News broke earlier today that a major cyberattack on Singapore’s government health database stole the personal information of about 1.5 million people, including Prime Minister Lee Hsien Loong.
In response to this news, IT security experts commented below.
Ramon Vicens, CTO at Blueliv:
“It may be some time before we know exactly how the hackers got into the Singaporean government health database, but the attackers might have used targeted malware, exploited an infrastructure vulnerability or misconfigured system, or even used a simple phishing attack against an unsuspecting employee. Once inside, advanced cybercriminals can move laterally, placing backdoors, Remote Access Trojans and other malware to become persistent and exfiltrate data to resell or utilise for their own financial gain.
We have long expected organisations considered ‘data brokers’ to be targeted by cybercriminals – that is, any organisation holding PII (Personally Identifiable Information) – and especially after the high-profile breaches we saw last year (Equifax and Deloitte to name just two). Finding out where the vulnerabilities are in advance of an attack, or at the very least identifying where the stolen data has gone in real-time when a breach happens, can mitigate the potential damage.
Addressing the cyberskills gap is a crucial issue that must be addressed worldwide. Unfortunately, public sector institutions are often among the last to catch up. Under no circumstances should an IT or security team be the only group within an organization that knows how to identify potentially malicious activity. The ability to recognise when you might be compromised can save a huge amount of pain and financial loss before, during and after an attack.”
Lee Munson, Security Researcher at Comparitech.com:
“Every breach, of any size, has the potential to compromise people and cause them real harm, either financially or in other ways.
A health breach, such as the stolen government database in Singapore, can cause the worst type of harm though, given that it is likely to contain not only regular personal data, such as names, addresses and telephone numbers, but also very sensitive information about health issues.
Not only does the leaking of such data cause potential embarrassment and provide the opportunity for convincing spear-phishing attacks, it can also play havoc with insurance quotes and renewals, as well as all the associated emotional stress that goes hand in hand with each of those things.”
Matt Aldridge, Senior Solutions Architect at Webroot:
“This significant attack highlights why defences in this industry must be robust. Patient data is very valuable to hackers, with the stolen information often used to commit further crimes, like identity theft and we simply can’t afford to keep letting the bad guys gain access to critical systems. Health data is incredibly important to people, and is far more ‘personal’ than other information. In addition, restricting access to machines following an incident can negatively impact ongoing patient care.
To meet the challenge of securing the increasing amount of data generated and shared across healthcare networks, organisations need to take a proactive stance with regard to cybersecurity. Firstly, the sector should work together in a collaborative fashion to identify and address existing vulnerabilities. Additionally, staff training to recognise threats should be high on the list to enable people to recognise attacks. Finally, as attackers constantly develop and deploy new technologies to help them access private data, so healthcare organisations should improve their cybersecurity arsenal with the best technology to keep them safe. Smart capabilities, such as machine learning, can be used to intelligently deliver threat protection and help detect and stop attacks, particularly on a large scale. A combination of an intelligent and well defined approach to security and making use of the latest defence technologies can go a long way to helping keeping patient data safe.”
Olli Jarva, Managing Consultant at Synopsys:
Value of Healthcare and Medical Data now more valuable than credit card or financial information
The healthcare data breach outlines a new reality. Today, we are beginning to see a new and scary fact – healthcare data has grown its value such that hackers are now willing to go the extra mile to obtain it. This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers. Are healthcare providers aware of the value of the data they are storing?
Time to build security into applications that store healthcare data
Today’s news pointed out that “Unusual activity was first detected on July 4, 2018, on one of the SingHealth’s IT databases”. When we are designing and building the systems to be resilient for cyber-attacks, we have to start building security from within, rather than only relying on perimeter defence. This means that before a single line of code is written, we have already started to map down our potential security problems from the design stand point. Application security problems can be divided to two parts, Flaws and Bugs. To catch most of these software security problems, we need to identify them early on so that they would not come back to haunt us later on. We have to stay vigilant when it comes to understanding how and what kind of data we are protecting, where it is located, and what kind of security controls we have in place to protect it. We need to “Shift-left” with our thinking when it comes to security and tackle those issues earlier on in our Software Development Lifecycle. If we leave these problems for later, the cost of fixing and reacting to breaches would be extremely costly and the effects may not devastating.
Complex Supply chains
Typically large computer systems are part of a bigger project developed and delivered by System Integrators (third parties), where the supply chains can get complicated. This compounds the challenge to manage security, as different parts of the system may have different third-party software components and inherent vulnerabilities, and often, may not be properly identified and patched early enough. This isn’t a challenge that is unique to healthcare, it is a challenge that every large organisation goes through.
Challenges in Healthcare industry in overall
When it comes to cyber security challenges in the healthcare industry, it is a different environment to defend and secure.
From a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:
- Lack of security resources, financial resources, and expertise, to correct this weakness.
- Dealing with an extremely heterogeneous environment. While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software (such as those used to manage implantable pacemakers).
- Systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs, but may not have uniform cyber security effectiveness. Electronic Health Records (EHRs) promise to help practitioners and patients by simplifying the sharing of information.
In response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force (2017).
This taskforce came up with 6 recommendations that healthcare organizations should be considering:
1: Define and streamline leadership, governance, and expectations for cyber security in the healthcare industry.
2: Increase the security and resilience of medical devices and health IT.
3: Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4: Increase healthcare industry readiness through improved cybersecurity awareness and education.
5: Identify mechanisms to protect R&D efforts and intellectual property (IP) from attacks or exposure.
6: Improve information sharing of industry threats, risks, and mitigations.
Simon Cuthbert, Head of International at 8MAN:
“This breach is just another example of a health authority failing to protect their most important asset – data. Reports state this was a well-planned attack targeting 1.5 million people, a quarter of the population of Singapore. The repercussions will likely be extensive in terms of financial damage, reputational damage and customer loyalty. It will be interesting, and noteworthy, to see how the authorities in Singapore respond to this breach under the PDPA (Personal Data Protection Act) the Malaysian equivalent to the EU GDPR legislation. As with the new EU GDPR legislation there is the risk of high fines but also the possibility of imprisonment up to 12 months in Singapore. This will be a significant blow to the wealthy city which prides itself on its stability and security.”
Fraser Kyne, EMEA CTO at Bromium:
“This is a very serious breach given the sensitivity of the data accessed, and the sheer volume of records. It appears the initial infection came through a single user endpoint being infected with malware, which then worked its way through the network. This once again highlights how today’s cybersecurity is a house of cards – it just takes one person to click on the wrong thing for the whole thing to come crashing down. Only when we admit that we cannot detect and stop threats, and instead start focusing on minimising harm, can we ever hope to disrupt hackers. The simple fact is that if the endpoint was isolated, then the hacker would have had nowhere to go and nothing to steal.
“Yet it also highlights the fact that we can no longer trust our networks or most of our endpoints. Hackers will inevitably find a way in. Air-gapping can be an effective solution, but it is impractical when you have multiple employees trying to access a business critical application. Instead, we need to shrink protection to application level. By protecting applications that store our most sensitive and critical data, even if the device or network is compromised, that application cannot be touched as it will be invisible to the device and network.”
James Hadley, CEO & Founder at Immersive Labs:
“A breach of any type can never be underestimated, however, as this incident has resulted in the loss of health records the consequences could be devastating for individuals. It is no longer acceptable to stick with traditional means of security, and leave the protection of data down to those seen to be elite in the field. Every organisation, from businesses to hospitals, must create a cyber skilled workforce, to ensure they are ahead of the bad guys and make breaches like this more difficult to come by. Taking on cyber security skills at this kind of scale should be a major priority.”
Jake Moore, Security Specialist at ESET:
“Data is stolen for many reasons, some financial, some personal and some to form the basis of future targeted type attacks, in this instance although it may seem like a targeted attack it may well have been an opportunistic attack that reaped rewards beyond the attackers original intentions, medical data can form a very good solid basis for future attacks, we often get very sensitive about our illnesses and ailments and any communication from seemingly confidential sources will usually form a basis of a successful attack, protecting this type of data is often difficult through budget or even technical capabilities, budgets for protecting financial or corporate data are often way higher than health or medical. But the advice is always the same, always question your communication, even if you’re expecting it, check thoroughly to ensure its genuine and do not be afraid to double check or confirm sources, no legitimate business or company will mind if you help them become a safer partner. These sorts of attacks are increasing and security needs to be increased especially when protecting personal and confidential information.”
Andy Norton, Director of Threat Intelligence at Lastline:
“It’s not difficult to see how a Nation State might benefit significantly from discovering the medication of the Singaporean Prime Minister and in the process, expose 1.5 million additional victims as collateral damage.
If assessing the health of political heavyweights in South East Asia is indeed a strategy of a nation state actor, then when the cyber security agencies of Singapore release more details of the attack, we should see repeated indicators in other countries.”
Javvad Malik, Security Advocate at AlienVault:
“For now it is unclear who is responsible for the breach or how it was undertaken.
But it does drive home the importance for all companies across all verticals, particularly those which deal with personal data of any kind to have effective threat detection and incident response controls in place so that any such breaches can be detected quickly and stopped from turning into a large incident.”