Multiple Cybersecurity Failures Led to SingHealth’s 1.5-Million Records Breach

A healthcare data breach investigation revealed that failing to implement basic cybersecurity best practices opens the door to hackers. Healthcare companies can spend big on cybersecurity technology, but not following standard cybersecurity guidelines and failing to assess and maintain defenses can very easily result in a costly data breach.

In June 2018, SingHealth, Singapore’s largest health network, was attacked by hackers. The attackers stole the data of 1.5 million people, including Prime Minister Lee Hsien Loong’s health records. The massive data breach prompted the creation of the Committee of Inquiry (COI) which investigated the incident.

Though it’s not possible to stop all data breaches, sticking to cybersecurity guidelines and implementing appropriate cybersecurity solutions can minimize the threat of a breach and reduce risk to an acceptable level. In SingHealth’s case, several serious failures had occurred.

The cyberattack was alleged to have been conducted by nation-state backed hacking group; however, due to the failures, any competent hacker could have conducted the attack.

The investigation showed that if SingHealth had fixed one vulnerability by applying a patch, the attack might have not succeeded. But that was only one of SingHealth’s failures mentioned in the 453-page investigation report.

SingHealth depended entirely on Integrated Health Information Systems (IHiS), a third-party IT management firm, to evaluate and manage cyber risks. The report indicates there were several serious failures at IHiS , one of which was not taking prompt action after a breach had been identified. That allowed the hackers to access sensitive data, including the Prime Minister’s health records and prescription details.

A middle manager failed to report the network infiltration for fear of further pressure being placed on his team. An important staff member at the firm also showed a startling lack of concern that systems had been breached. Due to the staff’s failure to take immediate action in response on the breach, the hackers were able to exfiltrate patient information. If the incident was reported to the Singapore’s Cyber Security Agency and the incident was escalated, it may have been possible to prevent the theft of data.

The investigation showed that the IHiS staff lacked cybersecurity awareness and did not get enough training to identify an attack in progress and react appropriately.

At SingHealth, cybersecurity was seen as an IT management concern instead of a risk management issue. SingHealth placed too much reliance on the IT management company to protects its systems. IHiS failed to evaluate all cybersecurity defenses and procedures and make certain they were sufficient to prevent and quickly respond to APT attacks. Regular monitoring was not evident, vulnerabilities were not evaluated, and penetration tests were not conducted.

Two-factor authentication had not been implemented, and there was little control over administrative accounts. Strong passwords were not used on domain and local accounts, the IT security risk assessments were not thorough and consistent, and insufficient safeguards were implemented to keep the EHR database secure. COI also reported that the incident response practices were inefficient.

The investigators made 16 recommendations to enhance security at SingHealth. The following seven recommendations were deemed critical:

  • IHiS and Public Health Institutions must implement and adhere to an improved security structure
  • The cyber stack ought to be analyzed to see if it is sufficient to protect against and respond to threats
  • Staff must be trained on cybersecurity awareness to boost capacity to stop, identify, and respond to security breaches
  • Improved security checks should be conducted, particularly on Critical Information Infrastructure (CII) systems
  • There must be tighter control and greater supervision of privileged administrator accounts
  • Incident response processes should be enhanced to better respond to cyber attacks
  • Industry and government partnerships must be developed to accomplish a greater level of collective security