A major cyberattack on a Singapore healthcare database – resulting in the breach of more than one million patient details – has prompted industry experts to issue advice on best cybersecurity practice for those in the industry.
The SingHealth’s database which was targeted contained patient personal particulars and outpatient dispensed medicines.
In a statement, the Singapore Ministry of Health said about 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from May 1 2015 to July 4 2018 have had their non-medical personal particulars illegally accessed and copied.
The data taken includes name, NRIC numbers, address, gender, race and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated.
The statement said the records were not tampered with (no records were amended or deleted) and no other patient records, such as diagnosis, test results or doctors’ notes, were breached.
“We have not found evidence of a similar breach in the other public healthcare IT systems,” the statement said.
“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs.”
The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines, it added.
Commenting on the breach, Fraser Kyne, EMEA CTO at Bromium, said: “This is a very serious breach given the sensitivity of the data accessed, and the sheer volume of records. It appears the initial infection came through a single user endpoint being infected with malware, which then worked its way through the network. This once again highlights how today’s cybersecurity is a house of cards – it just takes one person to click on the wrong thing for the whole thing to come crashing down.
“Only when we admit that we cannot detect and stop threats, and instead start focusing on minimising harm, can we ever hope to disrupt hackers. The simple fact is that if the endpoint was isolated, then the hacker would have had nowhere to go and nothing to steal.
“Yet it also highlights the fact that we can no longer trust our networks or most of our endpoints. Hackers will inevitably find a way in. Air-gapping can be an effective solution, but it is impractical when you have multiple employees trying to access a business-critical application.
“Instead, we need to shrink protection to application level. By protecting applications that store our most sensitive and critical data, even if the device or network is compromised, that application cannot be touched as it will be invisible to the device and network.”
Meanwhile, Olli Jarva, Managing Consultant at Synopsys’ Software Integrity Group, has provided commentary on cybersecurity and healthcare.
Value of healthcare and medical data now more valuable than credit card or financial information
The healthcare data breach outlines a new reality. Today, we are beginning to see a new and scary fact – healthcare data has grown its value such that hackers are now willing to go the extra mile to obtain it. This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers. Are healthcare providers aware of the value of the data they are storing?
Time to build security into applications that store healthcare data
It was pointed out that ‘unusual activity was first detected on July 4, 2018, on one of the SingHealth’s IT databases’. When we are designing and building the systems to be resilient for cyberattacks, we have to start building security from within, rather than only relying on perimeter defence.
This means that before a single line of code is written, we have already started to map down our potential security problems from the design stand point. Application security problems can be divided to two parts, flaws and bugs.
To catch most of these software security problems, we need to identify them early on so that they would not come back to haunt us later on. We have to stay vigilant when it comes to understanding how and what kind of data we are protecting, where it is located, and what kind of security controls we have in place to protect it. We need to ‘shift-left’ with our thinking when it comes to security and tackle those issues earlier on in our software development lifecycle. If we leave these problems for later, the cost of fixing and reacting to breaches would be extremely costly and the effects devastating.
Complex supply chains
Typically, large computer systems are part of a bigger project developed and delivered by system integrators (third parties), where the supply chains can get complicated. This compounds the challenge to manage security, as different parts of the system may have different third-party software components and inherent vulnerabilities, and often, may not be properly identified and patched early enough. This isn’t a challenge that is unique to healthcare, it is a challenge that every large organisation goes through.
Challenges in healthcare industry in overall
When it comes to cybersecurity challenges in the healthcare industry, it is a different environment to defend and secure.
From a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:
- Lack of security resources, financial resources, and expertise, to correct this weakness.
- Dealing with an extremely heterogeneous environment. While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software (such as those used to manage implantable pacemakers).
- Systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs but may not have uniform cyber security effectiveness. Electronic Health Records (EHRs) promise to help practitioners and patients by simplifying the sharing of information.
