Singapore's Health Institutions Hit By Unprecedented Data Breach

According to Singapore’s local media, the country has just suffered the largest cyber attack in its history. The health data of 1.5 million patients (out of a total population of about 5.6 million) was stolen by what are believed to be state-sponsored attackers who were targeting Prime Minister Lee Hsien Loong.

Singapore SingHealth Hack

The attackers infiltrated SingHealth, Singapore’s largest group of healthcare institutions, which runs four hospitals, five national specialty centers and eight polyclinics. They also targeted two other polyclinics that used to belong to SingHealth. At a press conference today, the authorities said that the PM’s health data was "specifically and repeatedly targeted."

The malicious actors stole the data of 1.5 million patients who visited the above institutions in the past three years. The stolen data included names, identification numbers, addresses, gender, race and dates of birth. Over 160,000 of those patients also had their prescription records stolen.

According to the authorities, the attackers didn’t tamper with the data, and they were not able to steal diagnoses, test results or doctors' notes.

How The Attack Happened

The attackers first infected a front-end workstation with malware and then used that foothold to gain access to the database. SingHealth has reacted by temporarily cutting off internet browsing on its 28,000 work computers.

SingHealth’s IT team first noticed unusual activity on July 4 and then took steps to block the attackers’ connections and change passwords. By then, however, it was already too late: the attackers had stolen the data of the 1.5 million patients.

An Unprecedented Data Breach

The health minister Gan Kim Yong and the minister for communications and information S. Iswaran described the data breach as the most serious and unprecedented breach in Singapore’s history. The chief executive of the Cyber Security Agency of Singapore, David Koh, added that “this was a deliberate, targeted and well-planned cyber attack.”

Iswaran, who is also in charge of the country’s cyber security, will convene a Committee of Inquiry (COI), chaired by a retired judge, to conduct an independent review of the breach.

What SingHealth Could Have Done Better

We don’t know all the details of SingHealth’s infrastructure, but it sounds like it was still relying primarily on perimeter defenses rather than strong endpoint security to protect its data.

An organization that relies on perimeter defenses alone is only attempting to stop attackers from getting onto the network. Once the attackers bypass those defenses, everything inside is trusted by default and it’s effectively game over.

This is why Google (with its BeyondCorp model) and other companies have moved towards an endpoint-centric security model, where each device in the network implements a strong multi-layered security architecture, access decisions are made per user and per device rather than per network location, and users are given only the privileges they need for their jobs. In that scenario, infecting one random machine no longer lets an attacker take over the whole network or pull the entire database through it.
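To make the difference concrete, here is an added example (not SingHealth’s code, and not describing its actual systems) that replays a constructed database access log through two policies. The first trusts any host that is already inside the network, which is what a perimeter-only design amounts to. The second enforces least privilege: each role may touch only certain tables and only a capped number of rows per hour, so a compromised front-end account cannot drain the patient table. The same log is then run through a simple bulk-read detector of the kind that would have surfaced the "unusual activity" much earlier than an operator noticing it. The roles, limits, account names, hostnames and log lines are all assumptions made up for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample log. Fields: hour bucket, account, role, host, table, rows.
# One clinician doing ordinary per-patient lookups, then a front-end service
# account on a single workstation suddenly pulling six-figure row counts.
SAMPLE_LOG = [
    ("2018-06-26T09", "dr_tan", "clinician", "ws-0117", "demographics", 18),
    ("2018-06-26T10", "dr_tan", "clinician", "ws-0117", "prescriptions", 22),
    ("2018-06-26T11", "dr_tan", "clinician", "ws-0117", "diagnoses", 15),
    ("2018-06-27T09", "dr_tan", "clinician", "ws-0117", "demographics", 25),
    ("2018-06-27T10", "dr_tan", "clinician", "ws-0117", "demographics", 30),
    ("2018-06-27T14", "svc_frontend", "frontend", "ws-0412", "demographics", 240000),
    ("2018-06-27T15", "svc_frontend", "frontend", "ws-0412", "prescriptions", 160000),
    ("2018-06-27T16", "svc_frontend", "frontend", "ws-0412", "diagnoses", 50),
]

# Hypothetical least-privilege policy: which tables a role may read and how
# many rows an account in that role may pull per hour. A front-end
# registration workstation needs demographics lookups, never bulk reads.
ROLE_POLICY = {
    "clinician":  {"tables": {"demographics", "prescriptions", "diagnoses"}, "rows_per_hour": 300},
    "pharmacist": {"tables": {"demographics", "prescriptions"}, "rows_per_hour": 300},
    "frontend":   {"tables": {"demographics"}, "rows_per_hour": 100},
}

INTERNAL_HOST_PREFIX = "ws-"  # assumed naming convention for staff workstations


@dataclass
class AccessEvent:
    hour: str
    account: str
    role: str
    host: str
    table: str
    rows: int


def perimeter_only(event):
    """Perimeter model: anything already inside the network is trusted."""
    return event.host.startswith(INTERNAL_HOST_PREFIX)


def least_privilege(event, usage):
    """Least-privilege model: check role, table and the per-hour row cap.

    `usage` accumulates rows already granted per (account, hour) so that the
    cap applies across many small queries, not just one large one.
    Returns (allowed, reason).
    """
    policy = ROLE_POLICY.get(event.role)
    if policy is None:
        return False, "unknown role %s" % event.role
    if event.table not in policy["tables"]:
        return False, "role %s may not read %s" % (event.role, event.table)
    key = (event.account, event.hour)
    if usage[key] + event.rows > policy["rows_per_hour"]:
        return False, "hourly row cap %d exceeded" % policy["rows_per_hour"]
    usage[key] += event.rows
    return True, "ok"


def replay(log):
    """Run the log through both policies; return what each would have denied."""
    usage = defaultdict(int)
    perimeter_denied, lp_denied = [], []
    for rec in log:
        ev = AccessEvent(*rec)
        if not perimeter_only(ev):
            perimeter_denied.append((ev.account, ev.hour))
        ok, reason = least_privilege(ev, usage)
        if not ok:
            lp_denied.append((ev.account, ev.hour, reason))
    return perimeter_denied, lp_denied


def bulk_read_alerts(log, factor=20, floor=1000):
    """Flag account-hours whose row count dwarfs the fleet-wide median.

    The absolute floor stops tiny baselines from alerting on noise. A real
    deployment would baseline per role and from history, not from the same
    window it is scoring.
    """
    baseline = median(rec[5] for rec in log)
    threshold = max(floor, factor * baseline)
    return [(rec[1], rec[0], rec[5]) for rec in log if rec[5] > threshold]


if __name__ == "__main__":
    perimeter_denied, lp_denied = replay(SAMPLE_LOG)
    print("perimeter-only would have denied:", perimeter_denied)
    for account, hour, reason in lp_denied:
        print("least-privilege denied %s at %s: %s" % (account, hour, reason))
    for account, hour, rows in bulk_read_alerts(SAMPLE_LOG):
        print("ALERT bulk read: %s pulled %d rows at %s" % (account, rows, hour))
```

The perimeter-only policy denies nothing, because every host in the log is an internal workstation; the least-privilege policy refuses all three of the front-end account's reads, once on volume and twice on table, and the detector flags the two bulk pulls. The row cap and the multiplier are the knobs a real deployment would tune against its own traffic.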

Singapore’s government is now second-guessing its “Smart Nation” plan, a project meant to roll out more digital services and let institutions share data about citizens. Iswaran, however, is hopeful that the digital projects can resume once the SingHealth breach has been fully dealt with.

SingHealth said that it will be contacting all of the affected patients about the data breach over the next few days.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • hok
    Serves them right, the SG government was quite arrogant a few years ago when people brought this up about security when they had plans for the FULL Digital integration of peoples health records...stupidity is the greatest educator.
    Reply
  • stdragon
    Those workstations should never have had internet access to begin with. If it's needed, then a secondary computer should be used that's air-gapped from the rest of the network with only access to the database. That way, a malware-infected machine has zero chance to access the records, let alone upload them over the internet.

    IT director and CIO need to be fired
    Reply