SingHealth Breach Investigation Discloses Catalogue of Cybersecurity Failures

An inquiry into a healthcare data breach has demonstrated how the failure to apply basic cybersecurity processes leaves the door wide open to hackers. Healthcare organizations can invest in modern cybersecurity technology, but failing to implement standard cybersecurity best practices and to assess and maintain defenses can easily result in an extremely expensive data breach.

The breach in question occurred not in the United States but in Singapore. Nevertheless, the findings of the investigation are relevant in the United States, where many healthcare data breaches have resulted from similar cybersecurity failures.

In June 2018, hackers attacked Singapore’s biggest health network, SingHealth. The records of 1.5 million people were stolen, including the health records of the country’s Prime Minister, Lee Hsien Loong. To put the scale of the breach into perspective, Singapore has a population of 5.6 million.

After the breach, a Committee of Inquiry (COI) was established to carry out a thorough investigation, the results of which were made public this week.

Although it’s not possible to prevent every data breach – determined and well-resourced hackers could, given sufficient time, penetrate most companies’ defenses – adhering to cybersecurity best practices and implementing appropriate cybersecurity solutions can reduce the risk of a breach to a reasonable and acceptable level. In the case of SingHealth, that didn’t occur.

The cyberattack is thought to have been carried out by a nation-state-backed hacking group; however, the attack could have been executed by far less skilled hackers.

The inquiry revealed that had SingHealth applied a patch to fix a single vulnerability, the attack might have been stopped, although that was only one of several failures described in the 453-page report of the inquiry.

SingHealth relied solely on a third-party IT management company, Integrated Health Information Systems (IHiS), to assess and manage cyber risk. Many failures were identified at the company.

Although the attack was somewhat stealthy, the signs of a breach were noticed by the IT management firm; however, no action was taken to stop the hackers from achieving their main objective – to obtain the health information and treatment details of the Prime Minister.

A middle manager had a mistaken understanding of what constituted a reportable cybersecurity incident and failed to report network intrusions out of fear that doing so would put further pressure on his team. A key member of staff at the company showed “a shocking lack of concern” about the fact that systems had apparently been breached. As a consequence of this lack of concern and the company’s failure to take swift action over the breach, the hackers had time to exfiltrate patient data. Had the incident been escalated to Singapore’s Cyber Security Organization, the theft of data might have been avoided.

The inquiry revealed that staff at IHiS lacked sufficient cybersecurity awareness and had not been adequately trained to identify an attack in progress and respond effectively.

At SingHealth, cybersecurity was seen as an IT management issue rather than a risk management issue, and too much reliance was placed on the IT management company to ensure that its systems were protected.

There was a failure to assess all cybersecurity safeguards and procedures and make sure they were adequate to prevent and respond to APT attacks. Routine checks were not carried out to assess vulnerabilities, and penetration tests had not been performed.

Two-factor authentication had not been implemented, and there was a lack of control over administrative accounts. Password policies enforcing the use of strong passwords had not been applied on domain and local accounts. IT security risk assessments were not sufficiently detailed and were not carried out with sufficient regularity. Inadequate safeguards had been applied to protect the EHR database, and incident response processes were not effective.

In total, 16 recommendations were made by the investigators to improve security, seven of which were rated critical.

The critical recommendations are:

  • An enhanced security structure and readiness should be adopted by IHiS and Public Health Institutions.
  • The cyber stack should be reviewed to assess whether it is adequate to defend against and respond to advanced threats.
  • Staff awareness of cybersecurity should be improved to increase capacity to prevent, detect, and respond to security incidents.
  • Enhanced security checks should be carried out, particularly on Critical Information Infrastructure (CII) systems.
  • Privileged administrator accounts should be subject to tighter control and greater monitoring.
  • Incident response processes should be improved for more effective response to cyber attacks.
  • Partnerships between industry and government to achieve a higher level of collective security.