Lessons you can take from the SingHealth data breach

Last week, the CSA (Cybersecurity Agency of Singapore) presented its findings regarding July’s SingHealth data breach. The incident affected 1.5 million people – just under a third of the country’s population – with criminal hackers accessing patients’ names, dates of birth, NRIC (National Registration Identity Card) numbers, gender and race.

About 160,000 patients, including Singapore’s prime minister Lee Hsien Loong, also had information related to their outpatient prescriptions stolen.

The breach was initially described by the Ministry of Communications and Information and the Ministry of Health as a “deliberate, targeted and well-planned cyberattack”. However, neither the CSA nor Solicitor-General Kwek Mean Luck is letting SingHealth off the hook, with the organisation facing heavy criticism for its poor cyber security practices and response to the breach.

Here is a list of mistakes that the CSA found during its investigation.

  1. SingHealth used unpatched software

The attackers used a publicly available hacking tool to access a SingHealth employee’s computer. They were able to do this because the computer was running an unpatched version of Microsoft Outlook.

Microsoft is very efficient when it comes to patching – so efficient, in fact, that industry insiders often refer to its regular updates as ‘Patch Tuesday’. The organisation’s attentiveness shouldn’t be a surprise, given that its products are used by more than a billion people worldwide. Should a criminal hacker find an exploit, pretty much every computer-using organisation in the world would be at risk.

But patches only work if the organisation applies the update. In this case, HealthSing didn’t, and they only have themselves to blame. It’s even more frustrating when you consider how simple it is to implement a patch management system.

  1. It took a year to identify the breach

The attackers accessed SingHealth’s network as early as August 2017, but the breach wasn’t identified for almost a year. During that time, the crooks distributed malware and infected other computers.

Nobody is expecting organisations to spot breaches immediately, but the sooner a problem is identified, the quicker you can respond and the less damage you’ll suffer. According to the 2018 Ponemon Cost of Data Breach Study, the average cost of identifying a breach within 100 days was US$5.99 million (SG$8.3 million), but for breaches that took longer to identify, the average cost rose to US$8.7 million (SG$12 million).

The best way to detect breaches quickly is to monitor your organisation and the threat landscape. Breach detection tools can be used for automated checks, but you should also consider employing security analysts to manually review network-level telemetry, logs and events from underlying infrastructure, applications and security systems. Analysts can also use threat-sharing intelligence to look at current threat trends and prepare accordingly.

  1. Employees used weak passwords

One of SingHealth’s local administrators used the password ‘P@ssw0rd’. Criminals are well aware that people use simple substitutions (such as the numeral ‘0’ for ‘o’) and, therefore, the apparently ciphered ‘P@ssw0rd’ isn’t much harder to crack than simply using ‘password’ – the world’s second most common password.

The key to good password practices is finding the right balance between security and memorability. It’s no good creating a near-unbreakable password if you need to write it down to remember it. That will make it painstakingly complicated for you to log in every time you use the account, and it will leave you vulnerable to someone seeing it.

The simplest solution is to create a mnemonic, such as taking the first character and punctuation mark from each word of a sentence. So, for example, ‘The 50-year-old man caught the 15:50 train’ becomes ‘T50-y-omct15:50t’, which How Secure Is My Password says would take 45 trillion years to crack.

Alternatively, you might find that length alone is an effective method for security. Each character you add to a password creates one more element that a criminal hacker needs to correctly guess. A password such as ‘PurpleMonkeyDishwasher’ avoids predictable patterns by using a series of unrelated words and would take 45 quintillion years to guess. Throw in a numeral at the end (you know, just to be safe), and it’ll take 133 sextillion years to crack.

But why stop there? Make it ten numerals and you’re looking at a password that’ll take 2 duodecillion years to crack. What’s good about this ploy is that it can turn terrible (but memorable) passwords into surprisingly effective ones. You could do worse than ‘Password0000000000’. But we’d still suggest that you avoid using ‘password’ in your password.

Effective information security with ISO 27001

As we’ve shown here, information security doesn’t have to be complicated. The international standard ISO 27001 shows you exactly what you need to do. Its framework helps you prevent data breaches and create an ISMS (information security management system), which you can use to manage your information security responsibilities in one place and with as little hassle as possible.

You can learn more about ISO 27001 by reading our free green paper: Implementing an ISMS – The nine-step approach.

This guide explains how an ISMS can help your organisation and gives you an overview of nine things you need to do to successfully implement, maintain and certify to ISO 27001. It covers:

  • Important considerations for every step of the ISMS process;
  • The challenges you’ll face when creating your ISMS; and
  • A tried-and-tested implementation approach that will save you time and money.

The steps outlined in this green paper cover the full extent of the project, from initial discussions with managers through to testing the completed project and pursuing accredited certification.

Download your free copy >>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.