SingHealth breach review recommends remedies that should already be basic security policies

A culmination of bad system management and undertrained IT staff, amongst other gaps, resulted in Singapore’s most severe cybersecurity breach last July, according to the committee formed to review the events leading up to the SingHealth incident. It also recommends several steps the healthcare provider should take to plug the gaps. Several of its suggested remedies, however, should already be standard security practices for an essential services provider, including maintaining “an enhanced security structure”, improving staff awareness to detect and respond to cyberattacks, and performing cybersecurity system checks.

The 454-page report published today outlined 16 recommendations the committee said were made in light of its findings, testimonies from witnesses and Singapore’s Cyber Security Agency (CSA), and public submissions, as well as feedback from the Solicitor-General and key organisations including the Ministry of Health, SingHealth, and the IT agency responsible for the local healthcare sector, Integrated Health Information System (IHIS). The review committee was formed shortly after the Health ministry in July 2018 revealed the personal data of 1.5 million SingHealth patients had been compromised, including that of the country’s prime minister Lee Hsien Loong. Non-medical personal details, such as name and date of birth, of these patients had been accessed and copied, and the outpatient medical data of some 160,000 patients was also compromised.

The committee, which sat through 22 days of hearings involving 37 witnesses, noted in its report that the cyberattack had lasted for almost a year. Describing it as “unprecedented [in] scale and sophistication”, the report revealed that the attack was carried out between August 23, 2017, and July 20 last year, during which SingHealth’s patient database was illegally accessed. The committee found that the IHIS staff lacked adequate levels of cybersecurity awareness, training, and resources to understand the implications of the attack and respond effectively.

While its IT administrators were able to identify suspicious attempts to log into the database, the same staff failed to correlate these findings with the tactics and procedures of an advanced cyberattack. In addition, there was no framework on incident reporting, the committee noted, adding that the IHIS employees were unfamiliar with IT security policies and unaware of the need to escalate the issue to CSA.

The report also noted vulnerabilities, weaknesses, and misconfigurations in SingHealth’s network as well as its database, which ran Allscripts Healthcare Solutions’ Sunrise Clinical Manager (SCM). These, it said, had enabled the attackers to succeed in breaching the system and exfiltrating the data.

In particular, the attackers had exploited a significant vulnerability in the network connectivity between Citrix servers located at a public general hospital and the SCM database, to make queries to the database. This connectivity had been maintained to support the use of administrative tools and custom applications, which the committee found to be unnecessary. Furthermore, the Citrix servers were poorly secured against unauthorised access, with two-factor authentication for administrator access unenforced.

A coding vulnerability in the SCM application also was likely exploited to obtain credentials for accessing the database.

Remedies lay out basic security processes, best practices

In its recommendations on what needed to be done moving forward, the committee detailed steps that seemed textbook for any organisation that owned critical information infrastructure (CII). Topmost, it noted that “an enhanced security structure and readiness” must be adopted by IHIS and all public health institutions, including a “defence-in-depth” approach and policies and practices to address existing gaps. “Cybersecurity must be viewed as a risk management issue and not merely a technical issue,” it said. “Decisions should be deliberated at the appropriate management level to balance the tradeoffs between security, operational requirements, and cost.” The committee also noted that the entire “cyber stack” should be reviewed to ensure it was adequate in defending and responding to advanced threats.

Gaps should be identified by mapping layers of the IT stack against existing security technologies and loopholes in response tactics must be plugged with endpoint and network forensics capabilities. In addition, employees’ cybersecurity awareness had to be improved so they could help prevent, detect, and respond to security incidents. There also should be routine security checks, especially where CII systems were concerned, and these should include regular vulnerability assessments, safety reviews and certification of vendor products, as well as regular penetration testing and threat hunting.

And incident response processes must be improved for more effective response to cyberattacks, such as establishing pre-defined modes of communication that should be used during incident response. Furthermore, the committee said, privileged administrator accounts must be subject to tighter control and greater monitoring. These should include maintaining an inventory of administrative accounts and the use of two-factor authentication when performing administrative tasks.

Password policies also should be implemented, and enforced, for both domain and local accounts. It added that IT security risk assessments and audit processes must be treated seriously and carried out regularly, and enhanced safeguards should be established to protect electronic medical records.

The committee said: “While some measures may seem axiomatic, the cyberattack has shown that these were not implemented effectively by IHIS at the time of the attack. For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cybersecurity competencies and the ability to counter the real, present, and constantly evolving cybersecurity threats.”

It noted that implementation of its recommendations required “effective and agile leadership” from senior management, and necessary adjustments to organisational culture, mindset, and structure. “These imperatives apply equally to all organisations responsible for large databases of personal data. We must recognise that cybersecurity threats are here to stay, and will increase in sophistication, intensity, and scale. Collectively, these organisations must do their part in protecting Singapore’s cyberspace, and must be resolute in implementing these recommendations.”
