According to a recent news report by the Telegraph, cyber-criminals have managed to steal 1.5 million personal (non-medical) records from SingHealth – Singapore’s largest group of healthcare service providers. Singapore’s Prime Minister, Lee Hsien Loong, was amongst those whose data was compromised.
During a press conference on Friday, July 20, the authorities claimed that the Prime Minister’s records were “repeatedly targeted”. Due to the highly sophisticated nature of the attack, it is believed that the attack was a form of espionage – although no official statements have been made regarding who was behind it. PM Lee made an announcement on Facebook saying “I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me”.
This is not the first time that Singapore has been hit by a cyber-attack. The infamous hacking group, Anonymous, launched a series of attacks in 2013, over what was allegedly a protest against Government censorship. The attack comes after plans to launch the National Electronic Health Record (NEHR) project, which is designed to enable better sharing of patient information amongst healthcare organisations. However, the NEHR project is now on hold until further notice.
How Did the Attack Happen?
Data was stolen between June 27 and July 4, 2018, which suggests that it was a form of Advanced Persistent Threat (APT). Investigations following the attack uncovered a malware infection on one of SingHealth’s computers, which hackers used to gain access to the outpatient database. SingHealth has imposed temporary restrictions on internet usage, and other healthcare organisations are said to have done the same. Since July 4, other measures have been implemented, such as changing passwords, and monitoring/blocking suspicious connections to the network. No further disruption has been reported as of yet.
How Can This Be Prevented in the Future?
Malware infections are the bane of security teams worldwide. Since malware attacks are usually caused by negligent employees, they are very difficult to prevent. Naturally, one of the most effective ways to reduce the threat of malware is to ensure that all employees are sufficiently trained to identify suspicious emails and websites. There are a number of other measures that organizations should take, including:
- Scanning email attachments
- Using the latest antivirus software
- Keeping all software up-to-date
- Isolating web browsing sessions from the network
- Maintaining a firewall which uses malware sandboxing
- Preventing files from executing in AppData/LocalAppData folders
- Disabling Remote Desktop Protocol (RDP)
However, such measures are only so effective at preventing malware infections. According to Leonard Kleinman, chief cyber security advisor of APJ at RSA, “having better visibility into the enterprise IT environment is a fundamental first step”, and “we have to stay vigilant when it comes to understanding how and what kind of data we are protecting, where it is located, and what kind of security controls we have in place to protect it”.
It should be noted that, relative to international standards, SingHealth did well to detect the breach in a timely manner. After all, the average “dwell time” for a cyber-attack is approximately 229 days, according to Crowdstrike.com.
Organizations need to focus more of their attention on discovery, classification, and auditing of sensitive data. They must also continue to keep up-to-date with the latest tools and technologies if they are to detect and respond to APTs in a timely manner. Solutions such as LepideAuditor provide healthcare organisations with real-time alerts when important information is accessed in a way that is not typical for a given user. Although we don’t yet know the specific details about who is responsible for the attack, or how the data was leaked, it’s likely that there would have been tell-tale signs of a compromise, which could have been brought to the attention of SingHealth’s security team sooner than it was.
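A minimal sketch of the "not typical for a given user" check described above, added here as an example; it is not code from the original article or from LepideAuditor. It baselines each account's rows read and source hosts from a database audit log, then flags later records that depart from that baseline. The log format, account names, host names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed audit records (not real SingHealth data): date, user, source host, rows read.
AUDIT_LOG = [
    ("2018-06-18", "clerk_a", "ws-101", 40),
    ("2018-06-19", "clerk_a", "ws-101", 55),
    ("2018-06-20", "clerk_a", "ws-101", 48),
    ("2018-06-21", "clerk_a", "ws-101", 52),
    ("2018-06-18", "svc_report", "app-01", 900),
    ("2018-06-19", "svc_report", "app-01", 950),
    ("2018-06-20", "svc_report", "app-01", 920),
    ("2018-06-27", "clerk_a", "ws-101", 50),       # ordinary day, should not alert
    ("2018-06-27", "svc_report", "ws-317", 940),   # usual volume, unfamiliar host
    ("2018-06-28", "clerk_a", "ws-101", 21000),    # bulk read far above baseline
]
BASELINE_END = "2018-06-26"  # records on or before this date form the baseline


def build_baseline(records, end_date):
    """Collect each user's historical row counts and source hosts."""
    rows, hosts = defaultdict(list), defaultdict(set)
    for day, user, host, n in records:
        if day <= end_date:
            rows[user].append(n)
            hosts[user].add(host)
    return rows, hosts


def find_anomalies(records, end_date, k=6.0):
    """Flag post-baseline records with a new source host or an unusually large read."""
    rows, hosts = build_baseline(records, end_date)
    alerts = []
    for day, user, host, n in (r for r in records if r[0] > end_date):
        if user not in rows:
            alerts.append((day, user, "no baseline for user"))
            continue
        med = median(rows[user])
        # Median absolute deviation, floored so a very steady account is not flagged on noise.
        mad = max(median(abs(x - med) for x in rows[user]), 0.05 * med, 1.0)
        if host not in hosts[user]:
            alerts.append((day, user, f"new source host {host}"))
        if n > med + k * mad:
            alerts.append((day, user, f"rows read {n} vs median {med:g}"))
    return alerts


if __name__ == "__main__":
    print(*find_anomalies(AUDIT_LOG, BASELINE_END), sep="\n")
```

Median and MAD are used instead of mean and standard deviation so that a single earlier bulk read does not inflate the baseline and hide the next one.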