Commentary: SingHealth data breach should give us pause to think what else might be vulnerable

Commentary: SingHealth data breach should give us pause to think what else might be vulnerable

As databases become more valuable, they will naturally attract the attention of hackers who wish to exploit them for commercial gain or other reasons, says one cybersecurity expert.

Deliveroo Foodpanda collage
Food delivery companies foodpanda (left) and Deliveroo. (Photos: foodpanda, Tang See Kit)

SINGAPORE: The SingHealth cybersecurity breach that affected 1.5 million patients last week was allegedly carried out by attackers scheming to get the Prime Minister’s health information.

The breach stirred up a discussion on social media, where netizens expressed frustration and lamented that this attack should cause Singapore to rethink its Smart Nation plans.

But as the old adage in cyberspace goes:

It is not if, but when, a system gets attacked.

In our push to become a digitised and Smart Nation, cyberrisks are an inevitable hazard we must manage. As systems become more connected, they create a greater surface area— some might even say “a tempting target” — for belligerent actors to attack us.

It has thus been encouraging that Prime Minister Lee Hsien Loong and Emeritus Senior Minister Goh Chok Tong have been steadfast and reassuring in their response, telling us that despite this setback, we must be bold and continue making strides in digitisation.

This incident is of course not isolated. As databases become more valuable, they will naturally attract the attention of hackers who wish to exploit them for commercial or political reasons.

However, hackers are also looking for the path of least resistance to achieve their objectives. To prepare ourselves, we should look at not just patching the systems at SingHealth but also identifying the sources of weakest vulnerability across the entire nation.

READ: Implement Internet separation? Let’s learn from industry best practices, a commentary

HOSPITALS EASY TO CRACK?

This breach involved data systems within a hospital. Although the details retrieved are worrying because they were personal details and information, it is hardly surprising.

patients
People waiting for their prescriptions. (File photo: TODAY)

As independent health care security researchers Scott Erven and Shawn Merdinger has shown, this is a global problem as hospitals around the world systematically leak information due to lacklustre patching and insecure device configuration. 

There is no malice in doing so, only that medical devices deployed are often optimised for usability (rightfully so), with security often as an after-thought

The most famous example of this is the pacemaker, which mimics the functions of a heart to allow an individual to survive without it. Although a significant medical breakthrough, news reports have highlighted that security was not built into the system, revealing vulnerabilities that could allow hackers to remotely alter information which could kill an individual.

Similarly, because medical professionals need to perform life-saving work that is time-sensitive, dealing with the complexities of using tech and IT may naturally be de-prioritised. In the UK, cyberattacks have halted operations of at least 16 hospitals last year, causing many industry watchers to call hospitals an “easy target”.

Even though SingHealth, and many other hospitals and healthcare providers in Singapore’s regional healthcare system, have made efforts to invest in cybersecurity measures, they are dealing with complex systems that need a lot of time to patch, and integrate into a workflow that might be at odds with how doctors work in order to optimise care for patients.

And with the National Electronic Health Records progressively rolled out since 2011, these healthcare systems involve not just doctors but nurses, pharmacists, and other healthcare staff including General Practitioners, polyclinic staff, therapists and technicians, just to name a few.

According to the Ministry of Health, healthcare professionals from over 1,200 healthcare providers have access to patient records under this system as of December 2017, which is a significant attack surface if appropriate access controls are not put in place.

A doctor inspects an x-ray machine at a hospital in Kiev
A doctor inspects an x-ray machine at a hospital. (Photo REUTERS/Valentyn Ogirenko)

READ: Worried your money in the bank will get stolen by hackers? Don't be, NTU prof says

EDUCATIONAL INSTITUTIONS AT RISK

Besides hospitals, one of the most vulnerable targets is educational institutions. Due to the large amount of research and information exchange carried out at these educational institutions, they are susceptible to attacks when students and staff visit non-secure sites or click on non-secure links to retrieve information (in downloading a journal paper from a free site instead of using a subscription for instance).

In cases where professors are performing groundbreaking or politically-sensitive research, professors and students can be targeted in cases of industrial or political espionage. Harvard, for example, has been hacked multiple times due to the value of its precious research data.

Just earlier this year, four local universities reported that their systems have been compromised. Even though no concrete details were released about the hack due to operational security reasons, experts interviewed suggested that the valuable research in these universities may have great commercial value.

Given the pioneering biomedical and defence research performed in labs around Singapore, we can reasonably expect more hackers trying to probe these systems.

FILE PHOTO: A researcher plants a semiconductor on an interface board which is placed under a micro
A researcher plants a semiconductor on an interface board placed under a microscope. (File photo: REUTERS/Kim Kyung-Hoon)

NATIONAL DATABASES NEED SECURING

Other than educational institutions, one should also worry about national databases held by the Government. The Government has done a fantastic job to provide reliable databases in order to deliver better services — our e-filing tax system under IRAS, for example, is much more accurate and updated than most governments.

In the last few years, in order to push out more citizen-centric services, government agencies such as HDB and the Silver Generation Office have also worked closely with each other to share information in order to provide public services more efficiently.

While the Government probably has a rigorous process to share, use, and destroy information, every instance of information-sharing creates a potential vulnerability.

Hypothetically, for example, in the Medishield Life scheme, if CPF has to match information about our insurance policies with private sector insurers, data has to be duplicated to facilitate better working and testing, which creates an added opportunity for precious information to be stolen.

MIND YOUR LIFESTYLE APP

Finally, one of the spaces to watch is also that of lifestyle apps. Singaporeans are increasingly reliant on applications like Grab and FoodPanda in daily living.

Knowing one’s commute or eating patterns can be of immense value to a hacker — the hacker can use one’s travel history to predict what time one will be at home, or answer security questions from the bank about the dates of your last travel.

Uber app
File photo of a person using the Grab app. (Photo: AFP/Mohd Fyrol)

Just last year, Uber announced that there was a massive data breach of 370,000 users in Singapore, which suggests that at least these many people in Singapore might now be susceptible to financial or commercial ransom.

As we move towards driverless cars, the situation could get more severe. As white-hat hackers Charlie Miller and Chris Valasek famously showed us, a driverless Jeep Cheroke can be hacked remotely through its internet connection, putting the driver potentially in danger on the highway. 

The growing number of hobbyists of drones could see their worst nightmare come true as their pride and joy are instead hijacked to become potential weapons or at very least instruments of mischief.

DON’T RETREAT

Risks are to be accepted and mitigated, but not be feared. Prime Minister Lee has shown astute leadership on this front, urging the country to press on with its digitisation plans.

In a digitised country like Singapore, unplugging ourselves is not the option — in cybersecurity terms, “security through obscurity” is a fool’s errand.

Instead, we should more aggressively push for companies and governments to adopt secure architecture practices, comply with international standards for data security, and enforce stringent data management standards.

As then FBI Director Robert Mueller said in 2012

There are only two types of companies: those that have been hacked, and those that will be.

The fact that we are targeted shouldn’t be cause for alarm; that it encourages us to retreat away from a digitised world, should.

Benjamin Goh is a passionate technologist and former Research Assistant to Harvard CTO James Waldo. 

Source: CNA/sl

Bookmark