Multiple Cybersecurity Failures Led to SingHealth’s 1.5-Million Records Breach

A healthcare data breach investigation revealed that failing to implement fundamental cybersecurity procedures opens the door to hackers. Healthcare companies can spend money on the most current cybersecurity technology, but failing to follow standard cybersecurity guidelines and to assess and maintain defenses can very easily result in an unbelievably costly data breach.

The breach investigated occurred in Singapore. Nevertheless, the findings of the investigation are also relevant in the United States, where a lot of healthcare data breaches happen because of the same cybersecurity failures.

In June 2018, SingHealth, Singapore’s largest health network, was attacked by hackers. The attackers stole the data of 1.5 million people, including Prime Minister Lee Hsien Loong’s health records. Because of the breach, the Committee of Inquiry (COI) was created to investigate the incident.

Though it’s not possible to stop all data breaches, sticking to cybersecurity guidelines and using proper cybersecurity solutions can reduce the threat of a breach to an acceptable level. In SingHealth’s case, the breach was not averted. The cyberattack was alleged to have been carried out by a nation-state-supported hacking group; however, the attack might have been done by hackers with low-level skills.

The investigation showed that if SingHealth had fixed just one vulnerability by applying a patch, the attack might not have succeeded. But that was only one of SingHealth’s failures mentioned in the 453-page investigation report.

SingHealth depended entirely on Integrated Health Information Systems (IHiS), a third-party IT management firm, to evaluate and handle cyber risks. IHiS committed many failures, one of which was not taking action even after identifying the signs of a breach. That allowed the hackers to access the Prime Minister’s health data and prescription details.

A misguided middle manager failed to report network infiltrations for fear of further pressure on his team. An important staff member at the firm showed a startling lack of concern that systems had been breached. Because the staff did not show concern and IHiS failed to respond immediately to the breach, the hackers were able to exfiltrate patient information. If the incident had been reported to Singapore’s Cyber Security Agency, it would have been possible to prevent the theft of data.

The investigation showed that the IHiS staff lacked cybersecurity awareness and did not get enough training to identify an attack in progress and react appropriately.

At SingHealth, cybersecurity was seen as an IT management concern instead of a risk management issue. SingHealth placed too much reliance on the IT management company to protect its systems. IHiS failed to evaluate all cybersecurity defenses and procedures and make certain they were enough to stop and react to APT attacks. Regular monitoring was not done to evaluate vulnerabilities, and penetration tests were not conducted.

Two-factor authentication was not implemented, and there was no control over administrative accounts. Strong passwords were not used on domain and local accounts. The IT security risk assessments were not thorough and consistent. Not enough safeguards were implemented to keep the EHR database secure, and the incident response practices were not efficient.

The investigators gave a total of 16 recommendations to enhance security. These seven recommendations are considered critical:

  • IHiS and Public Health Institutions must follow an improved security structure and be prepared
  • The cyber stack ought to be analyzed to see if it is enough to protect and respond to threats
  • Staff must be trained on cybersecurity awareness to boost capacity to stop, identify, and respond to security occurrences
  • Improved security checks should be conducted, particularly on Critical Information Infrastructure (CII) systems
  • There must be tighter control and greater supervision of privileged administrator accounts
  • Incident response processes should be enhanced to better respond to cyber attacks
  • Industry and government partnerships must be developed to accomplish a greater level of collective security