Lessons From Report on Massive Singapore Healthcare Hack
Analysis of SingHealth Attack Offers Recommendations That Could Be Applied Worldwide
A variety of security weaknesses - ranging from misconfigurations to coding vulnerabilities, untrained staff and flawed incident response - contributed to a 2017 cyberattack impacting about 1.5 million patients of SingHealth, Singapore's largest healthcare group. That's the conclusion of a new report issued by a committee designated to examine the breach.
The report's recommendations for security improvements raise issues relevant to healthcare organizations worldwide.
"The key findings in the report ... on the cyberattack on Singapore Health Services' patient database read like most audits or risk assessments performed at U.S. healthcare organizations," says former healthcare CIO David Finn, an executive vice president at security consulting firm CynergisTek.
The breach exposed data on about 1.5 million patients who visited organizations that are part of SingHealth. The incident exposed personal information for more than 25 percent of the country's residents, government officials say.
The committee's report notes that the attack "of unprecedented scale and sophistication" was carried out between July and August 2017 on a patient database. "The crown jewels of the SingHealth network are the patient electronic medical records contained in the SingHealth Sunrise Clinical Manager database," the report notes.
Integrated Health Information Systems Private Limited, or IHiS, is the division of Singapore's Ministry of Health responsible for administering and operating the Sunrise Clinical Manager (SCM) system, including implementing cybersecurity measures. IHiS was also responsible for security incident response and reporting, the report notes.
Evidence suggests that the initial intrusion was through a phishing attack, which led to malware being installed and executed on a workstation, the report notes.
The committee found a high probability that a coding vulnerability in the SCM application allowed the attacker to easily retrieve the credentials of an account that then enabled the attacker "to cross the last-mile to the SCM server, as it could be used to make SQL queries to the database."
Among the report's key findings:
- IHiS staff did not have adequate levels of cybersecurity awareness, training and resources to appreciate the security implications of their findings and to respond effectively to the attack.
- Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack.
- A number of vulnerabilities, weaknesses and misconfigurations in the SingHealth network and SCM system - many of which could have been remedied before the attack - contributed to the attacker's success in obtaining and exfiltrating the data.
Based on the findings, the report laid out more than a dozen recommendations for addressing the security weaknesses and other issues that contributed to the cyberattack.
The top recommendations mainly highlight security basics, including:
- Adopting an enhanced security structure and readiness;
- Improving staff awareness on cybersecurity to enhance capacity to prevent, detect and respond to security incidents;
- Enhancing security checks on critical information infrastructure systems;
- Implementing tighter controls and greater monitoring on privileged administrator accounts;
- Improving incident response processes;
- Partnering between industry and government to achieve a higher level of collective security;
- Carrying out IT security risk assessments and audit processes more regularly;
- Implementing enhanced safeguards to protect electronic medical records;
- Better securing domain controllers against attacks;
- Implementing a robust patch management process.
The U.S. healthcare sector has also been the target of massive cyberattacks - the largest so far being the hacking of health insurer Anthem Inc. in 2014 that resulted in a breach of nearly 79 million records.
In addition, hundreds - if not thousands - of other U.S. healthcare entities have struggled with ransomware and phishing attacks and other assaults that have involved the various contributing issues that were highlighted in the report about the SingHealth hack.
The top issues cited in the report that are also most common in the U.S., Finn says, are the lack of awareness and training; unpatched vulnerabilities, including some identified in early penetration tests and still unpatched; and the finding that older defenses could not detect or identify an advanced persistent threat.
"None of these would be surprising in most healthcare organizations in the U.S.," he adds.
The top recommendations from the report read "uncannily like the Department of Health and Human Services' Health Care Industry Cybersecurity Task Force Report," Finn says.
"Both reports talk about partnership between government, industry and providers to enhance security across the sector - or collective security. Both talk about standardizing risk assessments and frameworks and to take them seriously."
Keith Fricke, principal consultant at tw-Security, observes: "Controlling privileged access is at the top of the list for me. Criminals using compromised credentials with elevated privileges provides them with significant unauthorized capability to read, write, delete and copy data. Competent criminals can sometimes use the elevated privileges to hide their tracks too."
Vulnerability management and recurring workforce awareness training are crucial, he says. "Knowing where high risk vulnerabilities exist and mitigating them goes a long way in reducing opportunities for breaches to occur. Security has to be top of mind for workers because criminals never tire in their quest to gain unauthorized access to valuable information."
Another important security consideration for healthcare organizations worldwide, Fricke says, is the need for resiliency and business continuity capability. "Without a solid backup/restore plan, organizations will face periods of operational downtime until a ransom can be paid, or suffer from data loss in the case of malware such as NotPetya."
Spotlight on Risk Management
A key lesson from the SingHealth experience is that "organizations should implement and continuously mature their cyber risk management programs," says Jon Moore, chief risk officer at security and privacy consulting firm Clearwater Compliance.
"That means having the appropriate governance in place, understanding the risks within their unique environment, treating risks that exceed their organization's risk threshold, and continuously monitoring their environments to make sure the safeguards they have in place are functioning appropriately and that any new risks are identified and addressed," he says.
Cyber risk management should be part of an organization's overall enterprise risk management program, Moore says.
"The risks to most organizations from a breach are simply too high to continue to be ignored by executive and board-level leaders. Most modern organizations are dependent on maintaining the confidentiality, integrity and availability of electronic data to fulfill their mission, yet far too often the risks to patient safety, capital and earnings from the compromise of their information systems are underappreciated."