[BreachExchange] Exploited server in SingHealth cyber attack did not get security update for 14 months, COI finds

Destry Winant destry at riskbasedsecurity.com
Thu Sep 27 16:11:27 EDT 2018


https://www.straitstimes.com/singapore/hacked-singhealth-server-had-not-had-security-update-for-14-months-cyber-attack-coi-finds

SINGAPORE - A server exploited by hackers to ultimately reach
SingHealth's critical system, leading to Singapore's worst data breach
in June, had not received the necessary security software updates for
more than a year.

Servers are typically patched several times a month.

This server became one of the many pathways hackers exploited, as it
fell through the cracks of Integrated Health Information Systems'
(IHiS) oversight, the Committee of Inquiry (COI) heard on Thursday
(Sept 27).

At the COI hearing into the breach, Mr Tan Aik Chin, a senior manager
of cancer service registry and development at the National Cancer
Centre Singapore (NCCS), testified that he became the "convenient"
custodian of the server in question.

On paper, he was not supposed to manage the server, but he had been
doing so in practice since 2014.

Because the server is located at the NCCS, his counterparts at IHiS
felt it was "convenient" to give him the username and password for the
administrator account of this server "in case they need me to help",
he said before the four-member committee on Thursday.

These counterparts later left the organisation and no one at IHiS took
over the management of the server.

The NCCS belongs to the SingHealth cluster. Formed in 2008, IHiS is an
agency which runs the IT systems of all public healthcare institutions
here.

Mr Tan, whose main task is planning business continuation programmes,
said he was not trained in cyber security or server administration,
and had not been given any standard operating procedures for managing
security incidents.

The last time the exploited server received the necessary security
software updates was in May last year, following the spread of the
WannaCry ransomware that disrupted healthcare, manufacturing,
transport and government operations around the world. IHiS had
circulated instructions to update all Windows servers.

Mr Tan learnt that the exploited server became infected with a virus
sometime in July this year - 14 months after the last security
software update. An IHiS staff member could not update the anti-virus
software within this server, as it was too old and had to be
reinstalled. The IHiS staff member told Mr Tan to disconnect the
server from the SingHealth network to perform manual anti-virus
software installation and virus signature updates.

On July 10, when Mr Tan scanned the server, he detected three security
threats, two of which had been cleaned up, but one had been
"quarantined".

The intrusions on SingHealth's electronic medical records system began
undetected on June 27 before being discovered on July 4 and terminated
by an IHiS staff member.

The Cyber Security Agency of Singapore and upper management at IHiS
and SingHealth were informed of the attack on July 10.

On Thursday, Ms Serena Yong, director of IHiS infrastructure services
division, said that she was not aware that the server in question was
not being managed by IHiS in practice.

She had given a directive in 2014 that IHiS would not manage eight
research servers, which then came under the care of Mr Tan.

Before 2008, he was managing a mixture of application, database and
research servers under the NCCS. But after IHiS was set up in 2008, it
took over the management of everything except research servers.

The inquiry continues.
