Singapore just experienced the biggest medical data breach in history!
On June 27th, SingHealth, Singapore’s biggest network of healthcare was caught under a magnus data breach. The breach compromised the data of about 1.5 million patients, including the Prime Minister Lee Hsien Loong, for almost a week.
In the investigation, the Singapore government found out that hackers didn’t tamper with the records, rather they tried to extract their medical database. The data obtained in the breach included names, addresses, gender, race, date of birth and patients’ national identification numbers. An official report claims that the hackers also targeted outpatient medication data. The patients who had visited the clinic from May 1, 2015 and July 4, 2018 were mainly affected.
The hackers tried to access the patients’ data by compromising a single SingHealth workstation with malware. After which they were then able to obtain privileged account credentials with which they accessed the patient database. Post the breach, the hospital staff was banned from assessing the internet on all 28,000 of its work computers.
What immediate precautions were taken?
SingHealth immediately started to progressively contact all the patients who had visited its specialist outpatient clinics in the order to notify them if their data has been extracted. The patients were informed that they will be receiving an SMS alert regarding the breach. Also, the patients were able to visit the official website in order to check if they were affected.
How healthcare organizations can become pro-active towards such incidents?
Organizations need to thoroughly conduct a review of their public healthcare system. This can be achieved with support from third-party experts, to effectively improve the prevention, detection and response mechanism. They need to adapt a holistic approach towards end to end cyber security services. Along with it they need to focus on three most important pillars of cyber security, i.e. People, Process, and Technology.
Organizations has specific information security compliance duties that cannot be neglected. Compliances like HIPAA and ISO 27001 are considered important to comply. Failure to adhere to information security standards can result in a range of costly penalties from civil fines to prosecution in criminal court.
Organizations should also create robust cyber security policies, IT system controls and organizational and staff capabilities. Advisories can be sent to all the public and private healthcare institutions, on the latest cybersecurity precautions and measures to be taken.
Security attack simulation and awareness tool like ThreatCop, are capable of reducing the overall risk posture of an organization from the people point of view. This tool effectively helps companies to strengthen their weakest link, the people, to increase the cyber resilience with measurable results.
Healthcare records are often been targeted because of the valuable patient data they possess. Many businesses and governments in South East Asia face cyber threats, few are able to recognize the scale of the risks they pose. The Singapore attack serves as a bell ringer that countries and government health services are still being targeted by hackers around the world.
