Singapore’s Healthcare Cyber-Attack Exposes a Defenseless Industry

Singapore’s Healthcare Cyber-Attack Exposes a Defenseless Industry

The city-estate of Singapore has been hit by the major cyberattack ever registered on the country’. The hackers aimed to breach the security of Singapore’s largest health care institution, SingHealth, and were able to seize more than 1.5 million personal data along with the details of prescriptions for 160,000 others.

The attack was “well planned” and perpetrated by “extremely skilled and determined” criminals, as stated by the country’s Prime Minister Lee, and supported by “huge resources” behind them. “This was a deliberate, targeted, and well-planned cyberattack,” he added.

Cyber-criminals’ targeting the healthcare sector in particular, one that has been recently hit elsewhere in multiple times, opens a new front for hackers. Criminals have seen how personal data held by these enterprises, whether public of private, are less protected than those in the financial sector while the attractiveness of that info can be well sold or used against their owners.

In fact, in 2017, more than half of all cyber-attacks were aimed to this sector. It is a growing risk that we face everyday and public institutions have to make sure that they provide all resources needed to stop this different epidemic.

In all of this, we contact  Olli Jarva, Managing Consultant at Synopsys’ Software Integrity Group, to know more about this specific attack, why the cyber-criminals are targeting healthcare more often and how the industry is gearing up for the upcoming future.

Value of Healthcare and Medical Data now more valuable than credit card or financial information 

The healthcare data breach outlines a new reality. Today, we are beginning to see a new and scary fact – healthcare data has grown its value such that hackers are now willing to go the extra mile to obtain it. This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers. Are healthcare providers aware of the value of the data they are storing?

Time to build security into applications that store healthcare data

Today’s news pointed out that “Unusual activity was first detected on July 4, 2018, on one of the SingHealth’s IT databases”. When we are designing and building the systems to be resilient for cyber-attacks, we have to start building security from within, rather than only relying on perimeter defence. This means that before a single line of code is written, we have already started to map down our potential security problems from the design stand point. Application security problems can be divided to two parts, Flaws and Bugs. To catch most of these software security problems, we need to identify them early on so that they would not come back to haunt us later on. We have to stay vigilant when it comes to understanding how and what kind of data we are protecting, where it is located, and what kind of security controls we have in place to protect it. We need to “Shift-left” with our thinking when it comes to security and tackle those issues earlier on in our Software Development Lifecycle. If we leave these problems for later, the cost of fixing and reacting to breaches would be extremely costly and the effects may not devastating.

Complex Supply chains

Typically large computer systems are part of a bigger project developed and delivered by System Integrators (third parties), where the supply chains can get complicated. This compounds the challenge to manage security, as different parts of the system may have different third-party software components and inherent vulnerabilities, and often, may not be properly identified and patched early enough. This isn’t a challenge that is unique to healthcare, it is a challenge that every large organisation goes through. 

Challenges in Healthcare industry in overall 

When it comes to cyber security challenges in the healthcare industry, it is a different environment to defend and secure.

From a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:

  • Lack of security resources, financial resources, and expertise, to correct this weakness.
  • Dealing with an extremely heterogeneous environment. While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network.  These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software (such as those used to manage implantable pacemakers).
  • Systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs, but may not have uniform cyber security effectiveness. Electronic Health Records (EHRs) promise to help practitioners and patients by simplifying the sharing of information.

In this heterogeneous industry, where responsibilities fade between institutions, a centralized and well resourced database network is crucial to avoid new attacks. Although they will be coming, it is important that various layers of security is also added to the database and so attackers can find more barriers in their task. The more difficulties they find, they more likely they desist in their criminal intentions.