SingHealth Cyberattack Analysis

Major cyberattacks on Singapore’s government health database resulted in the personal information of about 1.5 million people — including Prime Minister Lee Hsien Loong — being stolen. Of these, 160,000 people, including Prime Minister Loong and a few ministers, had their outpatient prescriptions stolen as well.


Background

SingHealth’s database containing patient personal particulars and outpatient dispensed medicines has been the target of a major cyberattack (Ministry of Health Singapore, 2018).

About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race, and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e., no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. The Ministry of Health later stated that it had not found evidence of a similar breach in the other public healthcare IT systems.

“When SingHealth digitised its medical records, they asked me whether to computerise my own personal records too or to keep mine in hardcopy for security reasons. I asked to be included. Going digital would enable my doctors to treat me more effectively and promptly. I was confident that SingHealth would do its best to protect my patient information, just as it did for all their other patients in the database.” (H. Loong, 2018).

The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines, the Ministry of Health added. Mr Loong has survived cancer twice (BBC, 2018).

“I am personally affected, and not just incidentally. The attackers targeted my own medication data, specifically and repeatedly,” the PM added in his lengthy Facebook post.

How and Why Did It Occur?

On 4 July 2018, database administrators at Integrated Health Information Systems (IHiS), the technology agency that runs the public healthcare institutions’ IT systems, detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity while putting in place additional cybersecurity precautions. On 10 July 2018, investigations confirmed that it was a cyberattack, and the Ministry of Health (MOH), SingHealth and CSA were informed. It was established that data was exfiltrated from 27 June 2018 to 4 July 2018. SingHealth lodged a police report on 12 July 2018. A police investigation is ongoing.

Similarly, on Friday, May 12, 2017, a massive cyberattack was launched using WannaCry (or WannaCrypt). In a few days, this ransomware virus targeting Microsoft Windows systems infected more than 230,000 computers in 150 countries. Once activated, the virus demanded ransom payments to unlock the infected system. The widespread attack affected many sectors: energy, transportation, shipping, telecommunications, and of course health care. Britain’s National Health Service (NHS) reported that computers, MRI scanners, blood storage refrigerators and operating room equipment might have all been impacted. Patient care was reportedly hindered, and at the height of the attack, the NHS was unable to care for non-critical emergencies and resorted to diverting care from impacted facilities. While daunting to recover from, the situation was entirely preventable. Microsoft released a “critical” patch on March 14, 2017. Once applied, this patch removed any vulnerability to the virus. However, hundreds of organisations running thousands of systems had failed to apply the patch in the first 59 days after it had been released (Ehrenfeld, 2017).

In this recent event, however, officials reported no ransom demand, motives or perpetrators. “It was not the work of casual hackers or criminal gangs,” the ministry said, adding that the attackers targeted details about Lee and the medicines he received, as Tham (2018) later analysed in his paper.

The Cyber Security Agency of Singapore (CSA) has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration.

In his official Facebook post, the Prime Minister (H. Loong, 2018) writes, “I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”

The healthcare sector is an attractive target for those conducting cyberattacks for two simple reasons: it is a rich source of valuable data, and it is a soft target. More worrisome are attacks that result in breaches of protected health information and personally identifiable information. Such information is valuable to attackers for two main reasons. First, it has direct monetary value: attackers can sell these data in anonymous online forums that are part of what’s sometimes referred to as “the dark web.” For example, in June 2016, a hacker posted on the “Real Deal” dark web marketplace offering for sale more than 600,000 medical records from three different systems, one of which was an entire electronic health record, including screenshots. Medical records can be used for various fraudulent activities, including falsified claims, medical device purchasing (and reselling), and credit card identity theft (Gordon, Fairhall & Landman, 2017).

Second, protected health information is durable. Whereas credit card numbers, insurance identifiers, and even Social Security numbers can be changed, a piece of medical history is indelible and can be used as identifying information even years after an initial breach. The data can also be used for highly targeted e-mail “phishing” campaigns to collect credentials that, in turn, give attackers access to systems and information.

What Could Have Been Done to Prevent It?

This entire situation highlights a critical need to re-examine how we maintain our health information systems. Equally important is a need to rethink how organisations sunset older, unsupported operating systems, to ensure that security risks are minimised. For example, in 2016, the NHS was reported to have thousands of computers still running Windows XP, a version no longer supported or maintained by Microsoft. There is no question that this will happen again. However, health organisations can mitigate future risks by ensuring best security practices are adhered to, as Ehrenfeld explains very well.

As a recent study (Gordon et al., 2017) puts it, protecting our information systems and our health data is critical to ensuring the safe delivery of health care. Unfortunately, protection against the myriad threats to healthcare data is sophisticated, and there is no silver bullet. More suggestions can be found in that study.

Conclusion

The healthcare sector is complex, fragmented, and chronically short of resources, yet it holds vast amounts of sensitive and valuable data in vulnerable systems. Cybersecurity is not just about protecting data; it is fundamental for maintaining patients’ safety, privacy, and trust. Effective cybersecurity must become an integral part of healthcare systems, a pillar of regulation, and the subject of future research strategies. We must urgently develop reasonable standards and solutions that are specific to the healthcare sector, agree on clear lines of responsibility and governance, and commit appropriate resources to the provision of adequate security (Martin, Martin, Hankin, Darzi & Kinross, 2017).

According to the official statement made earlier by the Ministry of Health Singapore, the Integrated Health Information Systems (IHiS), with CSA’s support, has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing internet surfing separation. Additional controls have also been placed on workstations and servers, user and systems accounts have been reset, and additional system monitoring controls have been installed. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.