SingHealth hack 'worrying' for Singapore but govt response lauded

Cybersecurity experts praise government's disclosure and follow-up actions on breach of data for 1.5 million patients

Published Fri, Jul 20, 2018 · 09:50 PM

Singapore

CYBERSECURITY experts praised the government's swift response to the cyberattack on SingHealth, but noted that it is "worrying" for Singapore's Smart Nation drive and industries that rely heavily on public confidence.

In what is Singapore's worst cyber attack so far, hackers infiltrated the computers of SingHealth and stole the personal particulars of 1.5 million patients. Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescriptions stolen as well. SingHealth is Singapore's largest group of healthcare institutions with four hospitals, five national speciality centres and eight polyclinics.

At a multi-ministry press conference on Friday, the authorities said PM Lee's information was "specifically and repeatedly targeted".

Richard Ford, chief scientist at information security firm Forcepoint, told The Business Times the incident is a "worrying reminder" of the vulnerabilities present in a digitally-connected workforce and an endless data sprawl. "The healthcare industry is particularly vulnerable in a Smart Nation like Singapore as there is complex collaboration between multiple medical specialists working for different organisations and interacting using disparate IT systems."

Linda Martin, director and general manager of RSA Conferences (a series of cybersecurity conferences), added: "The scenario is worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk."

She told BT that governments may also fall foul of such attacks as critical data repositories are altered. "With a growing focus on integrating medtech, fintech and govtech as a part of our Smart Nation drive, local organisations must guard against the possibility of these attacks hitting our shores."

Tan Shong Ye, a partner at PwC, noted that the Singapore government "responded swiftly" to the incident, including convening a Committee of Inquiry (COI) to look into the cyberattack and find ways to better secure public sector IT systems. "It is good that action was taken immediately after the threat was detected to minimise the risk of further data exfiltration."

Initial investigations showed that a SingHealth front-end workstation was infected with malware through which the hackers gained access to the database. The data theft took place between June 27 and July 4.

Unusual activity was first detected on July 4 on one of SingHealth's IT databases. Security measures, including the blocking of dubious connections and changing of passwords, were taken to thwart the hackers. On July 10, the Health Ministry (MOH), SingHealth and the Cyber Security Agency of Singapore were informed after forensic investigations confirmed that it was a cyber attack. A police report was made on July 12.

No further data has been stolen since July 4.

Among the actions taken by SingHealth was its imposition of a temporary Internet surfing separation on all of its 28,000 staff's work computers. (Other public healthcare institutions will do the same.)

The SingHealth group of healthcare institutions includes Singapore General Hospital and KK Women's and Children's Hospital.

Leonard Kleinman, chief cybersecurity adviser for the Asia-Pacific and Japan at RSA Conferences, told BT: "Medical data contains a trove of information, from personally identifiable data to financial details, that can be used to create a highly sought-after composite of an individual."

He added that on the Dark Web, such data can fetch a high price, with each entry selling for US$50-US$100 higher than stolen credit card data. Going by the 2017 Cost of Data Breach Study by Ponemon, a stolen healthcare record fetches US$408.

"We may also not necessarily see the fallout of such incidents happen immediately, as it could take months for the data to be first sold, then used. Given the nature of this attack, it is hard to say exactly what the end game is, especially when the attackers haven't identified themselves."

Eric Hoh, president for the Asia-Pacific at Nasdaq-listed cybersecurity company FireEye, said that many businesses and governments in South-east Asia face cyber threats, but few grasp the scale of the risks posed. "Singapore ranks among the leaders in cybersecurity, and we'd like to see more governments follow their lead in disclosing breaches. Disclosure enables other organisations to take steps to improve their defences against similar attacks."

Notably, the patient records stolen from SingHealth were not tampered with (ie, amended or deleted), and no other patient records - such as diagnoses, test results or doctors' notes - were breached, said MOH and Ministry of Communications and Information (MCI).

This was a "deliberate, targeted and well-planned" cyberattack, MOH and MCI said on Friday at the press briefing.

"It was not the work of casual hackers or criminal gangs."

Wong Onn Chee, chief technology officer of security firm Resolvo, stressed that when it comes to cybersecurity, it is "not a matter of if, but when". He said: "With cyber attackers getting better-skilled by the day, it's not surprising to see breaches happen despite our best efforts."

What is important, he said, is the country's cyber defences and the way it responds to cyber incidents and recovers from them. "Our future as a Smart Nation will depend on the way we protect, detect and respond to cyber threats."

Mr Lee on Friday said as much. In a Facebook post on the SingHealth cyberattack, the Prime Minister said: "Government systems come under attack thousands of times a day. Our goal has to be to prevent every single one of these attacks from succeeding. If we discover a breach, we must promptly put it right, improve our systems, and inform the people affected."

Mr Lee added that when SingHealth digitised their medical records, they had asked if he wanted to computerise his own personal records or keep his records in hardcopy for security reasons. "I asked to be included. Going digital would enable my doctors to treat me more effectively and in a timely manner. Of course, I also knew that the database would be attacked, and there was a risk that one day despite our best efforts it might be compromised. Unfortunately that has now happened."

Despite that, Mr Lee said: "We cannot go back to paper records and files. We have to go forward, to build a secure and Smart Nation."
