Security experts chime in on Singapore’s historic data breach

Was there a way to prevent this attack?
Ng Teng Fong General Hospital in Singapore

Ng Teng Fong General Hospital in Singapore

As the dust settles on what was Singapore’s largest-ever data breach, everyone has an opinion, from concerned citizens to security experts, to government officials.

Was there a way to prevent this attack? What will happen to the stolen data? How can such an attack be prevented from happening in the future?

Since the attack was made public, security experts have chimed in with their thoughts.

How valuable is healthcare data?

How valuable was the data stolen? From what Channel Asia understands, 1.5 million patients in total were affected by the SingHealth data breach, of those 160,000 patients had details related to outpatient dispensed medicines stolen.

The somewhat “good” news, however, is that no records appeared to be tampered with, from what Channel Asia currently understands.

Healthcare data can be extremely valuable with hackers willing to go the extra mile to obtain it, but are healthcare providers aware of the value of the data they are storing?

“This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers,” said Olli Jarva, managing consultant, Software Integrity Group, Synopsys.

"Medical data contains a trove of information – from personally identifiable data to financial details – that can be used to create a highly sought-after composite of an individual,” said Leonard Kleinman, chief cyber security advisor of APJ at RSA.

"As it [medical data] could contain any amount and level of information, healthcare institutions are among the most sought-after industries by criminals who can be motivated by a multitude of possible reasons,” added Kleinman.

How much can such data cost? According to Kleinman entry data can be sold for $50 - $100 higher than stolen credit card data.

"According to the 2017 Cost of Data Breach Study by Ponemon Institute, a lost/stolen healthcare record fetches US$408,” said Kleinman.

It is too early to know the true cost of such an attack, and it could be months, sometimes years, before Singaporeans are affected by it.

"Given the nature of this attack, it is hard to say exactly what the end game is, especially when the attackers have not identified themselves,” said Kleinman.

The unfortunate truth is however, that such events are not uncommon, and the fact of the matter is there is no easy fix.

“Having better visibility into the enterprise IT environment is a fundamental first step,” said Kleinman.

“It is going to take a concerted, ongoing effort by hospitals, healthcare practitioners, contractors, legislators and even patients themselves, to ensure that the future of healthcare data is a secure one,” added Kleinman.

How did Singapore do by international standards?

It appears that by international standards, Singapore did extremely well in detecting the attack and reporting it in a timely manner.

"We have to accept that sophisticated, deliberate cyber-attacks such as these are now a part of reality,” said Sanjay Aurora, managing director of Asia Pacific at Darktrace. "For SingHealth to have detected, investigated and reported this incident within a month is a comparative success.

"How many other countries around the world are capable of even detecting this attack within a month, let alone able to conduct a full investigation in this short time period?"

From Aurora’s perspective, the hackers only got the “equivalent of a phone book”, however, admitted support will be needed for the 160,000 medicinal details stolen.

A more pressing question is what the hackers intend to do with the data they have stolen? Any guess at this time is speculation, but history shows a few possibilities, one being a profit motive, with medical information fetching a heavy price on the dark web.

However, from what Channel Asia understands, this breach was not the work of a criminal gang, but the most likely scenario appears to be the involvement of a state actor.

If it was indeed the work of a state actor, then a more sinister reason might be to blame.

"A more sinister reason to attack would be to cause widespread disruption and systemic damage to the healthcare service – as a fundamental part of critical infrastructure – or to undermine trust in a nation’s competency to keep personal data safe,” said Aurora.

Aurora describes healthcare networks as “digital jungles” with well-resourced attackers able to take the time and effort to conduct low and slow attacks to discover vulnerabilities, often silently exploiting them over long periods of time.

“Once their work is done, they are expert in covering their tracks, making attribution extremely difficult,” added Aurora.

“On the whole, Singapore has a very good security posture and a number of Singaporean organisations are embracing the latest AI technologies to detect threats already on the inside and keep their systems safe against these inevitable attacks,” said Aurora.

What more can be done?

One possibility is to build security into the applications that store healthcare data, according to Jarva from Synopsys.

“When we are designing and building the systems to be resilient for cyber-attacks, we have to start building security from within, rather than only relying on perimeter defence,” said Jarva.

“This means that before a single line of code is written, we have already started to map down our potential security problems from the design standpoint."

Read more on the next page...

Page Break

Jarva sees application security problems divided into two parts, flaws and bugs.

“To catch most of these software security problems, we need to identify them early on so that they would not come back to haunt us later on,” said Jarva.

"We have to stay vigilant when it comes to understanding how and what kind of data we are protecting, where it is located, and what kind of security controls we have in place to protect it."

Jarva advised tackling those issues earlier in the software development life cycle, rather than later, which can be costly to fix later on.

Healthcare IT systems are usually large, complex systems, involving many parts, which can increase the difficulty of managing security in a controlled manner, as different parts of the system may have different third-party software components and inherent vulnerabilities, “and often, may not be properly identified and patched early enough,” said Jarva.

“This is not a challenge that is unique to healthcare, it is a challenge that every large organisation goes through."

In fact, the healthcare sector shares the same shortcomings as other enterprises, but with additional challenges, such as a lack of security resources, financial resources, and expertise, to correct this weakness, though this may not be as big a problem in Singapore as it is in other countries, but it is still a challenge nonetheless.

Another challenge is the environment healthcare systems operate in can be extremely heterogeneous, with laptops, IT servers, and a multitude of connected devices such as drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software (such as those used to manage implantable pacemakers).

Due to the size of the healthcare sector, not all systems connected well with each other, but Singapore has been working to standardise information flow across the sector with its  electronic health records initiative.

What to do next?

Paul Ducklin, senior technologist at Sophos has some advice to those affected by this data breach on what to do next.

"The data stolen in this breach is an identity thief's goldmine,” said Ducklin.

"It is a startling reminder to all Singaporeans that there is no such thing as 'cyber attackers would never care about little old me' – once your data is scooped up in a cyber security blunder of this sort, you simply cannot control where it will go next.

"Anyone affected in this breach has no choice but to assume that their personal information will end up for sale in the cyber underground, ready for active abuse by cyber crooks."

What does Ducklin recommend? Firstly, keep a careful watch over all financial statements, such as bank accounts, payment cards, loans, pension funds, taxation records and so on, and report any suspicious activity immediately.

The next step would be to talk to financial institutions about locking down account details in order to make it harder for cyber criminals to try to take over accounts.

Also, users must be on the lookout for unsolicited communications that arrive in the wake of this breach offering any sort of help or asking for further details "to assist in the investigation."

Lastly, Ducklin advised users to not use contact information, web links or phone numbers that were sent online, instead look for contact information on existing invoices, on printed correspondence received in the past, or by visiting an organisation's office in person.

"Whether this was a lone hacker who got lucky, a well-oiled cyber crime gang or a state-sponsored attack team you will not get your personal data back, and it will not change the fact that you cannot control who gets it next,” said Ducklin.

“Keep your own eyes open for any attempt to abuse your personal data in the future."

Importance of collaboration

There are Singaporeans who have put the Singapore government on blast for such an attack, calling for resignations. However, by international standards, they have done extremely well so far.

What happens next is crucial. It is important a full independent investigation takes place and the government learns from this breach and takes concrete action to ensure a similar breach does not occur again.

Singapore will continue on its quest to be the world’s first smart nation, with Lee Hsien Loong - Singapore’s Prime Minister - restating his commitment in the wake of the attack, who was also personally affected by this breach.

"With a growing focus on integrating MedTech, FinTech and GovTech as a part of our Smart Nation drive, local organisations must guard against the possibility of these attacks hitting our shores,” added Linda Gray Martin, director and general manager of RSA Conferences.

"The scenario is worrying for industries that rely heavily on public confidence. A laboratory that cannot vouch for the fidelity of medical test results, or a bank that has had account balances tampered with, are examples of organisations at risk.

"No government can keep criminals off the internet and no company can pre-empt the entire spectrum of threats, from automated attacks to sophisticated ones that lie low in networks, invisible to security teams."

As such, it is important we not operate in silos can we work together to secure our networks, “increasingly, cyber security conversations are not just for CIOs, CISOs and IT managers,” said Martin.

“The rest of the C-suite, government officials and citizens need to come together to strengthen APJ’s cybersecurity posture,” added Martin.

Martin explained the critical importance of having a crisis-response team ready ‘when’, not ‘if’, a breach occurs.

“Incident response is also very much a mandatory capability in today’s connected, globalised economy – something many in the practitioner community agree on,” said Martin. “It is not a matter of ‘if’ you will be breached but ‘when’."

“Having a crisis-response team ready ensures that organisations can return to normal operations as soon as possible."