Singapore’s IHiS (Integrated Health Information Systems) has sacked two managers and fined five senior staff, including CEO Bruce Liang, for their part in last year’s SingHealth data breach.
The incident affected 1.5 million people – just under a third of the country’s population – with criminal hackers accessing patients’ names, dates of birth, NRIC (National Registration Identity Card) numbers, and details of their gender and race.
About 160,000 patients, including Singapore’s prime minister, Lee Hsien Loong, also had information related to their outpatient prescriptions stolen.
The breach was initially described by the Ministry of Health and the Ministry of Communications and Information as a “deliberate, targeted and well-planned cyberattack”, but an investigation later discovered that human error played a major role.
Although SingHealth had adopted the necessary technical controls, two senior employees were found to be “negligent and in non-compliance of orders”.
Investigators criticised Citrix Team Leader Lum Yuan Woh’s poor attitude and server setup, which “introduced unnecessary and significant risks to the system”. Meanwhile, Security Incident Response Manager Ernest Tan “persistently held a mistaken understanding of what constituted a ‘security incident’” and when incidents needed to be reported.
Five other senior employees were also criticised, but their mistakes weren’t deemed serious enough to justify dismissal. Four of them were fined and one was demoted.
What exactly went wrong?
SingHealth’s employees committed three major mistakes:
- First, they failed to apply software patches, which allowed the attackers to exploit a Microsoft Office vulnerability and gain access to an employee’s computer.
Microsoft is very efficient when it comes to patching – so efficient, in fact, that industry insiders refer to its regular monthly updates as ‘Patch Tuesday’. The company’s attentiveness shouldn’t be a surprise, given that its products are used by more than a billion people worldwide. Should a criminal hacker find an exploitable vulnerability, pretty much every computer-using organisation in the world would be at risk.
But patches only work if the organisation applies the update. In this case, SingHealth didn’t, and it only has itself to blame.
- It took a year to identify the breach. The crooks first accessed SingHealth’s network as early as August 2017, but it took employees almost a year to notice the intrusion. During that time, the criminals distributed malware and infected other computers.
It almost always takes time to spot a breach, but the target should be no more than 100 days. According to the 2018 Ponemon Cost of a Data Breach Study, the average cost of an incident discovered within this time frame was $5.99 million (about £4.5 million), but if it takes longer, the average rises to $8.7 million (about £6.6 million).
- Employees were using weak passwords such as ‘P@ssw0rd’. This is one of the biggest weaknesses in any organisation (along with writing passwords down), which is especially frustrating when you consider how simple effective password security can be.
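The ‘P@ssw0rd’ example illustrates why complexity rules alone are not password security: it satisfies the classic “eight characters, upper, lower, digit, symbol” rule and is still one of the first guesses any attacker tries. The check below is an added illustration written for this article, not code from IHiS or SingHealth. It shows the naive complexity rule side by side with a stronger policy that undoes ‘leet’ substitutions and rejects common and context-specific passwords. The denylist and the context words are constructed for the example; a real deployment would use a large breached-password corpus.

```python
import re

# Constructed denylist: a handful of widely breached passwords. A real deployment
# would load a large breached-password corpus instead of this toy set.
COMMON_PASSWORDS = {
    "password", "passw0rd", "welcome", "qwerty", "letmein", "admin", "changeme",
}

# Constructed list of context words that should never appear in a password here.
CONTEXT_WORDS = {"singhealth", "ihis", "hospital"}

# Reverse the usual "leet" substitutions so that P@ssw0rd normalises to "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def naive_complexity_ok(pw: str) -> bool:
    """The classic rule that 'P@ssw0rd' passes: 8+ chars, upper, lower, digit, symbol."""
    return all((
        len(pw) >= 8,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[0-9]", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ))


def normalise(pw: str) -> str:
    """Lower-case the password and undo leet substitutions."""
    return pw.lower().translate(LEET_MAP)


def check_password(pw: str, min_length: int = 12) -> list:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")

    low = pw.lower()
    # Also judge the password with trailing digits/symbols removed, so that
    # "Password2019!" is assessed on its core word "password".
    core = re.sub(r"[^a-z]+$", "", low)
    candidates = {normalise(low), normalise(core)}

    if candidates & COMMON_PASSWORDS:
        problems.append("a common breached password once leet substitutions are undone")
    if any(word in cand for cand in candidates for word in CONTEXT_WORDS):
        problems.append("contains an organisation or context word")
    if len(set(low)) < 4:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "SingHealth2019!", "correct horse battery staple"):
        print(f"{candidate!r}: naive rule passes={naive_complexity_ok(candidate)}, "
              f"policy problems={check_password(candidate)}")
```

Running the block shows ‘P@ssw0rd’ passing the naive rule while the policy rejects it as both too short and a common password; a long passphrase fails the naive rule (no uppercase or digit) yet is accepted by the policy, which is the behaviour a modern password standard expects.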
‘We will learn’
IHiS Chairman Paul Chan said the incident was a “reminder of our need to be ever more vigilant and prepared for new cyber threats. Patient care will continue to be our priority. IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this.”
One of the most important lessons IHiS needs to learn is how to create a cyber security culture, one in which everybody is aware of their responsibilities and follows the organisation’s information security policies.
That problem is far from exclusive to IHiS. Human error is a major cause of data breaches, and all organisations should take appropriate measures to mitigate the risk.
You can find out what those measures entail by reading our free guide: Nine ways to improve your security awareness programme. It explains:
- The steps you should take before implementing a security awareness programme;
- How you can engage your audience;
- The importance of focusing on behaviour, not just knowledge; and
- How to measure the success of your security awareness programme.