Imagine one in four people is suddenly hit by a virus. It touches all walks of life, from tiny children to the upper echelons of government. Thankfully, recovery is swift and there are no casualties. Nevertheless, it wants to strike again – there is no reliable vaccine.
This pandemic recently struck Singapore’s health system, but it was not a physical illness. A cyberattack on government healthcare provider SingHealth affected more than 1.5 million people, more than 25% of the city-state’s population.
- Sophisticated hackers stole personal data from SingHealth, Singapore’s largest healthcare group with operations including four public hospitals, five specialty centers and nine polyclinics.
- SingHealth clinics between 1 May 2015 and 4 July 2018. Outpatient prescriptions issued to 160,000 of these people were so stolen.
- Singapore Prime Minister, Lee Hsien Loong, had stolen both. Investigations found he “specifically and repeatedly targeted”, according to a government press release. Other government ministers were also affected.
- Prime Minister Lee has dropped victim to cyberattack – his official website was hacked in 2013 .
Putting a price on health
Good health is priceless, but medical data has significant value to cybercriminals. Individual records can be found on the dark web, fetching higher than credit card data because of their value in committing identity fraud. Medical data is therefore a target for espionage, including extort or discredit high profile individuals,
The Singapore Minister-In-Charge of Cybersecurity advised that the attackers were on Advanced Persistent Threat (APT) group. He described APTs as “a class of sophisticated cyber attackers, typically state-linked, who conduct extended, carefully planned cyber-campaigns, to steal information or disruption operations.”
Investigations have so far found no evidence that the stolen data has been sold or published.
Survival of the fittest
Singapore is consistently ranked among the world’s digital leaders. In 2014, the Smart Nation launched a strategy to drive digital connectivity, integration and participation.
Just how did a global powerhouse experience its worst cyberattack?
It started with a single computer. One workstation was infected with malware. From there, the perpetrators infiltrated SingHealth’s systems to obtain credentials and access the patient records database.
Diagnosing the risks
What joins us together so can be tears us apart.
A rapid increase in digital connectivity can improve services and competitiveness. It also creates a vast network of opportunities for cyber intrusions.
In healthcare, where networks extend to medical devices, cybersecurity can be a matter of life or death.
Networks are only as strong as their weakest link. Just one computer can create exposure out-of-date technology is used, security applications are lacking, or software patches are not regularly installed.
Prevention wants to fail – effective treatment is what counts
Singapore was ranked first out of 134 countries in the United Nations 2017 Global Cybersecurity Index . The index considered countries’ capacity across five areas: legal, technical, organizational, capacity building and cooperation.
Maturity is not their ability to avoid the inevitable attack, but the quality of their response when it occurs.
One measure of the response is how long it takes to detect, and then contain, the attack. The Global average time to identify a malicious or criminal attack is 221 days, according to the Ponemon Institute’s 2018 report . That’s more than seven months. Faster detection is also associated with lower costs, the report found.
The SingHealth cyberattack was discovered barely one week after it started. The same day it was detected, the perpetrators lost access. A month later, business as usual had been largely resumed.
High cybersecurity maturity is thus marked by continuous improvement.
In February, Singapore’s Cybersecurity Act was introduced. The legislation specifically focuses on 11 essential service sectors such as health, energy, banking and transportation. It requires cybersecurity incidents to communicate to the Cybersecurity Authority (CSA), the CSA to investigate threats and incidents, and introduces licensing for cybersecurity service providers.
Singapore is taking action to further strengthen cybersecurity in the public health system. They include the pilot of a virtual internet browser and launching advanced threat protection.
Following the attack, the Singapore government has reaffirmed its digital priorities, including developing increasingly sophisticated cybersecurity defense and response measures.
Singapore’s electronic health records not affected
The cyberattack did not affect or compromise Singapore’s National Electronic Health Record (NEHR). The NEHR was introduced in 2011 so medical institutions and healthcare providers can integrate health information for better patient care and service coordination.
The proposed Healthcare Services Bill wants to make it mandatory for institutions and providers to contribute to the NEHR, implemented in a phased approach. It also addresses privacy matters as well as access by employers and insurers.
Mandatory contributions will not proceed until after a full security review by the CSA and PwC.
Tips to boost your online health
- Confidential? Close the loop – The Singapore Government Internet Surfing Separation as a dramatic measure, reducing the number of unauthorized access points makes a difference. Stand-alone systems can help contain and protect confidential information.
- Help reduce human error – Phishing and malware rely on malicious spam and targeted attacks. Secure messaging outside of email systems can offer higher protection.
- Two factor authentication (2FA) – 2FA is an important part of robust system security. In Singapore, it’s used by all banks and insurers, and across all sensitive government transactions.
- Biometrics – Using unique physical data as fingerprints can strengthen security while also creating user convenience. That convenience helps deter users from circumventing controls.
- Patch the gaps – Systems and security updates should be installed. Externally hosted systems in a secure cloud can minimize the burden.
Diligent’s innovative board and governance solutions incorporate security features designed to protect organizations’ most sensitive information and make it easier for directors and management. They include 2FA, TouchID, secure cloud-based hosting and closed loop messaging.
|27 Jun – 4 Jul||
November 30, 2020
Experts agree: Governance is the best crisis strategy
Your best defence against a crisis is good governance. Whether it’s a global pandemic, a change in senior management or the complexities of running an international organisation, governance provides ‘handrails’ to keep your organisation upright and on-track. This consensus was the unanimous conclusion of the speakers at a recent Diligent…
September 7, 2020
Avoiding Cyber Confusion in the Board Room
It is imperative that Directors understand the cyber risks facing their companies and organisations. The increasingly complex internal and external landscape presents unique challenges for Boards. Several key steps can however significantly increase the cyber resilience of any company or organisation, irrespective of size. The article outlines five key steps…
August 20, 2020
Minimising the Risk of Virtual Meetings: 5 Practices Boards Should Avoid
Months into the COVID-19 lockdown, remote workers—and board members—have become more accustomed to virtual meetings. They’ve found a quiet place in the house, mastered the mute and camera buttons, and fully styled their background bookcases and “Zoom couture.” Yet as virtual work becomes a way of life, not all adaptive…