Ng Teng Fong General Hospital in Singapore
As the dust settles on what was Singapore’s largest-ever data breach, everyone has an opinion, from concerned citizens to security experts, to government officials.
Was there a way to prevent this attack? What will happen to the stolen data? How can such an attack be prevented from happening in the future?
Since the attack was made public, security experts have chimed in with their thoughts.
How valuable is healthcare data?
How valuable was the data stolen? From what Channel Asia understands, 1.5 million patients in total were affected by the SingHealth data breach, of those 160,000 patients had details related to outpatient dispensed medicines stolen.
The somewhat “good” news, however, is that no records appeared to be tampered with, from what Channel Asia currently understands.
Healthcare data can be extremely valuable with hackers willing to go the extra mile to obtain it, but are healthcare providers aware of the value of the data they are storing?
“This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers,” said Olli Jarva, managing consultant, Software Integrity Group, Synopsys.
"Medical data contains a trove of information – from personally identifiable data to financial details – that can be used to create a highly sought-after composite of an individual,” said Leonard Kleinman, chief cyber security advisor of APJ at RSA.
"As it [medical data] could contain any amount and level of information, healthcare institutions are among the most sought-after industries by criminals who can be motivated by a multitude of possible reasons,” added Kleinman.
How much can such data cost? According to Kleinman entry data can be sold for $50 - $100 higher than stolen credit card data.
"According to the 2017 Cost of Data Breach Study by Ponemon Institute, a lost/stolen healthcare record fetches US$408,” said Kleinman.
It is too early to know the true cost of such an attack, and it could be months, sometimes years, before Singaporeans are affected by it.
"Given the nature of this attack, it is hard to say exactly what the end game is, especially when the attackers have not identified themselves,” said Kleinman.
The unfortunate truth is however, that such events are not uncommon, and the fact of the matter is there is no easy fix.
“Having better visibility into the enterprise IT environment is a fundamental first step,” said Kleinman.
“It is going to take a concerted, ongoing effort by hospitals, healthcare practitioners, contractors, legislators and even patients themselves, to ensure that the future of healthcare data is a secure one,” added Kleinman.
How did Singapore do by international standards?
It appears that by international standards, Singapore did extremely well in detecting the attack and reporting it in a timely manner.
"We have to accept that sophisticated, deliberate cyber-attacks such as these are now a part of reality,” said Sanjay Aurora, managing director of Asia Pacific at Darktrace. "For SingHealth to have detected, investigated and reported this incident within a month is a comparative success.
"How many other countries around the world are capable of even detecting this attack within a month, let alone able to conduct a full investigation in this short time period?"
From Aurora’s perspective, the hackers only got the “equivalent of a phone book”, however, admitted support will be needed for the 160,000 medicinal details stolen.
A more pressing question is what the hackers intend to do with the data they have stolen? Any guess at this time is speculation, but history shows a few possibilities, one being a profit motive, with medical information fetching a heavy price on the dark web.
However, from what Channel Asia understands, this breach was not the work of a criminal gang, but the most likely scenario appears to be the involvement of a state actor.
If it was indeed the work of a state actor, then a more sinister reason might be to blame.
"A more sinister reason to attack would be to cause widespread disruption and systemic damage to the healthcare service – as a fundamental part of critical infrastructure – or to undermine trust in a nation’s competency to keep personal data safe,” said Aurora.
Aurora describes healthcare networks as “digital jungles” with well-resourced attackers able to take the time and effort to conduct low and slow attacks to discover vulnerabilities, often silently exploiting them over long periods of time.
“Once their work is done, they are expert in covering their tracks, making attribution extremely difficult,” added Aurora.
“On the whole, Singapore has a very good security posture and a number of Singaporean organisations are embracing the latest AI technologies to detect threats already on the inside and keep their systems safe against these inevitable attacks,” said Aurora.
What more can be done?
One possibility is to build security into the applications that store healthcare data, according to Jarva from Synopsys.
“When we are designing and building the systems to be resilient for cyber-attacks, we have to start building security from within, rather than only relying on perimeter defence,” said Jarva.
“This means that before a single line of code is written, we have already started to map down our potential security problems from the design standpoint."
Read more on the next page...
