34 witnesses of fact. 3 expert witnesses. 21 days of hearing in 4 tranches. It started on 28 August 2018. Closing submissions were heard 3 months later on 30 November 2018.
All of this culminated in 5 key findings and 16 recommendations as detailed below.
But first, to recap, I had reported in July last year that Singapore had suffered its worst cyber attack. 1.5 million patients’ non-medical personal data was taken from SingHealth, Singapore’s largest group of healthcare institutions consisting four public hospitals, five national speciality centres, and eight polyclinics. The Singapore Prime Minister’s outpatient dispensed medicines information was also taken.
A public announcement was made on 20 July 2018. Within four days, a Committee of Inquiry (COI) was convened. The government also said that the Personal Data Protection Commission (PDPC) had been notified of the cyber attack, and that it would investigate the matter.
The COI’s public report was released on 10 January 2019. The PDPC’s decision was published on 14 January 2019.
This piece is meant only to report the outcome of the COI’s and PDPC’s investigations, and I will dive straight into that. If time permits, I will churn out more on how the cyber attack happened, the evidence given, and the COI’s and PDPC’s findings. Watch this space!
COI’s Terms of Reference
They were to:
- Establish the events and contributing factors leading to the cybersecurity attack on SingHealth’s patient database system on or around 27 June 2018, and the subsequent exfiltration of patient data therefrom.
- Establish how the Integrated Health Information Systems (IHiS)* and SingHealth responded to the cybersecurity attack.
- Recommend measures to enhance the incident response plans for similar incidents.
- Recommend measures to better protect SingHealth’s patient database system against similar cybersecurity attacks.
- In light of the cybersecurity attack and the findings above, recommend measures to reduce the risk of such cybersecurity attacks on public sector IT systems which contain large databases of personal data, including in the other public healthcare clusters.
- Conduct itself in accordance with the provisions of the Inquiries Act, with the discretion to determine which, if any, part(s) of the inquiry shall be held in public, and consider the evidence put before the COI as led by the Attorney-General or his designates; and
- Make and submit a report of its proceedings, findings and recommendations to the Minister-in-Charge of Cybersecurity by 31 December 2018.
COI’s Findings
There were five Key Findings in respect of TORs #1 and #2:
- IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack.
- Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective, or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack.
- There were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack.
- The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group.
- While our cyber defences will never be impregnable, and it may be difficult to prevent an Advanced Persistent Threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable.
COI’s 16 Recommendations
These comprised seven Priority Recommendations and nine Additional Recommendations, for TORs #3, #4, and #5.
The Committee said the Priority Recommendations “include strategic and operational measures to uplift the cybersecurity posture of SingHealth and IHiS, and steps must be taken to implement [them] immediately”.
With respect to the Additional Recommendations, the Committee said that they “relate to other specific concerns raised in the course of [the] Inquiry, including technical, organisational, training, and process-related issues. The measures … are similarly aimed at uplifting the cybersecurity posture … [and] must be implemented or seriously considered.”
The Committee also said that “implementation of the recommendations requires effective and agile leadership from senior management, and necessary adjustments to organisational culture, mindset, and structure”.
The Priority Recommendations were:
- An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions.
- The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats.
- Staff awareness on cybersecurity must be improved, to enhance capacity to prevent, detect, and respond to security incidents.
- Enhanced security checks must be performed, especially on CII systems.
- Privileged administrator accounts must be subject to tighter control and greater monitoring.
- Incident response processes must be improved for more effective response to cyber attacks.
- Partnerships between industry and government to achieve a higher level of collective security.
The Additional Recommendations were:
- IT security risk assessments and audit processes must be treated seriously and carried out regularly.
- Enhanced safeguards must be put in place to protect electronic medical records.
- Domain controllers must be better secured against attack.
- A robust patch management process must be implemented to address security vulnerabilities.
- A software upgrade policy with focus on security must be implemented to increase cyber resilience.
- An internet access strategy that minimises exposure to external threats should be implemented.
- Incident response plans must more clearly state when and how a security incident is to be reported.
- Competence of computer security incident response personnel must be significantly improved.
- A post-breach independent forensic review of the network, all endpoints, and the SCM system should be considered.
PDPC’s Decision
The Commissioner of the PDPC found that both SingHealth and IHiS had breached section 24 of the Personal Data Protection Act (PDPA), and directed SingHealth and IHiS to pay financial penalties of $250,000 and $750,000 respectively.
Section 24 of the PDPA requires organisations to “protect personal data in [their] possession or under [their] control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks”.
The Commissioner noted in his decision that the financial penalties imposed were individually the highest and second highest financial penalty amounts imposed by the PDPC to-date. They were appropriate, given that:
(a) this was the largest data breach suffered by any organisation in Singapore;
(b) 5.01 million individuals’ highly sensitive and confidential personal data was put at risk, and this increased the seriousness of SingHealth’s and IHiS’ data security inadequacies; and
(c) 159,000 individuals’ Dispensed Medication Records were exfiltrated, from which one may be able to deduce the condition for which they were being treated, which may include serious or socially embarrassing illnesses.
The Commissioner also made clear that without certain mitigating factors, the Commissioner would have imposed the maximum financial penalty allowed under the PDPA ($1m) against IHiS, and a significantly higher financial penalty against SingHealth. (I would point out though that SingHealth’s and IHiS’ financial penalties add up to the magic number $1m.)
As both parties had already put remediation measures in place, the Commissioner did not have further directions for them.
*You might be baffled by the abrupt introduction of a new entity to the story. The quick explanation is that IHiS is the IT agency for the public healthcare system, and serves its IT needs.)