The SingHealth cyberattack and the implications for financial institutions
In July 2018, news emerged that between 27 June and 4 July, hackers had infiltrated the IT systems of Singapore Health Services (SingHealth), the largest healthcare group in Singapore. The hackers illegally accessed and copied the non-medical personal particulars of 1,495,367 patients to servers hosted overseas.
Approximately 159,000 of the affected group, including Prime Minister Lee Hsien Loong and several government ministers, also had information on their outpatient dispensed medicines taken. The data stolen included the names, national registration identity card numbers, addresses, birth dates and information on gender and race belonging to patients who had visited SingHealth’s facilities between 1 May 2015 and 4 July 2018.
Investigations by the Cyber Security Agency of Singapore and the Integrated Health Information System – the technology agency for the public healthcare sector – confirmed that this was a “deliberate, targeted and well-planned” cyberattack and not the work of casual hackers or criminal gangs. In August 2017, a computer in the Singapore General Hospital running an outdated version of Microsoft Outlook became infected with malware, giving hackers a foothold in the public healthcare group.
The minister in the Singapore Government in charge of cybersecurity convened a Committee of Inquiry (COI) chaired by a retired judge to establish the events and contributory factors leading to the cybersecurity attack and the incident response. The COI concluded on 5 October 2018.
In January, the COI released its public report and its five key findings:
1. The relevant staff did not have adequate levels of cybersecurity awareness, training and resources to appreciate the security implications of their findings and to respond effectively to the attack.
2. Certain staff holding key roles in IT security incident response and reporting failed to take appropriate, effective or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack.
3. There were a number of vulnerabilities, weaknesses and misconfigurations in the SingHealth network and system that contributed to the attacker’s success in obtaining and exfiltrating the data, many of which could have been remedied before the attack.
4. The attacker was a skilled and sophisticated actor bearing the characteristics of an ‘advanced persistent threat’ group.
5. While cyber defences will never be impregnable and it may be difficult to prevent an advanced persistent threat from breaching the perimeter of the network, the success of the attacker in obtaining and exfiltrating the data was not inevitable.
The COI report makes 16 recommendations, comprising seven priority recommendations:
1: “An enhanced security structure and readiness must be adopted.” This included the following observations: cybersecurity must be seen as a risk management issue and not just as a technical issue; security should not depend on just one line of defence; and gaps between policy and practice must be addressed.
2: “The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats.”
3: “Staff awareness on cybersecurity must be improved, to enhance capacity to prevent, detect and respond to security incidents.”
4: “Enhanced security checks must be performed.”
5: “Privileged administrator accounts must be subject to tighter control and greater monitoring.”
6: “Incident response processes must be improved for more effective response to cyberattacks.”
7: “Partnerships [are needed] between industry and government to achieve a higher level of collective security.”
Given that SingHealth is not a financial institution, what is the relevance of all this to financial institutions in Singapore and elsewhere? Well, as the Singapore Government has pointed out, the lack of awareness shown by SingHealth is also a common issue with many private sector organisations: “The IT systems they run are growing too complex to manage well… The lessons here… are valuable for other organisations faced with such advanced persistent threats on a daily basis.”
These include “shockingly poor password hygiene and poor system maintenance”. In July 2018, the Monetary Authority of Singapore (MAS) directed all “financial institutions” in Singapore to tighten their customer verification processes and to conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers, including transaction and inquiry functions.
Financial institutions were ordered to “take immediate steps to mitigate any risks that might arise from the misuse of the compromised information”, while the MAS stated it would “engage financial institutions on their risk assessments and mitigation steps”.
On 6 September, the MAS issued for public consultation its proposed requirements for financial institutions in Singapore to implement essential cybersecurity measures to protect their IT systems. The six measures are as follows:
• Address system security flaws in a timely manner
• Establish and implement robust security for systems
• Deploy security devices to secure system connections
• Install anti-virus software to mitigate the risk of malware infection
• Restrict the use of system administrator accounts that can modify system configurations
• Strengthen user authentication for system administrator accounts on critical systems.
Notwithstanding that the impetus for these measures was a cyberattack on a non-financial institution, one that resulted at least in part from “shockingly poor password hygiene and poor system maintenance” and was not the work of casual hackers or criminal gangs, the Singapore Government has taken a firm stance: “The recent Singhealth data hack is a sobering reminder to us all that the conveniences offered by digital technologies have also exposed us to various vulnerabilities… It is especially crucial that we as a nation strengthen our cyber resilience in mission-critical industries like the financial sector.”
It is now incumbent on all financial institutions in Singapore to “conduct a risk assessment of the impact of the SingHealth incident on their existing control measures for financial services offered to customers”. The MAS has signalled that financial institutions will be audited on the steps they have taken.
According to Max Fulton from the newly established Risk and Compliance Services Asia, it needs to be understood that cyberattacks are more than just a technology issue. “Cybersecurity must also be seen as a risk management issue. Such attacks have adverse financial repercussions, with a potential loss to companies of customers and causing reputational damage in their market.”
The Verizon 2012 Data Breach Investigations Report highlighted that overall target selection is based more on opportunity than on choice, and that most victims fall prey because they are found to possess an often easily exploitable weakness rather than because they were pre-identified for attack. The report also found that, whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as “highly difficult”.
One lesson that all financial institutions can take from the SingHealth incident is that information security is crucial, but that does not mean that it has to be expensive or complicated. International standard ISO 27001 sets out exactly what companies need to do. The ISO 27001 framework helps prevent data breaches and explains how to create an information security management system that companies can use to manage their information security responsibilities in one place and with relatively little complication.
While financial institutions can mitigate their losses with cybersecurity insurance, the insurance industry’s response and coverage are complicated and inconsistent as insurers try to come to terms with the exposures and the potentially massive sums that can be claimed on a cybersecurity loss.
Furthermore, the reputational damage and regulatory impact to a financial institution can be much more devastating and long-term than more standard insurable losses, which reinforces the critical importance of risk assessment, robust defence and human resource management. For a business to determine what kind of insurance it may need, it will probably be necessary to perform a cybersecurity risk assessment and impact analysis, which brings us back to the MAS requirement to perform a risk assessment – the two can be done in tandem.