SingHealth Breach: Panel Hears About Missteps
Key Security Practitioner Acknowledges He Was on Leave When Alerts Were Sent
The four-member Committee of Inquiry investigating the SingHealth data breach that affected 1.5 million patients in Singapore heard testimony at a hearing on Wednesday that the healthcare organization's technology vendor failed to take prompt action on security alerts because a key cybersecurity employee was on leave.
Integrated Health Information Systems, SingHealth's technology vendor, apparently failed to designate someone to handle that employee's duties while he was out, the panel learned, according to The Straits Times. Then upon his return, the employee failed to take immediate action because he did not think the warnings were of a severe nature.
"Industry best practices recommend a proper handing over/taking over process whenever a staff member leaves his position, even if it is for a few days or for annual leave," says Aloysius Cheang, CEO at iSyncGroup, a company specializing in IoT. "However, companies may not follow industry best practices. It is entirely up to the management to dictate that and to monitor that it is properly executed."
In a new development, the Committee of Inquiry has revealed that the server exploited in the attack had not been patched for more than a year, Channel NewsAsia reports.
IHiS cybersecurity specialist Ernest Tan Choon Kiat, who is senior manager, infra services-security management, told the panel that he did not immediately read emails about suspicious network activities sent to him in mid-June because he was on a holiday.
"I did not read any of these emails at the time they were sent, as I was on overseas leave in Japan from June 9 to 17. I only read them when I returned to Singapore on Monday, June 18," he said at the hearing, according to The Straits Times.
During the hearing, however, it was not mentioned whether anyone else had been designated to handle IT security in his absence.
Tan told the panel that once he read the emails, he did not understand the severity of the situation or follow up to seek clarification. Furthermore, he said he disagreed with a system engineer's description of the malware infection as an incident worth reporting, The Straits Times reports.
IHiS, which runs the IT systems of all public healthcare institutions in Singapore, receives 40 to 50 security alerts daily about malware infections, Tan said at the hearing, according to The Straits Times. Malware investigations are "a fairly common occurrence and would be based on suspicion," Tan said, according to the news report.
Once he returned from vacation, Tan told the panel, he noticed that unauthorized attempts had also been made to connect to electronic medical records. "This was only an attempt to connect to the database. To my mind, this was not a reportable security incident," he said.
"[Even] the fact that several different username-password combinations had been used in attempting to connect to the database did not ring any alarm bells," Tan told the panel, according to The Straits Times.
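The pattern Tan describes, one host trying several different accounts against the medical records database in a short time and then getting in, is exactly what a credential-guessing detection looks for. The following is an added example, not code from IHiS, SingHealth or the inquiry record: the log format, host names, account names and thresholds are constructed for illustration. It reads authentication log lines, flags any host that fails as three or more distinct users within a 30-minute window as a reportable finding, and raises the severity to critical when the same host later authenticates successfully to the same database, since one of the guessed credentials may have worked.

```python
"""Flag credential-guessing against a database from authentication logs.

Added example. The key=value log format, hosts, accounts and thresholds
below are hypothetical and are not from IHiS or SingHealth systems.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format). ws-0412 walks through
# five accounts in under a minute and then succeeds; ws-0099 is an ordinary
# mistyped password; app-srv-01 is one service account failing once a day.
SAMPLE_LOG = """\
2018-06-11T02:14:05 host=ws-0412 db=emr user=svc_backup result=FAIL
2018-06-11T02:14:09 host=ws-0412 db=emr user=sa result=FAIL
2018-06-11T02:14:13 host=ws-0412 db=emr user=emr_app result=FAIL
2018-06-11T02:14:20 host=ws-0412 db=emr user=dba result=FAIL
2018-06-11T02:14:27 host=ws-0412 db=emr user=administrator result=FAIL
2018-06-11T02:15:02 host=ws-0412 db=emr user=emr_report result=SUCCESS
2018-06-11T08:03:41 host=ws-0099 db=emr user=nurse.lim result=FAIL
2018-06-11T08:03:55 host=ws-0099 db=emr user=nurse.lim result=SUCCESS
2018-06-12T09:00:00 host=app-srv-01 db=emr user=svc_app result=FAIL
2018-06-13T09:00:00 host=app-srv-01 db=emr user=svc_app result=FAIL
2018-06-14T09:00:00 host=app-srv-01 db=emr user=svc_app result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) db=(?P<db>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_events(text):
    """Parse log lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_credential_guessing(events, window=timedelta(minutes=30),
                             min_distinct_users=3):
    """Return one finding per (host, db) where a single host failed to log in
    as at least `min_distinct_users` different accounts inside `window`.

    A SUCCESS from the same host against the same db after the guessing
    started is escalated to "critical": a guessed credential may have worked.
    """
    findings = {}
    recent = defaultdict(deque)  # (host, db) -> failures inside the window
    for ev in events:
        key = (ev["host"], ev["db"])
        if ev["result"] == "FAIL":
            q = recent[key]
            q.append(ev)
            while ev["ts"] - q[0]["ts"] > window:  # drop stale failures
                q.popleft()
            users = {e["user"] for e in q}
            f = findings.get(key)
            if f is None and len(users) >= min_distinct_users:
                f = findings[key] = {
                    "host": ev["host"], "db": ev["db"],
                    "first_seen": q[0]["ts"], "last_seen": ev["ts"],
                    "distinct_users": set(), "failures": len(q),
                    "success_after": False, "severity": "reportable",
                }
            elif f is not None:
                f["failures"] += 1
            if f is not None:
                f["distinct_users"] |= users
                f["last_seen"] = ev["ts"]
        elif key in findings and ev["ts"] >= findings[key]["first_seen"]:
            findings[key]["success_after"] = True
            findings[key]["severity"] = "critical"
    out = []
    for f in findings.values():
        f["distinct_users"] = sorted(f["distinct_users"])
        out.append(f)
    return out


if __name__ == "__main__":
    for f in find_credential_guessing(parse_events(SAMPLE_LOG)):
        print(f"{f['severity'].upper()}: {f['host']} -> {f['db']}: "
              f"{f['failures']} failures as {len(f['distinct_users'])} users "
              f"between {f['first_seen']} and {f['last_seen']}, "
              f"later success={f['success_after']}")
```

Run as-is and only ws-0412 is reported, as critical; the mistyped password and the daily service-account failure stay below the distinct-user threshold. Keying on distinct accounts per source rather than raw failure counts is what separates this from the 40 to 50 routine alerts a day that Tan described: a legitimate user rarely has a reason to try five different database logins in a minute.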
When asked whether he had attempted to reach out to SingHealth's management, Tan said that he did not think it was his responsibility to do so.
"The responsibility for escalating a security incident lies with the security officer of the affected healthcare entity," he said.
It also came to light at the hearing that there was only one computer at IHiS to carry out digital forensic examinations, which contributed to delays in determining the severity of the intrusions, the news report said.
Shortcomings in Alert Detection
While some practitioners blame IHiS for not having adequately trained staff on hand in the absence of a key security officer, others say alert fatigue may also have played a role.
Tom Wills, adviser at TuriQ, a firm that works with blockchain startups, says: "These things happen routinely. Security team members receive a continual stream of alerts all day long, the vast majority of which are false alarms. This would cause most people to tune out the alerts, which of course leads to the danger that a critical alert might be missed. I don't know if this is what happened in this particular case, but I do know that it's an endemic problem for security practitioners. If it did happen, information overload should not be considered an excuse, but should point to this systemic problem in incident management that needs to be addressed."
Wills says machine learning could help alleviate the problem of information overload.
"Machine learning technology shows promise in analyzing large volumes of data such as we get with security alerts, and eliminating false positives and negatives so that a given alert has much more value in terms of indicating an actual security issue that needs to be acted upon," he says.