SingHealth cyber-attack: now what?

Last Friday, authorities broke the news that hackers had infiltrated the databases of SingHealth, the largest group of healthcare institutions in Singapore.

In the worst cyber-attack Singapore has suffered to date, the hackers walked away with the personal data of about 1.5 million patients, including data belonging to Prime Minister Lee Hsien Loong and a few other ministers.

The exfiltrated data include names, NRIC numbers, addresses, genders, races and dates of birth. The incident has caused unease among Singaporeans, with some even questioning the government’s Smart Nation drive.

In view of this, Sid Deshpande, research director at Gartner, answers some questions to provide a balanced perspective regarding the impact of this serious breach of personal data and what Singapore needs to do moving forward.

Who are these cyber-attackers and what do they really want?

Sid: Medical records contain sensitive data that can be used for identity fraud, insurance fraud or tax fraud. So it is plausible that there was a financial incentive to it. Generally, information contained in medical records is more ‘permanent’ than financial information like credit card numbers – so this type of information likely fetches higher payouts on the dark web.

It could also be sponsored by nation states that have interests inimical to Singapore’s.

Ultimately, the identity of the attackers isn’t that important in the bigger picture. Attribution is really difficult as far as security incidents are concerned and resources are better utilized in preventing such incidents from happening in the future rather than trying to accurately pinpoint which group did it.

What then needs to be done?

Sid: Incidents like these highlight the importance of having defense in depth, or security controls at various layers of the technology infrastructure.

Equal emphasis needs to be placed on application security, endpoint security, data security, web/email security and identity/access management to prevent or reduce the number of security incidents. Preventative approaches need to be supplemented with good detection and response capabilities.

Attackers usually intend to stay dormant in systems to avoid detection and cause further damage, so the fact that the breach was detected this early actually shows that the security teams in this case were actively monitoring systems to detect incidents.

What does this major breach signal for a country like Singapore, where the government has already put a strong focus on security?

Sid: This breach reinforces the need for a continued focus on operational security best practices. Improving the security maturity of a nation and its critical systems is not a one-time activity. Other nations have been affected by bigger breaches, so Singapore is not alone in that respect.

One key takeaway is that placing the onus of responsibility on the end-users or non-technical staff for poor security is not enough. Security teams need to put in place processes that can mitigate risks associated with intentional and unintentional violation of security best practices by technology users.

How should we go about balancing Singapore’s need to become a ‘Smart Nation’ and fighting the bands of cyber-attackers?

Sid: Security preparedness needs to be baked into every single digital project initiated by the government and critical industries. There has to be a realization that despite our best efforts, security incidents will happen and 100% prevention is impossible.

Therefore, investments need to be made in improving detection and response capabilities, in addition to strengthening prevention. Limiting the damage after a security incident occurs is critical – this is both in terms of quickly denying attackers access to sensitive resources once the breach has been detected and also in terms of protecting citizens from scams.

In the aftermath of a major breach involving citizen data, it is very likely that malicious actors will try to capitalize on the general panic to get citizens to reveal even more personal information by impersonating authorities over the phone, SMS or email. Therefore, clear communication from authorities is extremely critical.

What do Singaporeans need to watch out for?

Sid: The most immediate threats people will face are identity fraud, financial fraud and tax fraud. Data contained in healthcare records is more permanent than credit card information, for example, so citizens need to be alert to scams resulting from social engineering efforts.