The worst-ever security breach to hit Singapore to date was not down to sophisticated hackers, but the most basic of failings by staff managing the SingHealth computer system.
This is according to an independent panel investigating the SingHealth security breach.
In its 453-page report, the Committee of Inquiry noted that the lax cyber-security practices discovered include weak passwords, delays in implementing important security patches, and an IT cyber-security team that could not even recognise a cyber-attack.
At present, all the domain expertise and resources to detect and manage cyber-security risks lie with IHiS, Singapore’s central IT agency for the healthcare sector.
The COI said the data breach could have been avoided if not for a “blanket of middle management mistakes” at IHiS.
A middle manager did not understand what would constitute a cyber-security incident, and delayed reporting the network intrusion, fearing that he and his team would be under greater pressure.
The key man for cyber-security, cluster information security officer Wee Jia Huo, was found to have displayed an “alarming lack of concern” when it was clear that there was a data breach.
As indicated in the report:
“The attacker was stealthy but not silent, and signs of the attack were observed by IHiS’ staff. Had IHiS’ staff been able to recognise that an attack was ongoing and take appropriate action, the attacker could have been stopped before it achieved its objectives.”
The COI also determined that organisational culture was to blame for some of the missteps.
“One must not lose sight of the fact that the treatment of cyber-security issues and incidents by staff and middle management is very much shaped by organisational culture.”
The lapses contributed to successful data exfiltration from SingHealth’s electronic medical records system from 27 June to 4 July last year.
Hackers stole the personal data of 1.5 million patients and the outpatient prescription details of 160,000 people, including Prime Minister Lee Hsien Loong.
Despite the severity of the breach, Professor Ivy Ng, SingHealth Group CEO, and IHiS CEO Bruce Liang have yet to take personal responsibility for the incident.