious breaches in the history of cybersecurity, and they highlight the importance of implementing effective and appropriate cybersecurity measures to protect against such threats. The recommendations made by the COI in its report are a good first step for organizations, particularly healthcare providers, to improve their cybersecurity and reduce the risk of falling victim to similar cyberattacks.