Story image

SingHealth breach hits 1.5 million patients after 'deliberate, well-planned attack'

23 Jul 18

Singapore healthcare provider SingHealth was of a major cyber attack that occurred between June 27 and July 4 this year.

SingHealth says at least 1.5 million patients who visited any SingHealth outpatient clinic or polyclinic between 1 May 2015 and 4 July 2018 may be affected by the breach.

The attackers accessed and copied non-medical personal information, including names, NRIC numbers, addresses, genders, races, and dates of birth. In addition, the attackers also stole information about outpatient dispensed medicines belonging to 160,000 patients.

SingHealth is contacting all patients who visited clinics within the 1 May 2015 – 4 July 2018 timeframe to inform them if their data has been affected.

 “The records were not tampered with, i.e. no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. We have not found evidence of a similar breach in the other public healthcare IT systems,” a statement says.

The breach was discovered by Integrated Health Information System (IHiS) database administrators on July 4 and immediately worked to stop the breach and put extra security in place.

Further information from the Cyber Security Agency of Singapore (CSA) shows that the attackers accessed the SingHealth IT system through a breach in a front-end workstation.

“They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration.”

On July 10, The Ministry of Health, SingHealth, and CSA were informed after investigations confirmed the attack.

On July 12, SingHealth lodged a police report, and police investigations are ongoing.

“With heightened monitoring, further malicious activities were observed. However, no further illegal exfiltration has been detected since 4 July 2018. All patient records in SingHealth’s IT system remain intact. There has been no disruption of healthcare services during the period of the cyber attack, and patient care has not been compromised.”

IHiS and CSA have also included further security measures including internet user and systems account resets, additional workstation and server controls, system monitoring controls, and internet surfing separation.

“Similar measures are being put in place for IT systems across the public healthcare sector against this threat.”

The CSA and IHiS are investigating the incident and say the attack was not the work of casual hackers or criminal gangs, but it was deliberate, targeted, and well-planned.

They further say that the attacker repeatedly targeted Prime Minister Lee Hsien Loong’s personal information and information about his outpatient dispensed medicines.

According to cybersecurity experts from Sophos and Bromium, the breach is 'very serious'.

“The data stolen in this breach is an identity thief's goldmine," comments Sophos senior technologist Paul Ducklin.

"It's a startling reminder to all Singaporeans that there is no such thing as 'cyber attackers would never care about little old me' – once your data is scooped up in a cybersecurity blunder of this sort, you simply can't control where it will go next. Anyone affected in this breach has no choice but to assume that their personal information will end up for sale in the cyber underground, ready for active abuse by cybercrooks.”

Bromium EMEA chief technology officer Fraser Kyne adds,  “This is a very serious breach given the sensitivity of the data accessed, and the sheer volume of records. It appears the initial infection came through a single user endpoint being infected with malware, which then worked its way through the network. This once again highlights how today’s cybersecurity is a house of cards – it just takes one person to click on the wrong thing for the whole thing to come crashing down. Only when we admit that we cannot detect and stop threats, and instead start focusing on minimising harm, can we ever hope to disrupt hackers. The simple fact is that if the endpoint was isolated, then the hacker would have had nowhere to go and nothing to steal."

“Yet it also highlights the fact that we can no longer trust our networks or most of our endpoints. Hackers will inevitably find a way in. Air-gapping can be an effective solution, but it is impractical when you have multiple employees trying to access a business critical application. Instead, we need to shrink protection to application level. By protecting applications that store our most sensitive and critical data, even if the device or network is compromised, that application cannot be touched as it will be invisible to the device and network.”

The Ministry of Health is now instructing IHiS to review the public healthcare system and its security, with input from third party experts.

They will be focusing on cyber threat prevention, detection, and response across cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities. 

 “All patients, whether or not their data were compromised, will receive an SMS notification over the next five days. Patients can also access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.”

Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken.