By SecureWorld News Team
Fri | Sep 28, 2018 | 8:31 AM PDT

It was the summer of 2018 when hackers stole information on 1.5 million patients, including records belonging to Singapore Prime Minister Lee Hsien Loong.

Now the country's "worst cyber attack" is the subject of hearings, which led to two major revelations this week.

Failure to patch leads to hack

The Singapore Times has been covering the hearings, including the bombshell about a failure to patch the server which hackers used to gain access to the healthcare network.

"A server exploited by hackers to ultimately reach SingHealth's critical system, leading to Singapore's worst data breach in June, had not received the necessary security software updates for more than a year."

In fact, it had been 14 months since the last patch. That patch was installed in May 2017, in response to the worldwide outbreak of WannaCry ransomware.

Failure to train in cybersecurity

The hearings also revealed something else just as surprising about Singapore's largest health system. The man assigned to patch the server, who was also the first to notice a problem that had been "quarantined" by a manual anti-virus scan, was left to fend for himself.

"Mr Tan, whose main task is planning business continuation programmes, said he was not trained in cybersecurity or server administration and had not been given any standard operating procedures for managing security incidents."

How did someone with his job description end up responsible for cybersecurity?

The hearings revealed that maintaining this particular server apparently fell through the cracks of the Integrated Health Information Systems oversight.

This reminds us of the way the Equifax breach started: the person in charge of patching the Apache Struts vulnerability was apparently never notified because an email distribution list was outdated and did not include that employee.
