Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 361 of 425

appears to be no set timeline for the rolling out of the DAM solution at present, this is a positive step forward and should be encouraged.
44.3 End-user access to the electronic health records should be made more secure
1046. Although the attacker compromised the AA. account in this case and was able to retrieve patient data in bulk by querying the database directly, there is also a significant risk of an attacker using stolen credentials to access the EMR via the front-end client, masquerading as a legitimate user, and carrying out targeted retrieval of medical records of specific pre-identified individuals. This would not trigger alerts tied to the volume of records retrieved.
1047. More rigorous authentication methods should therefore be considered. Because passwords are so vulnerable, requiring people to use at least two forms of authentication – e.g. a password and token – to access the EMR would appreciably enhance protection against unauthorised access. A multifactor authentication process would make it significantly harder for an attacker to impersonate a user, even if the primary password has been exposed. Experts Dr Lim, Gen. Alexander, Vivek and Richard all concur with the recommendation to implement two-factor authentication (“2FA”).
1048. Gen. Alexander testified that 2FA has been successfully implemented in a number of health services in the USA, including Centura Health, UC Health, National Institute of Health, and Raleigh Regional Hub. Gen. Alexander also said that it is possible for 2FA solutions to be extremely quick, and to enable a one-time login process, such that once logged in, medical personnel can carry on accessing the EMR while walking around the wards. Vivek has said that implementation of 2FA would not necessarily be too onerous, and could be accomplished by simply issuing smart ID cards to users, which is already done in the government context.


