SingHealth COI makes 16 recommendations to strengthen cyber defence
These include beefing up incident response processes, raising staff awareness
A senior manager at Integrated Health Information Systems (IHiS) did not report the cyber attack as he feared added pressure and more work.
With no clarity on how such incidents should be reported, a junior staff member who discovered the breach left it to her direct supervisors to follow up.
Such organisational failings at IHiS - the Health Ministry's (MOH) IT arm - were laid bare after 22 days of hearings by a Committee of Inquiry (COI) last year.
The SingHealth attack last June, Singapore's worst data breach, is believed to have been state-sponsored, and the COI found that the attacker was skilled and sophisticated.
The personal data of 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong, was accessed and stolen.
Examining the events and factors leading up to the attack, the COI, chaired by retired judge Richard Magnus, made clear in its 453-page public report released today that a change in organisational culture, mindset and structure, as well as effective and agile leadership by senior management, is necessary to implement its proposed recommendations.
The COI issued 16 recommendations in the report, aimed at building a culture of security, securing public healthcare systems and improving incident and post-incident responses, as part of its terms of reference.
Seven of the recommendations are priorities SingHealth and IHiS must immediately take steps to implement. They include beefing up incident response processes, identifying and plugging gaps in security technologies, as well as improving staff awareness on cyber security. (See report below.)
All 16 recommendations are also applicable to organisations that manage large amounts of personal data, the COI said, though in practice, implementation will depend on existing policies, processes and personnel in each of these organisations.
It wrote: "While some measures may seem axiomatic, the cyber attack has shown that these were not implemented effectively by IHiS at the time of the attack.
"For IHiS, SingHealth, and other organisations responsible for large databases of personal data, getting the fundamentals right is a necessary and vital step in building cyber security competencies and the ability to counter the real, present, and constantly evolving cyber security threats."
To ensure SingHealth and IHiS implement its recommendations effectively, the COI proposed the two organisations provide updates every six months to the Healthcare IT Steering Committee, the healthcare sector's highest platform for cyber security issues, chaired by the permanent secretary of the MOH.
Audit checks should also be conducted by MOH shortly after the specified implementation dates.
A fuller version of the COI report, not published due to national security and to prevent copycat attacks, was submitted to Minister-in-charge of Cyber Security S. Iswaran on Dec 31 last year.
Responding to the report, IHiS chief executive Bruce Liang said in a statement: "(We will) do our utmost to drive change throughout our organisation, with patient well-being as our priority.
"We are committed to a continuous process of improvement to further strengthen our cyber defence in the public healthcare sector."
SingHealth's group chief executive Ivy Ng said that it will work closely with the MOH, IHiS and industry experts to proactively implement the COI's recommendations.
Since the attack, SingHealth has reinforced the culture of personal ownership of cyber defence, she added, and all staff are empowered to identify and report cyber security threats.
An MOH spokesman said the ministry is committed to safeguarding patient data and will work towards improving its systems and processes.
She added: "MOH apologises once again to all affected patients for the incident."
Health Minister Gan Kim Yong and Mr Iswaran will give ministerial statements in Parliament next week with more detailed responses to the report.
FOR MORE, READ THE STRAITS TIMES TODAY
COI on SingHealth cyber attack: 7 priority recommendations
The Committee of Inquiry (COI) identified five key findings and issued 16 recommendations, of which seven were marked as priorities SingHealth and IHiS must take steps to implement immediately. They are:
1. Adoption of an enhanced security structure and readiness by IHiS and public health institutions.
The COI found that aspects of the public healthcare sector's cyber security posture were poor. It recommended that cyber security be treated as a risk management issue and that a "defence-in-depth" approach be taken.
2. Review of the cyber stack to assess if it is adequate to defend against and respond to advanced threats.
Besides identifying and filling gaps in the "cyber stack" - the layers of security technology put in place - application security for e-mail must be heightened and network security enhanced.
3. Improvement of staff awareness on cyber security, to enhance capacity to prevent, detect and respond to security incidents.
The COI said staff can be an organisation's weakness if they do not understand cyber security policies and procedures or how to mitigate risks, and are not ready to respond to a security breach.
4. Enhanced security checks must be performed, especially on critical information infrastructure systems.
This involves regular vulnerability assessments; reviewing, evaluating and certifying vendor products; and conducting penetration testing, red teaming (ethical hacking by an external, independent party) and threat hunting.
5. Privileged administrator accounts must be subject to tighter control and greater monitoring.
These accounts are prime targets. All administrators must use two-factor authentication, and instead of passwords, the COI recommended using passphrases, which are easier to remember and harder to guess by brute force.
6. Incident response processes must be improved for more effective response to cyber attacks.
Early detection, proper investigation and timely reporting could well have prevented the SingHealth data breach.
7. Partnerships between industry and government to achieve a higher level of collective security.
The COI said threat intelligence sharing should be enhanced, cross-border and cross-sector partnerships strengthened, and behavioural analytics applied for collective defence.
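To put numbers on the claim in the fifth recommendation that a passphrase is harder to brute-force than a password, the following worked calculation is added here by the editor; it is not from the COI report or from this article. The 95-character printable set, the 7,776-word diceware-style list, the 100,000-entry phrase dictionary and the two guess rates (a throttled login endpoint, and an offline GPU rig against a fast hash) are assumed figures chosen for illustration.

```python
import math

# Constructed parameters for the comparison (assumptions, not figures from the COI report).
PRINTABLE_ASCII = 95                      # characters available for a random password
DICEWARE_WORDS = 7776                     # 6**5 words in a diceware-style list
COMMON_PHRASES = 100_000                  # size of a phrase dictionary an attacker tries first

ONLINE_GUESSES_PER_SEC = 10               # throttled login endpoint
OFFLINE_GUESSES_PER_SEC = 10_000_000_000  # GPU rig against a fast, unsalted hash


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Entropy of a secret made of `symbols` independent, uniformly random picks
    from `alphabet_size` possibilities: symbols * log2(alphabet_size)."""
    return symbols * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_sec: float) -> float:
    """Expected time for exhaustive search to hit the secret: on average the
    attacker tries half the keyspace, i.e. 2 ** (bits - 1) guesses."""
    return 2 ** (bits - 1) / guesses_per_sec


def compare() -> dict:
    """Entropy and expected crack times for several policies.

    Returns {label: (bits, offline_years, online_years)}.
    """
    year = 365.25 * 24 * 3600
    policies = {
        "8-char random password": entropy_bits(PRINTABLE_ASCII, 8),
        "12-char random password": entropy_bits(PRINTABLE_ASCII, 12),
        "4-word diceware passphrase": entropy_bits(DICEWARE_WORDS, 4),
        "6-word diceware passphrase": entropy_bits(DICEWARE_WORDS, 6),
        # A memorable but non-random phrase (a quote, a lyric) is only as strong as
        # the phrase dictionary it appears in, however many characters it has.
        "quoted phrase from a 100k-phrase dictionary": entropy_bits(COMMON_PHRASES, 1),
    }
    return {
        label: (
            round(bits, 1),
            expected_crack_seconds(bits, OFFLINE_GUESSES_PER_SEC) / year,
            expected_crack_seconds(bits, ONLINE_GUESSES_PER_SEC) / year,
        )
        for label, bits in policies.items()
    }


if __name__ == "__main__":
    for label, (bits, offline_years, online_years) in compare().items():
        print(f"{label:45s} {bits:6.1f} bits  "
              f"offline: {offline_years:.3g} y  online: {online_years:.3g} y")
```

The figures show why the recommendation pairs passphrases with length: four random diceware words are roughly equal to an 8-character random password, and only from five or six words upward does the passphrase pull clearly ahead. The last row is the caveat a practitioner would add: the gain exists only when the words are drawn at random from the list; a memorable quote has the entropy of the phrase dictionary it comes from. The gap between the offline and online columns is also why the two-factor requirement matters more than either number for an exposed administrator login.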