Inadequate staff training and cyber defenses were main cause of disastrous leak

A report detailing the investigation into the 2018 SingHealth data breach that leaked the medical records of 1.5 million Singapore residents has blamed a lack of basic security hygiene coupled with ill-trained IT staff for the disaster.

The review was written by the Singapore Committee of Inquiry, bearing statements and research from Singapore’s Cyber Security Agency, Ministry of Health, and the Integrated Health Information System (IHiS).

An investigation was launched after an unknown party accessed the database of SingHealth – Singapore’s largest healthcare organization – between May 1, 2015, and July 4, 2018, taking medical records, national identity numbers, and other personal details.

The attackers took the data of millions of Singapore citizens and repeatedly and specifically targeted the records of Prime Minister Lee Hsien Loong, with suspicions pointing to the work of a nation-state actor.

The review agreed, noting: “The Committee agrees with CSA’s assessment of the attacker as a skilled and sophisticated attacker bearing the characteristics of an APT group.”

However, it also noted that while it is difficult to prevent an attack by an APT (Advanced Persistent Threat – a term commonly ascribed to government-funded hackers), the attack could have been stopped if staff had taken appropriate action.

Indeed, much of the report is dedicated to highlighting the failings in SingHealth’s basic security hygiene.

Two-factor authentication had not been implemented on administration accounts, systems were not patched or updated, and staff didn’t respond seriously or quickly enough, the report (PDF) stated.

“The Security Incident Response Manager (SIRM) and Cluster Information Security Officer (Cluster ISO) for SingHealth, who were responsible for incident response and reporting, held mistaken understandings of what constituted a ‘security incident’, and when a security incident should be reported,” the report read.

There was also a coding vulnerability in the database which hadn’t been patched and likely led to attackers gaining access.

The 454-page report did commend IT staff for spotting suspicious behavior, such as unauthorized access to servers, but noted that they failed to recognize the significance of these attacks and therefore failed to stop the intrusion.

The committee gave 16 recommendations for the healthcare organization, including a review of current technologies to determine whether they are adequate to defend against a future cyber-attack; improving staff awareness of security measures; tightening control of admin-level accounts; and improving incident response processes.

Routine security checks should also be carried out to test the robustness of both SingHealth’s own systems and vendor-bought products, the report advised.

IHiS, which created and maintains the software SingHealth uses, also made a commitment to bolster its security defenses following the breach, which it says will be fully implemented by the end of the year.