Singapore health system hack affects personal data of 1.5 million

July 23, 2018

Singapore is battling yet another government-targeted cyber attack. It’s not the first to hit the Singapore government: a previous attack on the defence ministry was foiled, and Prime Minister Mr Lee Loong’s official website has also previously been compromised.

As a result of recurring attacks, in 2016 the Singapore government put measures in place to try to prevent further attacks. It removed internet access on government systems, allowing key ministries in the civil service to use only the intranet.

However, these measures have proven futile with the latest and worst cyber attack to hit Singapore when its health service was breached last week. The computers at the Ministry of Health still had internet access.

The data breach has affected 1.5 million healthcare patients (a quarter of Singapore’s population) as well as Singapore’s Prime Minister.

How the breach unfolded

On 4 July the Integrated Health Information Systems (IHiS), which is responsible for running Singapore’s public healthcare institutions’ IT systems, noticed anomalies in the SingHealth network. The SingHealth database had been hacked. SingHealth is the largest healthcare group in Singapore. It comprises two tertiary hospitals, five national speciality centres and eight polyclinics.

The personal data had been accessed and stolen over an eight-day period, between 27 June and 4 July (when detected and fixed). The anomalies in the network were only picked up a week after the breach had occurred. Upon discovery, the breach was immediately contained, but the hackers had access to the data for a week without anyone being aware, enabling them to copy volumes of data in that time.

On 12 July, the authorities were informed of the incident and the investigation is ongoing.

An initial breach on a front-end workstation is believed to be the route of attack. The hackers gained access to privileged account credentials and subsequently gained access to the SingHealth database.

The information stolen comprises non-medical personal information of 1.5 million patients, including National Registration Identity Card number, address, gender, race and date of birth. Additionally, the outpatient records of 160,000 patients were compromised, including the details of outpatients’ dispensed medications. The data was not encrypted.

In a government press release, it was confirmed that no records were tampered with and no diagnoses, test results or doctors’ notes were breached. Additionally, no evidence was found to show that other public healthcare IT systems have been compromised.

Patients who visited SingHealth’s clinics between 1 May 2015 and 4 July 2018 are being notified of the breach and the possible compromise of their personal information.

Singapore’s Prime Minister is believed to be the target of the attack

The government has described the attack as “deliberate, targeted and well-planned”. There’s speculation that the attack may have been state-sponsored, as the information of Singapore’s Prime Minister, Mr Lee Loong, was specifically and repeatedly targeted. This information could be used to cause instability within the country. Meanwhile, the health data of 1.5 million Singapore citizens could end up for sale on the Dark Web.

Health data holds significant value

Health information has pronounced value and there is a very real probability that this data will end up for sale on the Dark Web.

Health data has grown in value and is a lucrative business for hackers, who reap high rewards from its sale. In recent months a Norwegian healthcare provider was attacked, impacting over half of Norway’s population, and MyHeritage, which provides ancestry and DNA testing services, was attacked, affecting 92 million users.

Not only is health data easy for hackers to monetise, it can also be used to build victim profiles for future attacks. Health data usually comprises a trove of personally identifiable information that, when combined, can be used to easily identify an individual. Unlike banking details (like account numbers) that can be changed, health data is lasting.

The healthcare industry is part of a country’s critical infrastructure and is, therefore, a very appealing target for hackers. Hackers will take greater risks to get their hands on health data.

Moving forward

This incident is another reminder that cyber attacks are inevitable no matter the organisation. Organisations need to be prepared. Organisations need to protect their systems and customer data and have a working response plan ready so that when faced with a breach incident—when and not if—the impact is limited and the recovery quick.

With regard to this attack, better detection tools may have helped to spot the anomalies sooner. However, if the data had been protected, then even with the hackers’ free rein to access and copy it for an entire week, the data would not have been accessible or of any use to them. The outcome would have been very different.

It’s important that organisations shift focus from only protecting the perimeter to a more data-focused approach. Hackers will do whatever it takes to get what they want. Layers of security from within are fundamental. Security by design is essential. Protecting the data is very necessary.

Additionally, we need to educate our people. In this incident, the hackers gained access through a front-end workstation, meaning users played a vital role.

The government organisation Singapore Computer Emergency Response Team (SingCERT) has advised all organisations to review their data security practices and data handling.

In the wake of the breach, SingCERT stated:

“Ensure that any sensitive data is encrypted, and limit access of employees and other stakeholders by their roles. Passwords that are stored should be encrypted.”

As health data is sought after, it’s vital that healthcare organisations, in particular, take the necessary actions to protect their customers’ sensitive and personal information. It is a target.

Access to the data should be controlled, limited and managed. All sensitive data should be encrypted and the keys properly protected and managed. So, even if the perimeter is compromised and access to systems gained, the data will remain secure and any breach of personal and sensitive data will be avoided.

News Source: BBC News, The Hacker News