SINGAPORE: Last Friday (Jul 20), the public learnt about SingHealth’s cyber breach that affected 1.5 million patients. The alleged intention of the breach was to get the Prime Minister’s medication information.
According to Cyber Security Agency of Singapore chief executive David Koh, this was a “deliberate, targeted, and well-planned” attack, suggesting that Singapore’s infrastructure was being targeted by malevolent actors.
Prime Minister Lee Hsien Loong has shown astute leadership, urging the country to press on with its plans of going digital, to build a secure and smart nation.
The challenge, however, is that personally identifiable information does not change over time; once compromised, it cannot be reclaimed from bad actors.
Hacks on the US government today, for example, can be traced back to information lost during the massive hacks on the Office of Personnel Management discovered in 2015.
This cyberattack, and others that may follow, might make citizens more vulnerable. If the instances of data loss increase and adverse impact on citizens rises significantly, Singaporeans would need much more than a statement of assurance to continue believing in Singapore’s Smart Nation plans.
Health Minister Gan Kim Yong has announced, for now, that the solution to making the hospital more secure is through implementing Internet separation.
As a tool to limit the inflow and outflow of data, Internet separation will certainly reduce the number of potential entry points into a system, giving information assets slightly better protection than before.
It may help to improve data security within the hospital, as Deputy Prime Minister Teo Chee Hean has pointed out.
INTERNET SEPARATION IS NOT A CURE-ALL
However, Internet separation is not a “one size fits all” solution for all Internet breaches.
Firstly, Internet separation creates usability challenges that may be sub-optimal. Asking a doctor to toggle between computers or systems would hinder the doctor’s ability to process consultations faster and potentially hurt doctor-patient interactions.
Furthermore, Internet separation may not be applicable to many situations. Just consider the cyberattacks on four local universities uncovered earlier this year where unsuspecting users directed to a phishing website were found to be the cause.
It would be untenable and unproductive to get students to use separate devices for school work.
Similarly, in our desire to implement driverless cars, it would be prohibitively expensive to institute a separate network for them and still expect them to function effectively.
LOOK TO INDUSTRY STANDARD PROTECTION MEASURES
Perhaps we should consider other industry standard techniques already in the market that can improve security without compromising usability.
Most advanced digitalised companies, for example, employ secure IT architecture design in their systems.
A secure IT architecture system defines a rigorous set of protocols, process and technical controls that define how information flows across systems within a company.
For example, the architecture would specify encryption standards and firewalls that guard against unauthorised access to private networks connected to the Internet. This allows frontline users to still use the Internet, without being afraid that their actions online might compromise the entire company.
Furthermore, secure IT architecture systems adhere to a list of guiding security principles that have been endorsed by leading industry players.
These principles include using secure default passwords, securing the weakest link, and avoiding “security by obscurity” — the process of trying to be secure by unplugging one’s systems from the Internet.
LOOK TO INDUSTRY STANDARDS
There are internationally recognised standards that companies can adhere to in order to build a robust system — ISO 27001, for example, helps companies identify, analyse and address its information risks.
IEC 27033 gives companies a manual to create a secure network architecture in day-to-day business dealings, such as securing communications between networks through gateways and firewalls.
Finally, the US National Institute of Standards and Technology cloud computing security standards help companies design a secure reference architecture even if their operations requires processing information in the open cloud.
These standards try to assist companies to build secure systems without necessarily clamping down on Internet access or compromising the usability of the systems.
Going forward, we might consider encouraging companies to adhere to such standards in order to promote an open digital space that is built on secure foundations.
Nevertheless, even though an IT security architecture can create security without significantly sacrificing usability, defining the network dependencies and vulnerabilities takes time, making it a great “peacetime” solution before a hack happens.
Internet separation, on the other hand, potentially presents a rapid fix post-hack that can quickly stop the bleeding and get business back to normal as soon as possible.
LOOK AT THE ECOSYSTEM, NOT JUST THE CYBERATTACKS
Perhaps the issue here is that cyber incidents are all too often seen as a problem of dealing with cyberattacks. If we similarly framed health issues as viral infections, we could miss out more fundamental solutions which address the root cause, such as boosting patients’ immune systems or adjustments to their lifestyles.
But if we reframe the issue of cyberattacks by looking at our current security and protection systems, we can have targeted initiatives to improve cybersecurity “lifestyles” rather than be fixated with specific viral events.
Such measures might require deeper and heavier fundamental investments, but let us not be penny-wise and ultimately pound foolish.
Benjamin Goh is a passionate technologist and co-author of IEEE's paper A Principles-Based Approach to Govern the Internet of Things (IOT) Ecosystem.