SINGAPORE: A series of gaps in SingHealth’s mission-critical IT systems and staff missteps contributed to Singapore’s most serious breach of personal data that happened in June this year, according to Solicitor-General Kwek Mean Luck on Friday (Sep 21).
Giving his opening statement at the start of the Committee of Inquiry’s (COI) public hearings, Solicitor-General Kwek detailed how SingHealth’s network, particularly its electronic medical records (EMR) software system, was targeted in this cyberattack, which saw 1.5 million patient records accessed and 160,000 of those having their outpatient dispensed medicines’ records taken.
“The COI will hear that the cyberattack had characteristics that are typical of an advanced persistent threat (APT) attack, utilising advanced and sophisticated tools, including customised malware that evaded SingHealth’s antivirus software and security defences,” said Mr Kwek, who is leading the process of presenting evidence at the COI.
READ: Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee’s data targeted
READ: Commentary: SingHealth data breach should give us pause to think what else might be vulnerable
EMR SYSTEM TARGETED
The Solicitor-General identified the healthcare provider’s Sunrise Clinical Manager (SCM) software solution from Allscript Healthcare Solutions in the statement, saying it was implemented in 1999 and managed by Integrated Health Information System (IHIS) – the central IT agency for the health care sector.
The EMR contained in SingHealth’s SCM database includes:
Patient demographic data, clinical episode information, doctors’, nurses’ and clinicians’ orders, results, clinical documentation, vital signs, medical alerts and allergies, diagnosis and health issues, vaccination details, discharge summaries, medical certificates and outpatient medication dispensed.
As at July 2018, the database contained patient data belong to more than 5.01 million unique patients, Solicitor-General Kwek said.
He added that before June 2017, the SCM application and servers holding the EMR were on Citrix servers and hosted at Singapore General Hospital. A month later, the system at SGH was decommissioned and migrated to the Healthcare-Cloud (H-Cloud) – the public healthcare’s first private cloud set up in 2014.
With the migration, the SCM client app, database and security servers were all within H-Cloud environment. But there was still an open network connection from the Citrix server farm at SGH to the SCM database server in H-Cloud, which was a vulnerability that the cyberattacker later exploited.
GENESIS OF AN ATTACK
The cyberattacker had actually gained an initial presence in SingHealth’s network as early as August 2017 by “infecting workstations”, the Solicitor-General said.
“The attacker was able to gain access to an end-user workstation via a publicly available hacking tool because the workstation was running on a version of Microsoft Outlook that was not patched to address the use of that hacking tool,” he said, citing CSA’s findings.
Between December 2017 and May 2018, the attacker made use moved sideways in the network, making use of malware planted in one of the initially infected workstations to gain remote access to and control of the workstation. He then used that computer to distribute malware to infect other computers.
“The Cyber Security Agency of Singapore’s (CSA) assessment is that the attacker moved in a targeted manner, planning his route in the network to reach the SCM database, which was the attacker’s ultimate objective,” he said.
The agency’s director for National Cyber Incident Response Centre Dan Hock Yau will share with the committee how the attacker used a modus operandi that effectively bypassed IHIS’ security measures, which were deemed “sufficient to prevent a conventional attack” but not one of this nature, the Solicitor-General said.
From May to June this year, the attacker used a compromised workstation and some Citrix local administrator accounts to remotely log in to Citrix servers in SGH. CSA found that one of those Citrix local administrator accounts had protection measures, including a password – P@ssw0rd – that could be easily deciphered.
Solicitor-General Kwek said at this point, the attacker had not yet obtained SCM database credentials that would have allowed him to log in. In fact, the attacker had made multiple failed attempts to log in to the databased “using either non-existent user accounts or user accounts that had insufficient privileges to gain access”.
This was another of the network inadequacies highlighted by CSA’s Mr Dan, who said the attacker was able to run bulk queries because the system did not have existing rules or controls to detect such behaviour or the illegitimate use of certain SQL programmes, he pointed out.
SOFTWARE FLAW FLAGGED IN 2014
The Allscripts SCM software was mentioned as there is evidence there was “insecure coding vulnerability” in it and it is “highly probable” the vulnerability allowed the attacker to easily retrieve SCM database credentials from the Citrix server on H-Cloud, which can then be used to log in to the database.
And IHIS was said to have known of this back in 2014.
Former employee Zhao Hainan had informed a commercial competitor of Allscripts about the existence of the vulnerability in general terms, the Solicitor-General said, adding “it appears that no action was taken by IHIS management personnel who were aware of his exploits to investigate or remedy the vulnerability he had found”.
The cyberattacker eventually managed to access a H-Cloud Citrix server through which users were accessing the SCM database, and CSA hypothesised that it is probable that the perpetrator stole the needed credentials through this avenue. The SCM databased was successfully accessed on Jun 26 but no queries were made on that date, he added.
HITTING JACKPOT
The real activity started the day after, when the attacker began sending queries to the database up till Jul 4, running “numerous bulk SQL queries from the SGH Citrix server against the SCM database server (via the open network connection)”. These activities were only terminated by IHIS database administrator Katherine Tan on Jul 4.
The data unlawfully accessed and exfiltrated from Jun 27 to Jul 4 this year belonged to 1,495,367 patients comprising their demographic records. The attackers also made off with 2,001,008 dispensed medication records pertaining to about 159,000 of these patients, said Solicitor-General Kwek.
On the attacker’s profile, he said CSA has ascertained them to be a “skilled and sophisticated threat actor and that the tactics, techniques and procedures as well as some of the tools and malware used by the attacker fit the profile of an APT group that (the agency) has previously encountered in other investigations”.
In light of national security considerations, the committee will hear its grounds for attribution in a private hearing, he added.
STAFF MISSTEPS
The Solicitor-General also outlined three time periods to consider when assessing the immediate responses to the cyberattack.
From Jun 11, 2018, when IHIS staff first became aware of attempts at unauthorised access to the SCM database;
From Jul 4 to Jul 9, when IHIS staff became aware of and terminated SQL queries run by the attacker on the database, and first notifying senior management of the activities on the night of the 9th;
From Jul 10, when IHIS senior management, SingHealth, the Ministry of Health and CSA were brought on board to Jul 20 when the incident was first made public.
Of the first period, Solicitor-General Kwek said the committee will hear from IHIS about how despite taking the initiative for actions like changing passwords and shutting down a Citrix server at SGH, these were “nevertheless piecemeal and inadequate”.
For the second time period, he said the evidence will show that despite what the staff knew from mid-June, they “did not fully appreciate that multiple cybersecurity incidents culminating in a breach of the SCM database were occurring”. As such, they did not report the incident in a timely manner as required under CSA’s National Cyber Incident Response Framework.
“Given that the SCM system is a critical infrastructure information (CII) system, a cybersecurity incident occurring in the SCM system would in fact be considered a Category 1 incident under the NCIRF and require verbal reporting by the sector lead to CSA within two hours,” the Solicitor-General said.
Among the first two witnesses for the public hearing on Friday is IHIS assistant director (Infra Services – Systems Management) Lim Yuan Woh, who had first discovered on Jun 11 that certain accounts had been compromised, he added.
Solicitor-General Kwek said in conclusion that as the evidence is presented before the committee, “it will be apparent that more could have been done to deter the cyberattack”.
“At the same time, it is also important to bear in mind that this was a highly sophisticated and persistent attack, planned and executed with patience,” he said.
“In the spirt of the inquiry of this COI, the focus is not on fault-finding but on probing and learning, so that we can identify are as that would strengthen the defences of our organisations against future cyberattacks.”
