SingHealth cyberattack likely to be state-sponsored; Medical data a goldmine for hackers, say experts
SINGAPORE — The cyberattack on SingHealth is likely to have been state-sponsored, given the type of data that was taken and the amount of resources required to mount such a breach, cybersecurity experts said.
The authorities did not identify any suspects, and the experts declined to speculate on the source of the attack. Media reports and studies in recent years have identified China, Russia, Iran, North Korea and the United States as among the countries with the capabilities to mount sophisticated online attacks.
Although some experts were divided on the commercial value of personal data, most agree that it all boils down to what the hackers do with the information.
On what the data obtained could be used for, some experts TODAY spoke with said personal data could be sold for large sums on the Dark Web, an encrypted data market network, whereas the stolen medication records of Prime Minister Lee Hsien Loong and other ministers could be “used to cause instability within the country”.
Mr Eugene Tan, associate research fellow from the S. Rajaratnam School of International Studies, said: “I do think that it is a nation state (behind the attack) because of the type of data that was exfiltrated, which has a low chance of being monetised. Most cyber incidents that hospitals face are ransomware attacks, which cripple systems for financial gain.”
Mr Tan, who specialises in cyberspace security issues and Singapore’s foreign policy, said that this attack was “different”. “If it were really targeted at PM's records, it is for a political motive, not a monetary one. The question to ask is who will benefit from this modus operandi.”
“For a state actor, (attempting to access) another leader's medical records may have political purposes,” he added. “For example, if a leader has recently gone to a doctor and gotten a bad diagnosis, and cannot publicly reveal his condition, the other state may use this to their advantage, like delaying some project or meeting in hope that there is a change in the status quo,” he said.
Senior regional director (Asia Pacific & Japan) of security intelligence company LogRhythm, Ms Joanne Wong, said: “We certainly cannot discount the possibility that it could be state-sponsored. Singapore has invested significantly in cybersecurity, so for a breach to happen, it would have to be well co-ordinated and backed by significant resources.”
She added that “health records of Singapore’s leadership could be used to cause instability within the country by casting doubts on the health status of our leaders”.
Ms Wong said that coercion and blackmail are some examples of how the data can possibly be used.
“Medical records could also be used to question if our leaders are fit to govern the country if they find something within the records. This is of course dependent on what information they managed to obtain,” she said.
On Friday, authorities announced that hackers broke into SingHealth's IT systems last month and stole data of 1.5 million patients, as well as records of the outpatient medication given to 160,000 patients – including Prime Minister Lee Hsien Loong and other ministers.
The data was stolen over a one-week period from June 27 to July 4. The Ministry of Communications and Information (MCI) said the Cyber Security Agency's (CSA) investigations have established that “the attack was deliberate, targeted and carefully planned” and was “not the work of casual hackers or criminal gangs”.
Health Minister Gan Kim Yong said there has so far been “no evidence” of misuse of the patients’ information but the authorities “will continue to monitor” if the data is exploited.
Chief executive of the CSA David Koh said that there is “no evidence” that PM Lee’s medication record “has been used for other purposes or if it has been put, for example, on sale for other purposes on the internet”.
“We are watching to see if anything appears on the Internet, both in the open, or on some of the less well-known websites… but considering the type of data that has been exfiltrated – only basic demographic data – it is from our professional experience (that it is) unlikely that these would appear because there is no strong commercial value to these types of data,” said Mr Koh.
Some experts TODAY spoke with, however, suggest that such data has increasingly become more valuable than financial data in recent years.
Mr Ali Fazeli, director of security consultancy and advisory at cyber-security firm Infinity Risk Control, said that medical data such as medicine records can be used by pharmaceutical companies.
“Companies can use it as a marketing material, to research and identify for example, what kind of illnesses and sickness is common in Singapore. If you’re a pharmaceutical company… you’ll know what to sell, and who to sell them to,” he said.
In last month’s attack, the records of the medicines given to 160,000 people were stolen. The Ministry of Health and MCI assured Singaporeans that the affected data had not been tampered with. "No other patient records, such as diagnosis, test results or doctors' notes, were breached," they added in the joint statement.
Had the hackers succeeded in getting deeper medical records, RSA chief cyber security advisor for Asia Pacific and Japan, Leonard Kleinman said: “On the Dark Web, such data can fetch a high price. Each entry can be sold for fifty to a hundred dollars higher than stolen credit card data.”
“Medical data contains a trove of information – from personally identifiable data to financial details – that can be used to create a highly sought-after composite of an individual,” he said.
Citing a 2017 cost of data breach study done by independent US research firm Ponemon Institute, Mr Kleinman said a lost or stolen healthcare record fetches US$408 (S$556).
He also noted that the fallout of such incidents might not happen immediately. “It could take months for the data to be first sold, then used. Given the nature of this attack, it is hard to say exactly what the end game is, especially when the attackers haven’t identified themselves.”
Mr Olli Jarva, managing consultant of software development firm Synopsys, concurred. He said that healthcare data is the “item that everybody is after”.
“The healthcare data breach outlines a new reality. Today, we are beginning to see a new and scary fact - healthcare data has grown its value such that hackers are now willing to go the extra mile to obtain it,” he said.
In 2015, for example, the US saw one of its largest health security breaches. About 79 million people’s personal information was compromised after the country’s largest insurance company, Anthem Inc, was hacked.
Cybersecurity experts like Mr Fazeli said that it was “highly probable” that the hacker attacked via a malicious email. “It is likely in these kinds of attacks, that the attackers would target a human – the weakest link. There is a high possibility that a malicious email was sent to somebody that perhaps had close enough access to the database.”
Mr Jarva noted that the overall trend in the healthcare industry is that there is a lack of resources and shortage of staff to deal with IT threats.
“When we move forward, with new ways of writing applications, especially in dealing with (large databases like) cloud systems, different skillsets are needed and what was relevant 10 years ago might not be relevant now. More needs to be done to train developers in understanding security applications,” he said.
WHAT NEXT?
The experts said that it is a lesson for both users and organisations to learn how to better build their databases and to not only focus on perimeter defences.
Mr Jarva said: “When we are designing and building the systems to be resilient for cyberattacks, we have to start building security from within, rather than only relying on perimeter defence. This means that before a single line of code is written, we have already started to map down potential security problems from the design standpoint.”
Such security breaches, though unfortunate, are not unexpected events, added the experts, saying that it takes a concerted effort by healthcare institutions, contractors, the Government and patients to ensure a secure system.
Mr Tan said: “People play a big part in our cyber defence. The fact that the hackers got in through a front end workstation means that users may not be adequately trained in cyber hygiene techniques. We would do well to invest more on cyber education and review our processes on how we use, store, and access data.”
Ms Wong added: “Internal education for employees on cybersecurity is one way to ensure everyone is vigilant. For instance, they should be educated on what the potential risks are when they start connecting their own personal mobile device to the company network or open emails from unfamiliar sources.”