In a joint release on 20 Jul, the Ministry of Health (MOH) and Ministry of Communications and Information (MCI) said that 1.5 million SingHealth patients’ records were illegally accessed and copied by hackers, including the records of Prime Minister Lee Hsien Loong, whose records were said to have been “specifically and repeatedly” aimed at.
The announcement revealed that unusual activity was detected on one of SingHealth’s IT databases on 4 July and the activity was ceased immediately. On 10 July 2018, investigations confirmed that it was a cyberattack and MOH, SingHealth and Cyber-Security Agency were informed. It was established that data was exfiltrated from 27 June 2018 to 4 July 2018.
To try and understand more about the cyber-attack on SingHealth and how it might be possible to address the threats, TOC sought the opinion of Ralph Echemendia, a world-renowned Estonian cyber security expert, regarding the recent cybersecurity breach.
Echemendia, who is globally known by his alter ego “The Ethical Hacker”, is a computer hacking consultant and has taught major corporations and federal governments on how to better protect themselves from digital threats and security breaches.
He also assists some of the biggest names in Hollywood. His current mission is to help provide the world with a more secure digital experience through a safe-ware app under his development called Seguru.
Question: How concerned should those who had their particulars stolen be? Is there any possibility of fraud being committed with the details? According to government’s announcement, some of the details that were retrieved include name, number of identification, gender, residential address, and birth date.
Ralph Echemendia (RE): Of course they should be concerned. These data points are almost everything needed to commit fraud in a number of ways. We always tend to think that impact can only come from financial fraud, but imagine if you would if someone used this data to target individuals purely for the purpose of making their lives difficult. We must be aware that data can be used in ways we have yet seen the effects of in our daily lives.
The government revealed that the suspicious activities persisted a few days before it was discovered, and that the connection was terminated. But how much time really do cyber-criminals need to retrieve the info that they need?
RE: 24 hours is more than enough to exfiltrate that data.
It seems that the government had used a centralised server to store its database. Is there any security drawbacks in doing so and is there any better alternatives?
RE: This is the norm for most organisations. Whilst technology such as (de-centralised) blockchain exists, most [governments] have yet to implement such a model.
We understand from the current hospital staff that the IT system allows multiple logins at the same time, and also does not log users out in the event of prolonged inactivity*. What security risk(s) does it pose?
RE: Many security risks come from such policies. User logins can be hacked into and abused by allowing multiple logins. In addition, without proper logging and monitoring, such breaches can go undiscovered for days if not months.
What kind of security system can ensure the safety of sensitive data such as medical records, with only authorised personnel being allowed access but at the same time, still maintain connectivity to the Internet and not just the Intranet?
RE: Blockchain technologies can provide such functionality. Healthcare should be the first (outside of financial) to take advantage of said technologies.
Implementing blockchain technology into a medical record would provide several “features” that strengthen security and patient safety. For one, it could provide an audit trail. A log of its use and its location (computer and physical).
Secondly, it could provide the details on who has accessed the record from where and why. If records were stolen, their use would further implicate the thieves; rendering their use outside of legitimate sources worthless.
A medical record is probably one of the most justifiable places to use this technology outside of finance where a ledger of data use is truly valuable to security.
Countries adopting blockchain technology to safeguard information
Estonia, for example, is coming out with a technology called Keyless Signature Infrastructure (KSI) for the purpose of protecting all public-sector data, according to McKinsey & Company.
KSI creates hash values, which uniquely display large amounts of data as smaller numeric values. The hash values can be used to identify records, but not rewrite the information available in the records. The hash values are then stored in a blockchain, and later disseminated across a private and discreet network of state computers. A new hash value is affixed to the chain whenever changes are made to an underlying file, which renders the information unalterable later on.
It is said that transparency of the records is almost completely guaranteed. Any external or internal tampering can be detected and even avoided as the KSI will facilitate government officials’ surveillance of any changes made within multiple databases.
Currently, the electronic health records of all citizens of Estonia are governed using the KSI technology. Estonia has expressed its aims to extend KSI to all government agencies, as well as private-sector companies in the country.
*TOC has written to Ministry of Health for their comments on the IT system but has yet to receive a reply from the ministry