Monday, 23 July 2018

Commenters weigh in on SingHealth cyberattack

The Ministry of Communications and Information, Singapore (MCI) and the Singapore Ministry of Health (MOH) announced last week that SingHealth’s database, containing patient personal particulars and information on their outpatient-dispensed medicines, had been targeted by cybercriminals.

SingHealth is Singapore's largest healthcare group, with major hospitals, specialty centres, and polyclinics under its purview. According to MCI and MOH, some 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 had their non-medical personal particulars illegally accessed and copied.

The data taken include name, NRIC number (national identity number), address, gender, race and date of birth. Information on the outpatient-dispensed medicines of about 160,000 of these patients was also taken. According to the announcement, no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached.

MCI and MOH said they have not found "evidence of a similar breach in the other public healthcare IT systems".

Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information Systems (IHiS)* revealed that the attack was deliberate, targeted and well-planned. "It was not the work of casual hackers or criminal gangs," they said in a statement.

On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity, while putting in place additional cybersecurity precautions.

On 10 July 2018, investigations confirmed that it was a cyberattack, and the Ministry of Health (MOH), SingHealth and CSA were informed. It was established that data was exfiltrated (stolen) from 27 June 2018 to 4 July 2018. CSA has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. It was also highlighted that the attackers "specifically and repeatedly targeted" Singapore PM Lee Hsien Loong’s personal particulars and information on his outpatient-dispensed medicines.

Upon discovery, the breach was immediately contained, preventing further illegal exfiltration. With heightened monitoring, further malicious activities were observed. However, no further illegal exfiltration has been detected since 4 July 2018. All patient records in SingHealth’s IT system remain intact. There has been no disruption of healthcare services during the period of the cyberattack, and patient care has not been compromised.

IHiS, with CSA’s support, has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing Internet surfing separation - the computers used for going online are not connected to the computers that handle SingHealth data.

The government has also placed additional controls on workstations and servers, reset user and systems accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector. SingHealth also lodged a police report on 12 July 2018. A police investigation is ongoing.

SingHealth has been contacting patients who visited its specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 to notify them if their data had been illegally exfiltrated. All the patients, whether or not their data were compromised, will receive an SMS notification within five days of 20 July. Patients can also access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

MOH has directed IHiS to conduct a thorough review of Singapore's public healthcare system, with support from third-party experts, to improve cyberthreat prevention, detection and response. Areas of review will include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities. Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken. The Minister-in-Charge of Cyber Security will also establish a Committee of Inquiry to conduct an independent external review of this incident.

Compromises are common

“Such situations are worryingly common amongst many companies that we speak to,” said Eugene Lee, Director of Business Development at Connectivity Global, a Singapore cybersecurity startup, on the news that a compromised workstation had led to the breach at SingHealth.

“With e-mail being such an established tool for communication among businesses and reaching all levels of employment, hackers can easily access confidential information or install ransomware in companies' servers through unsuspecting employees on front end devices. Companies have had their entire systems compromised, simply because their receptionist clicked on a malicious link in their email by accident or one of their interns' emails was hacked.”

Challenges for the healthcare industry

Olli Jarva, Managing Consultant, Software Integrity Group, Synopsys, said that healthcare and medical data are now more valuable than credit card or financial information. He said, "From a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:

- Lack of security resources, financial resources and expertise to correct this weakness.

- An extremely heterogeneous environment. While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like magnetic resonance imaging (MRI) and computer tomography (CT) scanners, and treatment software, such as those used to manage implantable pacemakers.

- Systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs, but which may not have uniform cybersecurity effectiveness."

What victims should do

Paul Ducklin, Senior Technologist at Sophos, said, “The data stolen in this breach is an identity thief's goldmine. It's a startling reminder to all Singaporeans that there is no such thing as 'cyberattackers would never care about little old me' – once your data is scooped up in a cybersecurity blunder of this sort, you simply can't control where it will go next. Anyone affected in this breach has no choice but to assume that their personal information will end up for sale in the cyber underground, ready for active abuse by cybercrooks.”

Ducklin recommended victims:

- Keep a careful watch over all their financial statements – bank accounts, payment cards, loans, pension funds, taxation records and so on, and report any suspicious activity immediately.

- Talk to financial institutions about locking down account details in order to make it harder for cybercriminals to try to take over accounts or to apply for services in their name.

- Be suspicious of unsolicited communications that arrive in the wake of this breach that offer help or ask for further details "to assist in the investigation." "Social engineers and scammers are experts at preying on people's fears (and their willingness to help) after security incidents of this sort," Ducklin said.

- Ignore contact information, web links or phone numbers that have been sent online, as these may be fake. "Look for contact information on existing invoices, on printed correspondence you received in the past, or by visiting an organisation's office in person," he advised.

"Whether this was a lone hacker who got lucky, a well-oiled cybercrime gang or a state-sponsored attack team you won't get your personal data back, and it won't change the fact that you can't control who gets it next. Keep your own eyes open for any attempt to abuse your personal data in the future," said Ducklin.

Implications of an attack

Like Ducklin, Linda Gray Martin, Director & GM, RSA Conference, said that attacks are going to be a given, whether at the national or enterprise level. "Cybercriminals now have access to a variety of nation-state toolkits on the Dark Web. It is only a matter of time before they begin launching large-scale campaigns of their own. No government can keep criminals off the Internet and no company can pre-empt the entire spectrum of threats, from automated attacks to sophisticated ones that lie low in networks, invisible to security teams," she said.

"With a growing focus on integrating medtech, fintech and gov tech as a part of our Smart Nation drive, local organisations must guard against the possibility of these attacks hitting our shores."

While the SingHealth databases were not deleted or edited, Martin noted that industries that rely heavily on public confidence could be affected badly after a cyberattack. "A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk. Governments may also fall foul of such attacks as critical data repositories are altered," she said.

"Increasingly, cybersecurity conversations are not just for CIOs, CISOs and IT managers. The rest of the C-suite, government officials and citizens need to come together to strengthen the Asia-Pacific and Japan region's (APJ’s) cybersecurity posture."

"It is not a matter of ‘if’ you will be breached but ‘when’. Having a crisis-response team ready ensures that organisations can return to normal operations as soon as possible," she added.

Invest in security by design

"When we are designing and building the systems to be resilient for cyberattacks, we have to start building security from within, rather than only relying on perimeter defence. This means that before a single line of code is written, we have already started to map down our potential security problems from the design standpoint," said Jarva.

"Application security problems can be divided into two parts, flaws and bugs. To catch most of these software security problems, we need to identify them early on so that they would not come back to haunt us later on. We have to stay vigilant when it comes to understanding how and what kind of data we are protecting, where it is located, and what kind of security controls we have in place to protect it.

"We need to 'shift-left' with our thinking when it comes to security and tackle those issues earlier on in our software development lifecycle. If we leave these problems for later, the cost of fixing and reacting to breaches would be extremely costly and the effects may be devastating."

The upcoming RSA Conference in Singapore is expected to bring together the public sector, private sector and academia to discuss and collaborate on safeguarding their organisations’ critical assets.

*Integrated Health Information Systems (IHiS) is the technology agency for the public healthcare sector. It runs public healthcare institutions’ IT systems.
