SingHealth cyber attack COI's 400-page report basically says attack could've been mitigated

Some of the SingHealth cyber security lapses were very basic failings.

Jonathan Lim | January 10, 2019, 02:35 PM

The Committee of Inquiry (COI) looking into the cyber attack on SingHealth's medical data has released its report on Jan. 10.

The report investigated the circumstances leading to the exfiltration of patients' medical records, which occurred between June 27 and July 4, 2018, and provided recommendations to prevent future attacks.

In total, 1.5 million patients' non-medical personal data and 160,000 patients' outpatient medicine dispensation records were stolen from SingHealth's database, which was administered and operated by Integrated Health Information Systems (IHiS).

Prime Minister (PM) Lee Hsien Loong's medical data was one of the specific targets.

The COI heard from 37 witnesses in private and public hearings held over 22 days. It also received 26 submissions from individuals, organisations and industry associations.

The report gave five key findings. We'll start with the report's Key Finding #5, which best sums up this whole incident:

Key Finding #5: "The success of the attacker in obtaining and exfiltrating the data was not inevitable"

  • Security vulnerabilities could have been remedied before the attack, but they were not.
  • Key personnel who detected the attack could have escalated the issue, but did not do so.

And now, on to the specifics of what vulnerabilities were not remedied and which key personnel did not take immediate action:

Key Finding #1: IHiS staff lacked appropriate cybersecurity awareness, training, and resources

The COI commended "a number" of IHiS' IT administrators for noticing suspicious activity. However, it said the administrators "could not fully appreciate the security implications of their findings".

It added that "senior members of IHiS' management were similarly unable to fully appreciate the security implications of the findings".

Key Finding #2: Key IT security IHiS staff did not take "appropriate, effective, or timely action"

The COI found that the Security Incident Response Manager (SIRM) delayed reporting the cyber attack as he felt that "additional pressure would be put on him and his team" once the management was informed.

The report also said there was evidence that the manager was reluctant to escalate the matter due to his belief that "it would not reflect well in the eyes of the organisation if the matter turned out to be a false alarm".

SingHealth's Cluster Information Security Officer did not understand the significance of the situation and "effectively abdicated to the SIRM the responsibility of deciding whether to escalate the incident".

The COI said this was a missed opportunity.

Key Finding #3: There were a number of vulnerabilities, weaknesses, and misconfigurations in SingHealth's network and database

The COI listed four vulnerabilities under this key finding, including weak administrator passwords and the "need to improve network segregation for administrative access to critical servers".

It also found that although the Singapore General Hospital's servers required two-factor authentication (2FA), this was not enforced as the exclusive means of administrator access, which allowed the attackers to gain access to the servers.

The COI said that all these vulnerabilities contributed to the attacker's success and could have been remedied before the attack. It noted that a number of vulnerabilities remained at the time of the attack.

Key Finding #4: Attacker was skilled and bore characteristics of an Advanced Persistent Threat (APT) group

The attacker had a clear goal: the personal and outpatient medication data of the PM and of other patients.

The report said that the attacker was a well-resourced group with a wide range of technical expertise, and that it used stealthy and customised malware.

The report did not say where this group originated from or who it worked for.

The Cyber Security Agency of Singapore described APTs as:

"APT refers to a class of sophisticated, usually state-linked, cyber attackers who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations. APT attackers are known to be extremely persistent in finding ways to get into a network/system once a target had been identified."