The theft of 1.5 million patient records, including those of Singapore's Prime Minister, from the city state's SingHealth hospital group by hackers could probably have been stopped had the IT department not been so useless, an inquiry has found.
In July, citizens were notified that miscreants had siphoned massive amounts of private information from the healthcare organization's database, which included the records of Premier Lee Hsien Loong, along with those of roughly a quarter of the island state's population.
A committee of inquiry published its report into the hack on Thursday, and said the attacker, or attackers, probably should have been stopped before they could make off with the data.
Marriott: Good news. Hackers only took 383 million booking records ... and 5.3m unencrypted passport numbersREAD MORE
The report suggested that, since the Prime Minister was the main target, a “well-resourced” group “having an extensive command and control network, the capability to develop numerous customised tools, and a wide range of technical expertise,” was involved.
“While our cyber defences will never be impregnable and it may be difficult to prevent an Advanced Persistent Threat (APT) from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable,” the report stated.
In particular, the hackers exploited poorly secured Citrix servers that should have had two-factor authentication enabled for administrative accounts – but the IT gear just wasn't secured that way.
Internet connectivity to the Citrix servers and the Sunrise Clinical Manager (SCM) software was a convenience rather than a necessity, increasing risk, the report added: “Network connectivity was maintained for the use of administrative tools and custom applications, but there was no necessity to do so.”
Worse, the company that operates the patient record database had been warned of vulnerabilities following a penetration-test audit. The report said Integrated Health Information Systems (IHiS) was advised of security holes in 2017, including weak admin passwords and insufficient network segregation.
“Unfortunately, the remediation process undertaken by IHiS was mismanaged and inadequate, and a number of vulnerabilities remained at the time of the Cyber Attack,” the report said.
The attack's timeline also revealed that IHiS dragged its feet reporting the breach of its network security:
- Probably through phishing attacks, an attacker first gained access to front-end workstations in August 2017, and by June 2018, had access to Citrix servers with SCM database connections, and had compromised “a large number” of user and admin accounts.
- From May 2018, the attacker was unsuccessfully trying to log into the database.
- Although admins began spotting malicious connections on 11 June 2018 and saw further attempts on 12, 13, and 26 June, the attacker was able to log into the database on 27 June and begin exfiltrating data.
- A week later, on July 4, IHiS admins identified the suspicious queries against the database, and blocked the attacks.
The matter wasn't escalated to the Cyber Security Agency of Singapore, SingHealth’s senior management, the Ministry of Health, nor the Ministry of Health Holdings until July 10, 2018, and it took until July 20 for before the cyber-raid was announced to the public.
The report is critical of IHiS staff training, saying it lacked the “awareness, training and resources” to respond to the attack, and as a result, they missed opportunities to prevent the data exfiltration.
Recommendations in the report include an enhanced security structure, better endpoint security and forensic capability, better staff awareness, enhanced security testing (including periodical red team exercises), tighter controls on administrative accounts, and better incident response planning. ®