SingHealth Cyberattack Analysis

Major cyberattacks on Singapore’s government health database resulted in the personal information of about 1.5 million people, including Prime Minister Lee Hsien Loong, being stolen. Of these, 160,000 people, including Prime Minister Loong and a few ministers, had their outpatient prescriptions stolen as well.

Background

SingHealth’s database containing patient personal particulars and outpatient dispensed medicines has been the target of a major cyberattack (Ministry of Health Singapore, 2018).

About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race, and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e., no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. We have not found evidence of a similar breach in the other public healthcare IT systems, as the Ministry of Health later stated.

“When SingHealth digitised its medical records, they asked me whether to computerise my own personal records too or to keep mine in hardcopy for security reasons. I asked to be included. Going digital would enable my doctors to treat me more effectively and promptly. I was confident that SingHealth would do its best to protect my patient information, just as it did for all their other patients in the database.” (H. Loong, 2018).

The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines, the Ministry of Health added. Mr Loong has survived cancer twice (BBC, 2018).

“I am personally affected, and not just incidentally. The attackers targeted my own medication data, specifically and repeatedly,” the PM added in his lengthy Facebook post.

How and Why Did It Occur?

Well, on 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity while putting in place additional cybersecurity precautions. On 10 July 2018, investigations confirmed that it was a cyberattack, and the Ministry of Health (MOH), SingHealth and CSA were informed. It was established that data was exfiltrated from 27 June 2018 to 4 July 2018. SingHealth lodged a police report on 12 July 2018. A police investigation is ongoing. (Integrated Health Information Systems (IHiS) is the technology agency for the public healthcare sector. It runs the public healthcare institutions’ IT systems.)

Similarly, on Friday, May 12, 2017, a massive cyber-attack was launched using WannaCry (or WannaCrypt). In a few days, this ransomware virus targeting Microsoft Windows systems infected more than 230,000 computers in 150 countries. Once activated, the virus demanded ransom payments to unlock the infected system. The widespread attack affected countless sectors: energy, transportation, shipping, telecommunications, and of course health care. Britain’s National Health Service (NHS) reported that computers, MRI scanners, blood storage refrigerators and operating room equipment might have all been impacted. Patient care was reportedly hindered, and at the height of the attack, the NHS was unable to care for non-critical emergencies and resorted to diverting care from impacted facilities. While daunting to recover from, the entire situation was entirely preventable. Microsoft released a “critical” patch on March 14, 2017. Once applied, this patch removed any vulnerability to the virus. However, hundreds of organisations running thousands of systems had failed to apply the patch in the first 59 days after it had been released. Ehrenfeld (2017) wrote about it.

However, in this recent event, officials reported no ransom demand and named neither motives nor perpetrators, other than to say that “It was not the work of casual hackers or criminal gangs.” The ministry added that the attackers targeted details about Lee and the medicines he received, as Tham (2018) later analysed and published in his paper.

The Cyber Security Agency of Singapore (CSA) has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration.

In the official Facebook post, H. Loong (2018) writes, “I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”

For those conducting cyberattacks on the healthcare sector, it is an attractive target for two simple reasons: it is a rich source of valuable data, and it is a soft target. More worrisome are attacks that result in breaches of protected health information and personally identifiable information. Such information is valuable to attackers for two main reasons. First, it has direct monetary value: attackers can sell these data in anonymous online forums that are part of what’s sometimes referred to as “the dark web.” For example, in June 2016, a hacker posted on the “Real Deal” dark web marketplace offering for sale more than 600,000 medical records from three different systems, one of which was an entire electronic health record, including screenshots. Medical records can be used for various fraudulent activities, including falsified claims, medical device purchasing (and reselling), and credit card identity theft (Gordon, Fairhall & Landman, 2017).

Second, protected health information is durable. Whereas credit card numbers, insurance identifiers, and even Social Security numbers can be changed, a piece of medical history is indelible and can be used as identifying information even years after an initial breach. The data can also be used for highly targeted e-mail “phishing” campaigns to collect credentials that, in turn, give attackers access to systems and information.

What Could Have Been Done to Prevent It?

This entire situation highlights a critical need to re-examine how we maintain our health information systems. Equally important is a need to rethink how organisations sunset older, unsupported operating systems, to ensure that security risks are minimised. For example, in 2016, the NHS was reported to have thousands of computers still running Windows XP, a version no longer supported or maintained by Microsoft. There is no question that this will happen again. However, health organisations can mitigate future risks by ensuring best security practices are adhered to. Ehrenfeld explained it very well.

As a recent study (Gordon et al., 2017) puts it, protecting our information systems and our health data is critical to ensuring the safe delivery of health care. Unfortunately, protection against the myriad threats to healthcare data is sophisticated, and there is no silver bullet. More suggestions can be found in the study cited above.

Conclusion

The healthcare sector is complex, fragmented, and chronically short of resources, yet it holds vast amounts of sensitive and valuable data in vulnerable systems. Cybersecurity is not just about protecting data; it is fundamental for maintaining patients’ safety, privacy, and trust. Effective cybersecurity must become an integral part of healthcare systems, a pillar of regulation, and the subject of future research strategies. We must urgently develop reasonable standards and solutions that are specific to the healthcare sector, agree on clear lines of responsibility and governance, and commit appropriate resources to the provision of adequate security (Martin, Martin, Hankin, Darzi & Kinross, 2017).

According to the official statement made earlier by the Ministry of Health Singapore, the Integrated Health Information Systems (IHiS), with CSA’s support, has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing internet surfing separation. We have also placed additional controls on workstations and servers, reset user and systems accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.

Cyber Is The New Fear: Cover Your Back

The World Wide Web (WWW) was primarily designed to connect people electronically from different parts of the world. However, over the last couple of decades or so, grave concerns have been raised about the safety of the internet. Keep in mind, before I elaborate further, that there are three layers of the Internet that function completely differently from each other. Consider it like the Olympics, but limited to only three categories of sports. Allow me to add it here instead of starting a new paragraph: (I) Surface Web (which I personally classify as a Community Club). That’s the Internet where you can read my blog or navigate to Facebook, Twitter, Google search, Gmail, Hotmail, Yahoo, Uber Eats or maybe majdiology.com. (II) Deep Web: basically designed for P2P (peer-to-peer), collectively like-minded groups who prefer to have their contents hidden and unindexed by any search engine spiders. It is mainly meant to share illegal content such as pirated downloads, live penetration of an illegal act, child pornography, protected wildlife trades which “I personally witnessed on many occasions while I was a delivery driver”, underground activities such as brothels, etc. (I trust you got my point, since I’m trying to make this piece as short as I can by invoking your thoughts). Anyhow, I still wouldn’t start a new paragraph when it arrives at the last layer. (III) Dark Web (I’ll publish a detailed separate piece dedicated to it in the near future). At any rate, let’s keep dancing along! Simply, the Dark Web can only be accessed through “Overlay Networks”. Whether you are using Chrome, Firefox, Safari (God forbid), Opera, etc., your hands are tied. The Dark Web is primarily designed and intended to run and to function only on top of your internet. That is, your browsers or favourite search engines won’t ever discover the Dark Web, which is responsible for over 80% of the entire Internet.

Undoubtedly, the internet is one of the best resources available to us today, whether we are talking about performing our day-to-day duties or simply bonding with our families and/or friends. However, the internet has now become extremely dangerous and many industries have been created through the misuse of the platform.

For instance, let’s take the case of the applications we use on our mobile phone devices. There are thousands of these apps available on the internet. Everyone is entitled to download any application they wish for whatever reason. However, one would expect that their right to privacy is not lost whenever they decide to download and use an app on their mobile device. But the sad reality is that many people have poor knowledge and little understanding of the terms and conditions that are assigned to the use of such an app, and often this ignorance comes back to bite them. We are all victims of this.

Sooner or later, our online privacy will be a thing of the past, as the authorities may not be able to effectively police consumers’ privacy when it comes to using apps, because of the highly complex nature of, and confusion surrounding, the terms and conditions, which are deliberately created by the attorneys of the developers of these applications. Surely, none of us would willingly forfeit our rights to the government to act as “Big Brother” over our behaviour. But it is fair to expect the developers and their attorneys to disclose all relevant information in simple, succinct ways and clarify where customers’ information is stored when using the applications. Hosting companies such as Google’s Play Store and Apple’s App Store must be held accountable for hosting unverified hidden code that could potentially compromise users’ privacy and security.

I found it extremely pertinent to disclose that the two largest app hosting providers listed above are the beneficiaries of each and every app sold, subscribed to, used, tried, or even downloaded through their platforms.

Many developers and service providers often seek to hide their malign intentions through the presentation of several dozen pages of terms and conditions. They count on consumers’ ignorance and unwillingness to read the terms and conditions. These providers need to be reminded that we cannot hire a lawyer every time we purchase or freely install an app to ensure they explain the liabilities and entitlements related to such products.

Additionally, the use of third-party entities (in the form of plugins, etc.) in the provision of services to consumers should be abolished by the big corporations and service providers. If these companies use third-party companies to provide services or products, they should take full responsibility when it comes to any liability suffered by consumers.

The same should also apply to the use of credit cards or rewards cards. These days rewards points are being used quite frequently. These companies also use so-called surveys as instruments to collect our personal information. Companies like Google go even further, as they know our private affairs in detail and they are using it against us for marketing purposes.

Most of us have no idea where our details are stored and what is done with them. Therefore, do not be surprised when you receive a phone call from Switzerland or Bangladesh.

I’m afraid that one day a stranger will knock on my door and call me by my name, even if I did not invite them.

These things should be of concern to us all. As an IT guy, I urge everyone to take privacy seriously when using the internet on any device.

To protect yourself and minimise any liability or inconvenience, consider taking the following steps:

  • Pay attention to warranties and disclaimers;
  • Be very careful with online surveys;
  • Never use one email address only; create multiple email addresses (the free ones) and use them for different types of communication;
  • Never use your real date of birth (unless you have to);
  • Never use your real full name (unless you have to);
  • Never give your physical address (unless you have to);
  • Change your password regularly;