After the SingHealth cyber attack, it took a week for attackers to steal the personal data of 1.5 million people—about a quarter of the city-state’s population.
It apparently took just about a week after cyber attackers broke into SingHealth, Singapore’s largest healthcare group, for them to steal the “non-medical personal particulars” of 1.5 million people—about a quarter of the city-state’s population—plus “information on outpatient dispensed medicines” of about 160,000 of them.
SingHealth (Singapore Health Services) operates two tertiary hospitals, five national specialty centers, and eight polyclinics, according to its website.
Among the victims was Prime Minister Lee Hsien Loong, who was specifically targeted in what the Ministry of Health (MOH) said in an advisory was an “unprecedented” attack.
The MOH called it “deliberate, targeted, and well-planned…not the work of casual hackers or criminal gangs.” While they refused to say whether they knew, or even suspected, who was behind the SingHealth cyber attack, the statement led to widespread speculation that it was a nation-state with advanced capabilities and tools. The obvious suspects for something like that: Russia, China, Iran, and North Korea.
Jeff Middleton, CEO of cyber security consultancy Lantium, told the AFP news agency that healthcare data is attractive to hackers not just because of the value of personal data but also because it can be used to blackmail people in positions of power.
“Any non-public health information could be used for extortion. Russian spy services have a long history of doing this,” he said.
As is often the case, the entry point was a single computer. The Cyber Security Agency of Singapore (CSA) determined the attackers got access to the SingHealth IT system “through an initial breach on a particular front-end workstation.”
More details weren’t immediately available, but it would suggest that once again, a worker fell for a well-crafted phishing attack. The MOH said the attackers “managed to obtain privileged account credentials to gain privileged access to the database.”
Olli Jarva, managing consultant with the Synopsys Software Integrity Group, said this follows the typical model of a modern attack. After doing some reconnaissance, “the hacker will then compromise the first device that gives access to the networks, and use it as a springboard to further compromise the target organization,” he said.
Those steps include establishing a foothold without being detected, escalating privileges, doing some more reconnaissance of internal assets, and finally exfiltrating data.
The SingHealth cyber attack also illustrates that it doesn’t take much time to do significant damage.
The MOH said the breach began June 27 and they detected it July 4, eight days later. “The breach was immediately contained, preventing further illegal exfiltration,” the advisory said.
If that is indeed the case, it is an unusually fast detection and response time, Jarva said, “considering that one of the studies done in North America stated that U.S. companies took an average of 206 days to detect a data breach.”
Still, it was enough time for those who had visited SingHealth facilities between May 1, 2015, and July 4, 2018, to have their data “illegally accessed and copied. The data taken include name, NRIC [National Registry Identity Card] number, address, gender, race and date of birth,” the MOH said.
“Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated,” it said, adding that there had been no tampering with the records and that they didn’t include diagnoses, test results, or doctors’ notes.
In a Facebook post, Prime Minister Loong called the attackers “extremely skilled and determined” with “huge resources.”
But he said if they were “hunting for some dark state secret, or at least something to embarrass me…they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”
Besides the possible motive, the other obvious question is whether the SingHealth cyber attack could have been prevented. There is no way to know for sure, of course, but the CSA and Singapore’s Integrated Health Information Systems (IHiS) are now taking actions they could have taken earlier.
“IHiS, with CSA’s support, has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing Internet surfing separation,” the MOH said, adding that they have “also placed additional controls on workstations and servers, reset user and systems accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.”
SingHealth is likely not an outlier, however, when it comes to vulnerabilities in healthcare organizations. Jarva noted that the healthcare sector worldwide has become a more attractive target for hackers since the e-commerce and financial sectors have strengthened their security.
He said the latest BSIMM (Building Security In Maturity Model) report, which compiles best practices of 109 major organizations in financial services, insurance, healthcare, independent software vendors (ISVs), cloud, Internet of Things (IoT), critical infrastructures, and utilities, showed the healthcare sector overall lagging behind other sectors when it comes to software security.
That may start to change, at least in the United States, with the recent decision by the federal Food and Drug Administration to use ANSI/UL 2900 as a “consensus standard” for healthcare security, covering medical devices and also “process requirements.”
And change cannot come soon enough for an industry with a focus on the physical care and safety of its clients. As Jarva notes, attacks like this one will continue and become more sophisticated.
“Data breaches are here to stay,” he said. “We will always do our best to limit the chance of getting breached. But if there are enough resources behind the attack, it can be challenging to defend against.
“We have to start to build security in during the early stages of developing applications,” he said, “which will make them more resilient to the attacks.
“Building the protection capabilities afterwards, when the application is already built, is more expensive and harder to implement.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.