Last week, the city-state of Singapore was rattled by revelations regarding a “deliberate, targeted and well-planned” cyber attack on the country’s largest healthcare group, SingHealth, which compromised the personal data of 1.5 million patients, including Singapore’s Prime Minister, Lee Hsien Loong, who was “specifically and repeatedly targeted.”
According to a joint press release from the Ministry of Communications and Information (MCI) and Ministry of Health (MoH), the breach, the largest in the nation’s history, affected patients who had visited SingHealth clinics between 1st May 2015 and 4th July 2018. The data in question includes patients’ names, addresses, gender, race, date of birth and national ID numbers. However, the records were not tampered with, amended or deleted.
Investigations by the Cyber Security Agency of Singapore (CSA) revealed that the attackers gained privileged access to the database by hacking one of SingHealth’s front-end workstations. Data was exfiltrated for about a week starting from 27th June 2018 before it was discovered and immediately halted by database administrators on 4th July 2018. The exact details of the breach are still being investigated.
CyberSecurity Asean has reached out to several security firms in the region to get their take on the incident. Here we compile what some of the experts have to say about the attack.
Olli Jarva, Managing Consultant, Software Integrity Group, Synopsys, pointed out that over the past few years, healthcare data has grown in value to the point that hackers are now willing to go the extra mile to obtain it.
He added that just like any other major organisation, large computer systems used by the healthcare industry are typically part of a bigger project developed and delivered by system integrators (third parties), where the supply chains can get complicated. Therefore from a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:
Lack of security resources, financial resources, and expertise, to correct this weakness.
Dealing with an extremely heterogeneous environment. While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software (such as those used to manage implantable pacemakers).
Systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs, but may not have uniform cyber security effectiveness. Electronic Health Records (EHRs) promise to help practitioners and patients by simplifying the sharing of information.
Alagesan Alagappan, Security Leader of IBM Malaysia, highlighted the findings of the 2018 Cost of a Data Breach Study by Ponemon Institute done for South East Asia, which states that heavily regulated industries such as healthcare have a per capita data breach cost substantially higher than the overall mean. The average per capita cost for a data breach in healthcare is US$408. Healthcare is more susceptible to churn at 6.7% because customers have high expectations.
He added, “When it comes to healthcare organisations and healthcare related data, there are a few steps and tips that we find helpful based on our experience in this particular sector:
According to Francis Prince Thangasamy, CenturyLink’s Vice President of IT Services & Managed Hosting for Asia Pacific, the big challenge is the ever-evolving cybersecurity environment in today’s digital age, and this level of risk is especially heightened in Singapore’s globalised economy. As the healthcare industry undergoes digital transformation, the borders between networks are becoming more porous, making it difficult to track the movement of private patient data. The introduction of IoT devices like smartphones, tablets and healthcare equipment further increases the “surface of attack”.
As IoT services continue to be rolled out globally, enterprises, government services and networks have become interconnected through billions of connected devices worldwide. A single successful cyber-attack on any part of the ecosystem can open up access to the entire network and sensitive data within and beyond the organisation or country, making it complex to manage and secure. In this context, the concept of a security perimeter can be difficult to define.
Mitigating the vulnerabilities that arise through digital transformation takes more than just having the right malware detection tools. These kinds of breaches further emphasise the complexity and speed at which threats are growing. They are a signal to organisations that they need a proactive security posture that helps monitor, detect, and respond to emerging threats.
In light of this, security technologies need to be supported by a threat intelligence network that can help keep track of and anticipate future attacks. It is also essential to move beyond traditional measures and utilise proactive monitoring systems—such as User Entity Behavior Analytics (UEBA)—to detect and respond to cyber-attacks rapidly as the different layers of security get compromised. With significant threats now occurring close to home, the government can also look towards partnering with the wider tech and cybersecurity ecosystem. This collaborative approach brings together talent from a diverse pool of expertise to come up with effective solutions.
We also contacted Adam Meyers, CrowdStrike’s VP of Intelligence, who said, “At CrowdStrike, we see the healthcare sector being an increasingly targeted vertical by sophisticated state-sponsored and cybercriminal threat groups, including BOSS SPIDER, OVERLORD SPIDER, and numerous nation-state threat actors, particularly those operating out of the People’s Republic of China (PRC).”
“Healthcare organisations should look at their overall cybersecurity posture and be on high alert for tactics known to be used by adversaries. Security teams should do more than rely on their security tools to spot intrusions; they should also be actively monitoring for threats and utilising threat intelligence streams to detect, react, respond and remediate faster. CrowdStrike recently disclosed a new cyber metric - “breakout time”, that is, the time an attacker needs to move laterally across the network and be in a position to carry out their objectives. In 2017, “breakout time” was 1 hour and 58 minutes - defenders have that long to stop an incident before it turns into a breach,” he explained.
However, even though attacks are becoming increasingly common, perpetrators are realising that more often than not, victims have not taken the necessary cyber-safety precautions, and are hence vulnerable to such attacks, said Naveen Bhat, Managing Director, Asia Pacific, Ixia Solutions Group, Keysight Technologies.
Naveen highlighted the importance of training employees on good security practices. “Despite numerous prior attacks which have been covered in the press, many organisations still adopt a ‘wait and see’ approach. Every organisation which stores customer data and/or confidential information should take proactive steps to train their staff to guard against such attacks. This training should cover social engineering, penetration testing, and network testing. This training is best repeated periodically. In addition, organisations should adopt strong security defences – besides the implementation of enterprise cybersecurity networks, IT personnel should have the latest tools and training facilities to keep their skills honed.”
The data breach also became a talking point at Symantec Vision Malaysia 2018 in Kuala Lumpur, where Sanjay Rohatgi, Symantec’s Senior Vice President for APAC, echoed Adam Meyers’ comment about the rising threat of cybercriminal groups and lauded the Singapore government for standing up and acknowledging the breach. He continued, “If it can happen to them, it can happen to us here as well. The cyber attackers, the hacker or hacktivist community is getting very, very smart. They’re not individual hackers anymore. They are criminal gangs. They’re a fully operational industry now in some parts of the world, and no industry is spared.”
He went on to say that acknowledging and reporting a breach is critical because that’s how the community is able to learn and be better prepared to detect and effectively respond to threats.
Also present at the event was the CEO of CyberSecurity Malaysia, Dato' Dr. Haji Amirudin Abdul Wahab, who mentioned that data breaches are now a global phenomenon, with similar cases having been exposed in Malaysia involving local telcos and broadcasters in recent times. Whether they like it or not, organisations have to be ready for it because technology is a double-edged sword.
His advice for companies looking to fortify their cyber defences: “Don’t look only from the aspects of technology. Technology is critical, but it is just one component. You have to look beyond technology. You have to look on the people side, the processes and the policies, even. If you think just buying the best tools is going to save you from being breached, you’re wrong. Cyber security needs to be looked at from a holistic perspective.”