SingHealth COI report: 16 recommendations put forward in dealing with IT security incidents
SINGAPORE: Seven priority and nine additional recommendations have been put forward by the Committee of Inquiry (COI) investigating the SingHealth cyberattack as a “necessary and vital first step” to combat cybersecurity threats, it said in the public version of its report on Thursday (Jan 10).
The recommendations relate to five broad areas, which range from building a culture of cybersecurity to the improvement of incident response capabilities.
Chaired by retired chief district judge Richard Magnus, the four-member COI was tasked to establish the events and contributing factors leading to the cyberattack on SingHealth’s patient database system on or around Jun 27 last year, and the subsequent “exfiltrating” of data from the network.
The cyberattack is Singapore’s most serious breach of public data to date. In all, 1.5 million patients' non-medical personal data were stolen, while 160,000 of those had their dispensed medicines' records taken. Among those affected was Prime Minister Lee Hsien Loong, with the attackers repeatedly targeting his personal particulars and information about his outpatient medications.
Over 22 days of hearings, the COI heard evidence from 37 witnesses, and also received 26 written submissions from individuals, organisations and industry associations. The COI’s report, which covers the assessment of the evidence, findings, attribution of the attack, as well as priority and additional recommendations, was submitted to Minister-in-charge of Cybersecurity S Iswaran on Dec 31.
The seven priority recommendations include strategic and operational measures to boost the cybersecurity of SingHealth as well as IHiS, and steps needed to implement these “immediately”, said the COI in its report. The nine additional recommendations, on the other hand, relate to other specific concerns raised in the course of the COI’s inquiry and “must be implemented or seriously considered”.
“While some measures may seem axiomatic, the cyberattack has shown that these were not implemented effectively by IHiS at the time of the attack,” said the COI. “For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cybersecurity competencies and the ability to counter the real, present, and constantly evolving cybersecurity threats.”
EMPLOYEES A POSSIBLE ACHILLES HEEL
In order to build a culture of cybersecurity, two priority recommendations must be implemented, said the COI. Firstly, staff awareness on cybersecurity must be improved, in order to better prevent, detect and respond to security incidents.
“Employees can be the first line of defence in a cyberattack, but they can also be an organisation’s Achilles heel,” said the COI. “If employees do not understand security policies and procedures, how to mitigate risks, or are not prepared to respond to a security breach, they are potentially contributing, whether intentionally or not, to breaches in cybersecurity.”
While IHiS and SingHealth did train their staff through various means, such as phishing exercises conducted by IHiS on all SingHealth staff and email blasts to inform IHiS staff of security policies, responsibilities and security vulnerabilities, the COI found that these efforts “failed” to equip IHiS staff to respond effectively to the cyberattack.
“Although the existing measures reflect effort and good intentions on the part of management, it is telling that at least in the area of creating awareness about the risks of phishing, a disturbing number of SingHealth staff fell prey to the phishing emails twice or more,” added the COI, which recommended that a security awareness programme for all workforce members be implemented and completed on a regular basis.
Also, an enhanced security structure must be adopted by IHiS and public health institutions, added the COI.
This can be done by conducting training and tabletop exercises as well as regular audits and compliance checks in order to bridge “gaps” between policy and practice. All legacy systems in the public healthcare sector, such as the Sunrise Clinical Manager (SCM) software solution, must also be reviewed as a matter of “priority”, said the COI.
“Over the course of the COI proceedings, the evidence showed that certain aspects of the public healthcare sector’s cybersecurity posture were poor, in particular on the sector’s mindset towards cybersecurity,” said the COI. “At the same time, even as…those aspects of the public healthcare sector’s cybersecurity posture that are adequate, there is scope to further improve.”
MAKING USE OF ‘PRIVILEGED’ CREDENTIALS
As part of securing the system, another priority recommendation includes reviewing the “cyber stack” – the layers of security technology that an organisation puts in place to form an integrated defence against cyberattacks.
One way would be to review the efficacy of the email-protection measures currently in place, as the hypothesis the Cyber Security Agency of Singapore (CSA) presented during the COI hearings was that the initial intrusion into the SingHealth network was via a phishing email.
Secondly, enhanced security checks on critical information infrastructure (CII) and mission critical systems also need to be carried out to discover “security vulnerabilities, misconfigurations, potential attack vectors, and even the presence of attackers lurking within the network,” said the COI.
The scope of vulnerability assessments should also extend beyond the CII to key assets and systems connected to it and other relevant systems, as it was found that vulnerability assessments were not conducted on the Citrix servers – which communicate between workstations and database servers and are connected to the SCM database.
“As seen in the cyberattack, the attacker exploited access to the SGH Citrix servers as a key part of his attack route to the SCM database. It is thus important for key assets and systems connected to CII, mission-critical and/or internet-facing systems to also be subject to vulnerability assessment,” it added.
Thirdly, privileged administrator accounts must be subject to tighter control and greater monitoring, recommended the COI.
“Compromised privileged credentials have been revealed as a primary attack vector in the cyberattack. Privileged credentials were used by the attacker to move about in the network, after the initial intrusion, in his hunt for valuable assets,” it said.
Among other things, this would mean all administrators using two-factor authentication when performing administrative tasks.
“With 2FA, users must input two distinct identification methods - such as a password and a one-time-use PIN - to verify their permission to access a restricted system. A second factor of authentication would significantly secure access to privileged accounts, and the risk of unauthorised access to mission-critical servers would be reduced,” added the COI.
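As an added illustration of the two-factor check the COI describes (a password plus a one-time-use PIN), the following Python code, which is not from the report, IHiS or SingHealth, verifies both factors for a privileged login. The PIN is a time-based one-time password per RFC 6238 (HMAC-SHA1, 30-second step, six digits); the account-record layout, the `enrol()`/`verify_login()` names and the one-step clock-skew window are assumptions made for this example. It also enforces the “one-time-use” property: a PIN that has already been accepted for a given time step is refused if presented again.

```python
"""Password + TOTP two-factor login check.

Added example; not code from the COI report, IHiS or SingHealth.
TOTP follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits). The record
layout, enrol()/verify_login() and the one-step skew window are assumptions.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP = 30            # TOTP time step in seconds
DIGITS = 6           # length of the one-time PIN
SKEW_STEPS = 1       # accept one step before/after "now" to absorb clock drift
PBKDF2_ROUNDS = 100_000


def totp(secret: bytes, for_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the RFC 6238 TOTP value (HOTP over the time-step counter)."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def enrol(password: str, totp_secret: bytes) -> dict:
    """Create an account record: salted PBKDF2 password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret, "last_counter": -1}


def verify_login(record: dict, password: str, code: str, now: Optional[float] = None) -> bool:
    """Accept only when BOTH the password and a fresh, unused one-time PIN are correct.

    Both factors are always evaluated, so a failure does not reveal which one was
    wrong. A PIN is accepted only for a time-step counter greater than the last
    one used, so a PIN captured from a previous login cannot be replayed.
    """
    now = time.time() if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])

    current = int(now) // STEP
    matched_counter = None
    for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
        expected = totp(record["totp_secret"], counter * STEP)
        if matched_counter is None and hmac.compare_digest(expected.encode(), code.strip().encode()):
            matched_counter = counter

    pin_ok = matched_counter is not None and matched_counter > record["last_counter"]
    if password_ok and pin_ok:
        record["last_counter"] = matched_counter   # burn this step: the PIN is one-time-use
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238's published SHA-1 test secret and a sample password.
    secret = b"12345678901234567890"
    account = enrol("correct horse battery staple", secret)
    pin = totp(secret, 59)
    print("first login :", verify_login(account, "correct horse battery staple", pin, now=59))
    print("replayed PIN:", verify_login(account, "correct horse battery staple", pin, now=59))
```

The `last_counter` field is what turns a time-based code into a one-time-use PIN; without it, anyone who observed a valid code could reuse it for the remainder of the 30-second step and the skew window. In a deployment the record would live in the identity store and the counter update would need to be atomic across login servers.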
CYBERSECURITY THREATS HERE TO STAY
Incident response processes must also be improved for a more effective response to cyberattacks, said the report.
“A proactive response is key to mitigating damage and facilitating recovery efforts,” it added. “Had early detection, proper investigation and timely reporting occurred, the unauthorised access to, and exfiltration of, patient data from the SCM database could likely have been prevented.”
This would mean the regular testing of such plans, with regular exercises and simulations, as well as a clear and established procedure on how to report such cyberattacks.
Stressing the need for “collective security”, the COI’s final priority recommendation pointed to the need for the government, through CSA, to continue to ensure sharing of threat intelligence across the CII sectors.
“CSA and relevant agencies should study this recommendation and consider how to implement measures to better achieve collective security, sharing of threat intelligence and networked defence,” added the COI. “Cybersecurity threats are constantly evolving, and will continue to increase in sophistication, intensity, and scale. Similarly, while implementing the recommendations is a necessary and vital first step, organisations must constantly renew, review, and refresh their security structures, technology, and readiness.”
Other recommendations from the COI include enhanced safeguards to protect electronic medical records and the implementation of an internet access strategy that minimises exposure to threats.
The COI noted that IHiS has already taken action following the cyberattack, accelerating three ongoing security projects, proposing six more measures, and considering an additional twelve measures. But it also stressed that oversight of the implementation process, and verification that the measures have been properly implemented, will be “vital”.
As such, it proposed that IHiS and SingHealth provide updates to the Healthcare IT Steering Committee (HITSC) every six months on the progress of the implementation of the COI’s recommendations and measures from IHiS, and for the HITSC to consult CSA should any issues arise regarding their implementation.
The HITSC is a strategic-level forum for decisions on broad policies, strategies and issues relating to overall healthcare IT and is the healthcare sector’s highest level platform for cybersecurity issues.
“IHiS and SingHealth should give priority to implementing the recommendations,” said the COI. “This imperative applies equally to all organisations responsible for large databases of personal data. Cybersecurity threats are here to stay, and will increase in sophistication, intensity, and scale. Collectively, these organisations must do their part in protecting Singapore’s cyberspace, and must be resolute in implementing these recommendations.”