Singapore’s government health database has been hacked and the personal information of about 1.5 million people has been stolen, including that of Prime Minister Lee Hsien Loong.
A joint statement by the Health Ministry and the Ministry of Communications and Information announced: "Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs."
However, the government has not speculated publicly about attributing the source of the attack.
But it is known that Prime Minister Lee Hsien Loong’s personal details and information on his outpatient dispensed medicines were specifically targeted, among non-medical personal details of 1.5 million patients who visited clinics between May 2015 and July 4 this year. The data included names, NRIC numbers, addresses, gender, race and date of birth.
It is reported that a Committee of Inquiry will be established and immediate action taken to strengthen government systems against cyber attacks.
Ross Brewer, VP & MD EMEA at LogRhythm, notes that the state of Singapore is typically in good health when it comes to cyber-security, but that it’s too early to say whether this was simply a targeted attack on the PM’s records, with other citizens’ data as collateral damage, though clearly Mr Lee’s data was ‘specifically and repeatedly targeted’.
Brewer adds: "Hackers gained access to the database via a malware infected computer at SingHealth. The organisation has temporarily banned staff from accessing the internet on work devices as it moves to ensure that the malware cannot spread further – a response reminiscent of the NHS’ to the WannaCry ransomware attacks last year.
"Malware is becoming more sophisticated. Singapore is regarded as a world leader in cyber-security but even it couldn’t detect the infection before it was too late. This should be a warning to businesses which need to equip themselves with advanced threat detection capabilities, if they haven’t invested in a solution already. Technology such as NextGen SIEM adds automation and machine learning to enhance monitoring capabilities that can enable businesses to quickly identify activity caused by sophisticated malware and respond to it before data is lost."
Legal consequences of breach
Simon Cuthbert, head of international, 8MAN by Protected Networks, particularly considered the data-breach aspect, noting, "The repercussions will likely be extensive in terms of financial damage, reputational damage and customer loyalty. It will be interesting, and noteworthy, to see how the authorities in Singapore respond to this breach under the PDPA (Personal Data Protection Act), the Malaysian equivalent to the EU GDPR legislation. As with the new EU GDPR legislation there is the risk of high fines but also the possibility of imprisonment up to 12 months in Singapore. This will be a significant blow to the wealthy city which prides itself on its stability and security."
Fraser Kyne, EMEA CTO at Bromium, adds: "This is a very serious breach given the sensitivity of the data accessed, and the sheer volume of records. It appears the initial infection came through a single user endpoint being infected with malware, which then worked its way through the network. This once again highlights how today’s cyber-security is a house of cards – it just takes one person to click on the wrong thing for the whole thing to come crashing down. Only when we admit that we cannot detect and stop threats, and instead start focusing on minimising harm, can we ever hope to disrupt hackers. The simple fact is that if the endpoint was isolated, then the hacker would have had nowhere to go and nothing to steal.
"Yet it also highlights the fact that we can no longer trust our networks or most of our endpoints. Hackers will inevitably find a way in. Air-gapping can be an effective solution, but it is impractical when you have multiple employees trying to access a business critical application. Instead, we need to shrink protection to application level. By protecting applications that store our most sensitive and critical data, even if the device or network is compromised, that application cannot be touched as it will be invisible to the device and network."
Olli Jarva, managing consultant at Synopsys' Software Integrity Group, emailed SC Media UK to note how healthcare and medical data is now more valuable than credit card or financial information, and thus it is time to build security into applications that store healthcare data.
He adds, "Today’s news pointed out that ‘Unusual activity was first detected on July 4, 2018, on one of the SingHealth’s IT databases’. When we are designing and building the systems to be resilient for cyber-attacks, we have to start building security from within, rather than only relying on perimeter defence. This means that before a single line of code is written, we have already started to map down our potential security problems from the design standpoint.
"Typically large computer systems are part of a bigger project developed and delivered by System Integrators (third parties), where the supply chains can get complicated. This compounds the challenge to manage security, as different parts of the system may have different third-party software components and inherent vulnerabilities, and often, may not be properly identified and patched early enough. This isn’t a challenge that is unique to healthcare, it is a challenge that every large organisation goes through.
"From a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:
Lack of security resources, financial resources, and expertise, to correct this weakness.
Dealing with an extremely heterogeneous environment. While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software (such as those used to manage implantable pacemakers).
Systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs, but may not have uniform cyber security effectiveness. Electronic Health Records (EHRs) promise to help practitioners and patients by simplifying the sharing of information."
James Hadley, CEO & Founder of Immersive Labs adds: "A breach of any type can never be underestimated, however, as this incident has resulted in the loss of health records the consequences could be devastating for individuals. It is no longer acceptable to stick with traditional means of security, and leave the protection of data down to those seen to be elite in the field. Every organisation, from businesses to hospitals, must create a cyber-skilled workforce, to ensure they are ahead of the bad guys and make breaches like this more difficult to come by. Taking on cyber-security skills at this kind of scale should be a major priority."
This view is echoed by Matt Aldridge, senior solutions architect at Webroot, who says healthcare networks and organisations need to take a proactive stance with regard to cybersecurity. "Firstly, the sector should work together in a collaborative fashion to identify and address existing vulnerabilities. Additionally, staff training to recognise threats should be high on the list to enable people to recognise attacks. Finally, as attackers constantly develop and deploy new technologies to help them access private data, so healthcare organisations should improve their cybersecurity arsenal with the best technology to keep them safe. Smart capabilities, such as machine learning, can be used to intelligently deliver threat protection and help detect and stop attacks, particularly on a large scale. A combination of an intelligent and well defined approach to security and making use of the latest defence technologies can go a long way to helping keep patient data safe."
Praise for quick response
Amid the fallout, the Singapore government gets praise from Eric Hoh, President of Asia Pacific at FireEye, who says: "We would like to see more governments follow their lead in disclosing breaches. Disclosure enables other organisations to take steps to improve their defenses against similar attacks.
"A cyber espionage threat actor could leverage disclosure of sensitive health information, or financial health related vulnerabilities to coerce an individual in position of interest to conduct espionage. There are no quick fixes to the cyber security challenge, and breaches are inevitable. It’s important that business and governments work together to improve our collective security so that when breaches do occur, we can minimise the consequences."
FireEye reports that Asia Pacific organisations it investigated were breached for a median of 498 days before they even detected the intruder, with Hoh adding: "Against those metrics, this is a relatively fast response."
Sanjay Aurora, managing director, Asia Pacific, Darktrace, agrees, commenting in an email to SC Media UK: "For this cyber attack to have been detected, investigated and reported within a month is a comparative success. How many other countries around the world are capable of even detecting this attack within a month, let alone able to conduct a full investigation in this short time period? Hackers only got the equivalent of a phone book for the majority, but support will be needed for the 160,000 medicinal details stolen.
"At the moment we can only speculate on the motives of the hackers behind the SingHealth data breach. Like other kinds of personal data, medical information can be easily monetised via criminal forums. But beyond making a quick buck, a more sinister reason to attack would be to cause widespread disruption and systemic damage to the healthcare service - as a fundamental part of critical infrastructure – or to undermine trust in a nation’s competency to keep personal data safe.
"On the whole, Singapore has a very good security posture and a number of Singaporean organisations are embracing the latest AI technologies to detect threats already on the inside and keep their systems safe against these inevitable attacks."
UK taking action
In the UK, the new health and social care secretary, Matt Hancock, has just announced a £487 million technology boost for the NHS, which Vikki Archer, head of public sector, UK and Ireland, CyberArk, described as: "... certainly a step in the right direction to help improve the efficiency of our healthcare system and fix some of its current issues… What must be avoided, though, is simply throwing money at technology without consideration of wider issues around its successful deployment, like overall accountability and a joined-up approach to securing patient data and system resilience.
"By adopting centrally managed controls and monitoring of IT and cyber security systems, NHS trusts can usher in a new era of accountability. There needs to be one team in place with one view of the technology and security landscape. Investment in technology for the health service will achieve nothing without a centralised team to analyse and protect the IT systems where patient data resides. Such standardisation will also help create more clearly defined plans and objectives around IT spend, and perhaps most importantly, put the service on the front foot in the fight against both internal and external threats."
Useful reference material
Jarva suggested that the following reference information be taken into account:
In response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force (2017).
This taskforce came up with six recommendations that healthcare organisations should be considering:
1: Define and streamline leadership, governance, and expectations for cyber security in the healthcare industry.
2: Increase the security and resilience of medical devices and health IT.
3: Develop the healthcare workforce capacity necessary to prioritise and ensure cybersecurity awareness and technical capabilities.
4: Increase healthcare industry readiness through improved cybersecurity awareness and education.
5: Identify mechanisms to protect R&D efforts and intellectual property (IP) from attacks or exposure.
6: Improve information sharing of industry threats, risks, and mitigations.