
Singaporeans' stolen SingHealth data exposed to identity and tax fraud

The SingHealth cyberattack affected over 1.5 million Singaporeans, including 160,000 patients whose dispensed-medicine information was also taken.

About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. Information on the outpatient dispensed medicines of about 160,000 of these patients was also taken.

In what is considered Singapore’s largest cyberattack, the attackers also stole the information of Prime Minister Lee Hsien Loong as well as other government ministers.

Sid Deshpande, research director at Gartner, explained how the initial statements indicate that a front-end workstation was compromised, followed by privileged access credentials being used to access a database. “Attackers are usually after administrator credentials because these often enable direct access to sensitive data,” he said.

Olli Jarva, managing consultant of software integrity group Synopsys, added that healthcare data has grown in value to the point that hackers are now willing to go the extra mile to obtain it. “This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers,” he said.

Deshpande warned that the most immediate threats people will face are identity fraud, financial fraud, and tax fraud. "Data contained in healthcare records is more permanent than credit card information, for example, so citizens need to be alert to scams resulting from social engineering efforts," he added.

"Generally, information contained in medical records is more ‘permanent’ than financial information like credit card numbers – so this type of information likely fetches higher payouts on the dark web. It could also be sponsored by nation states that have interests inimical to Singapore’s," he said.

However, Deshpande noted that the defence against the cyberattack demonstrated good detection and response capabilities. “Attackers usually intend to stay dormant in systems to avoid detection and cause further damage, so the fact that the breach was detected this early actually shows that the security teams, in this case, were actively monitoring systems to detect incidents,” he added.

Still, Jarva noted that from a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles. Aside from the lack of resources, the industry also has to deal with an “extremely heterogeneous environment.”

“Whilst healthcare organizations may standardize on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software (such as those used to manage implantable pacemakers),” Jarva said.

Typically, large computer systems are part of a bigger project developed and delivered by System Integrators (third parties), where the supply chains can get complicated.

“This compounds the challenge to manage security, as different parts of the system may have different third-party software components and inherent vulnerabilities, and often, may not be properly identified and patched early enough. This isn’t a challenge that is unique to healthcare, it is a challenge that every large organization goes through,” Jarva added.

PwC Singapore digital trust leader Tan Shong Ye noted how an organisation’s future investments can focus on strategy, process, technology, people, and culture. “With the increase in emphasis on digital and information comes the need for cyber risk assessments to keep personal data, client data and intellectual property safe,” he said.

As a final measure, Tan noted that cybersecurity hygiene should be a personal responsibility and a skill that everyone should pick up. “This includes installing anti-virus/malware software, ensuring that passwords are secure, checking that strong 2-factor authentication is required for sensitive on-line transactions, and to be careful of phishing emails that could cause malware to be installed on your computer without your knowledge, increasing the risk of data to be stolen,” he concluded.
