Reading the findings by the Committee of Inquiry on the SingHealth data breach these few days is like watching a drama unfold. It is almost surely going to be a textbook case study of information security data breaches everyone all over the world is going to talk about.
As embarrassing as it may be for us, or at least SingHealth in particular, this episode highlights the gross incompetence in information security that can lurk in any organisation. Information security is everyone’s responsibility, but clearly at SingHealth, most people don’t believe in that.
Some of the findings we have heard include:
- Administrator account for the server linked to the electronic medical record (EMR) system had the password
P@ssw0rd. I suppose someone thought this password was complicated enough to evade guessing. They are so wrong. Already back in 2016, this is exactly one of the 10 most-guessed passwords, according to researchers at SplashData. - A server exploited in the data breach did not get any security updates for 14 months. FOURTEEN months is not an eternity, that would be an understatement. SIX months is already an eternity when it comes to IT security. Fourteen months is simply incomprehensible. They might as well not have passwords.
- The role of server administrator apparently fell on a person who has no training in server administration or cyber security. A natural follow-up question will then be how he became entrusted with that responsibility. This is akin to just handing the keys for a nuclear missile launch control system to some random dude that happens to be conveniently available.
- An IHiS staff, who is presumably proficient in is job, was mistaken that no data was stolen. This resulted in the delay in finding out the truth that, in fact, significant amount of information had been scooped up by the attacker.
- There are apparently some significant organisational lapses at IHiS. We are learning about issues with procedures, escalation plans, and covering duties of staff on leave, etc.
You would reasonably have expected an organisation specifically setup for the purpose of providing IT services for the healthcare industry and involving healthcare data must be quite strong with IT security controls. Yet, they made so many missteps, missteps that were so serious that it is bewildering. Everything we are hearing seems to hint towards some underlying cultural problem, like the other cultural problem at another national institution that hasn’t manage to clean up their act after half a decade.
Now, didn’t some people early on described this data breach as a sophisticated, unprecedented, cyberattack? From the start I had told myself that I wouldn’t be surprised if the data breach came down because of some really lame reasons. Indeed, what has happened at SingHealth and IHiS is precisely that. They attempted to defend their castle with peons who were untrained, soldiers who were not at their posts, commanders who were too busy drinking, and no one noticed that the enemy has strolled in through the main gate because it was neither locked down, nor was the drawbridge raised.
This SingHealth inquiry is not over, and from the way things look, we will continue to hear more shocking revelations. It appears that this COI is going to unearth a lot of dirt. (I think perhaps they’ve decided that there are some scapegoats to blame, a whole bunch of them in fact, that they can comfortably let the drama unfold before the public.)
There’s a positive angle to this. This data breach incident is leaving us with important lessons. There are many things we know, but we don’t practise. We close one eye, or even two eyes, and pretend that if we don’t know, then nothing happened. It is a wake up call to take information security really seriously.
More importantly, everyone needs to understand that information security requires each one of us to play our part. Notice I don’t say “IT security”, because information security isn’t just about technology. There are non-technology aspects as well, and they aren’t any less important. Also, it’s the information we care about, not the IT.
When this is over, the SingHealth data breach debacle will go down history as real-life lessons on everything that went wrong and how others can avoid repeating them.