The 2018 SingHealth cyberattack made that year a pivotal one, forcing a strategic shift in Singapore's cyber landscape. Of the 1.5 million patients whose personal records were exfiltrated, the attacker's specific and repeated targeting of the Prime Minister's records showed that this was a deliberate, well-planned attack rather than opportunistic data theft.

How Did the Data Leak Happen?

Initial investigations showed that a SingHealth workstation had been infected with malware. That foothold let the attackers move through the network until they eventually gained access to the database holding patient records. The investigation also noted the following contributing factors.

1. Lack of Security Awareness
IT staff could not respond to the attack effectively. Even after being alerted to a compromised host, they did not recognise the signs of an ongoing data leak or understand what those signs implied, so the intrusion was not escalated in time.

2. Incomplete Security Mitigations
Although risk assessments were performed regularly, the security team did not understand the full scope of the recommended mitigations and implemented only a fragmented subset of them. As a result, the system was left with vulnerabilities in both its architecture and its software, and these were exploited to reach patients' data.

3. Lack of Continuous Security Solutions
There was insufficient attack detection and security monitoring in key areas of the system architecture, so attacker activity that should have been visible went unnoticed.

Key Security Learnings

The 2018 SingHealth incident was a timely reminder that an effective defense cannot be static: systems must evolve to adopt continuous cybersecurity monitoring on both the organizational and the technical front. The following lessons are essential for building resilience against complex threats.

1. Risk Assessments Insights
Risk assessments were conducted at least twice before the 2018 cyberattack, yet their findings were neither properly conveyed to the system operators nor fully understood by the security management team. An assessment whose results are not acted on provides no protection.

2. Threat Identification Contextualization
Risk assessments should move away from generic, boilerplate threat lists, which are easily ignored because they repeat unchanged from one assessment to the next. Instead, each assessment should identify threats that are specific to the system as it currently exists, taking into account the security controls actually in place, including any added since the previous assessment.

3. Attack Path Prioritization
Prioritizing risks solely by asset classification was not only simplistic but also ineffective, because it ignored connectivity and the links between system components. Attackers exploit exactly this blind spot: they compromise a lower-priority asset, such as a user workstation, and pivot from it toward the high-value target, so a "low" asset that sits on every path to the crown jewels deserves the same attention as the target itself.
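As an added illustration of the attack-path point (example code written for this discussion, not from the COI report or any SingHealth system), the script below builds a small, invented asset graph and contrasts two rankings: one by asset classification alone, and one by how many attack paths from the internet to the database cross each asset. It also shows which single asset, if hardened or isolated, would sever the most paths. The asset names, classifications and connections are hypothetical.

```python
"""Attack-path analysis over a small, constructed asset graph.

Hypothetical example: the graph, asset names and classifications are
invented for illustration and do not describe any real deployment.
"""
from collections import Counter

# Asset classification as an auditor might record it (constructed):
# 0 = untrusted, 1 = low, 2 = medium, 3 = critical.
CLASSIFICATION = {
    "internet": 0,
    "workstation": 1,
    "email_gateway": 2,
    "vpn_gateway": 2,
    "jump_host": 2,
    "app_server": 2,
    "db_server": 3,
}

# Directed reachability: which asset can initiate a connection to which
# (constructed). Two entry points lead to the same workstation, and the
# workstation can reach the database via two different hops.
EDGES = {
    "internet": ["email_gateway", "vpn_gateway"],
    "email_gateway": ["workstation"],
    "vpn_gateway": ["workstation"],
    "workstation": ["jump_host", "app_server"],
    "jump_host": ["db_server"],
    "app_server": ["db_server"],
    "db_server": [],
}


def enumerate_attack_paths(edges, source, target):
    """Return every simple path from source to target (DFS, cycle-safe)."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:  # never revisit a node on the current path
                walk(nxt, path + [nxt])

    walk(source, [source])
    return paths


def rank_by_classification(classification):
    """Asset-only view: highest classification first, ties by name."""
    return sorted(classification, key=lambda a: (-classification[a], a))


def rank_by_attack_paths(paths):
    """Connectivity view: intermediate assets ordered by how many attack
    paths cross them. Source and target are excluded; they are givens."""
    hits = Counter()
    for path in paths:
        for node in path[1:-1]:
            hits[node] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


def choke_points(edges, source, target):
    """For each intermediate asset, count the attack paths that survive
    if that asset is removed (hardened or isolated). Zero means it is a
    choke point: every path to the target runs through it."""
    remaining = {}
    for asset in edges:
        if asset in (source, target):
            continue
        pruned = {
            a: [b for b in nbrs if b != asset]
            for a, nbrs in edges.items()
            if a != asset
        }
        remaining[asset] = len(enumerate_attack_paths(pruned, source, target))
    return remaining


if __name__ == "__main__":
    paths = enumerate_attack_paths(EDGES, "internet", "db_server")
    print("attack paths to db_server:")
    for p in paths:
        print("  " + " -> ".join(p))
    print("ranking by classification:", rank_by_classification(CLASSIFICATION))
    print("ranking by attack paths:  ", rank_by_attack_paths(paths))
    print("paths remaining if asset removed:", choke_points(EDGES, "internet", "db_server"))
```

Run as-is, the classification view puts the workstation second to last, while the path view puts it first: all four paths to the database cross it, and removing it is the only single change that leaves zero paths. That is the gap between ranking assets and ranking attack paths.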

As systems grow in scale and complexity and cyberattacks become more sophisticated, organizations need a proactive and dynamic security strategy. One way to prevent data leaks of this kind is to apply sound threat modeling practices: identify the attack paths to valuable assets, protect those assets against the attacks that matter, and design the system to stay resilient when a component is compromised.