Response to SingHealth data breach shows low awareness, rushed decisions

July 27th, 2018 | by Alfred Siew

SCREENSHOT: SingHealth website

One of the most telling responses to last week’s revelation of the SingHealth data breach comes from a woman simply named Wendy in a news report.

“It seems like the hackers were targeting more prominent figures and not me, so I am less concerned now,” she tells The Straits Times.

You can hardly find a better quote if you want to show how little Singaporeans understand about the worst data breach to hit the country.

For several years now, the authorities have clamped down on companies collecting and exposing NRIC numbers. Here, exposed in an instant, are 1.5 million of them, belonging to a quarter of the population.

Yet, many people seem unperturbed that they are now open to widespread fraud. A criminal holding someone's name, NRIC number, address and date of birth can, say, call up a credit card company, pass the identity checks that rely on exactly those details, and extract more information. Or the data can be used for insurance fraud.

Just because these incidents do not happen overnight – the data will eventually make its way to the seedier corners of the Internet to be sold to criminals – doesn’t mean people should be relaxed about having their personal data stolen.

While credit card information might seem more important, don't forget that personal data like your IC number is permanent. A compromised card number can be cancelled and reissued; an NRIC number cannot, so a hacker holds a record that he can use years later. The same goes for your address, which doesn't change all that much.

If parts of the population do not grasp the seriousness of the issue, surely the authorities have to come out to educate them. Unfortunately, they themselves are struggling to come to grips with some realities.

Days after the attack was revealed, Deputy Prime Minister Teo Chee Hean said there should have been Internet surfing separation. In other words, computers connected to the Internet should not be linked to the SingHealth system.

Sure, that may have prevented this attack, which was said to have come through an Internet-connected machine, but would other types of attacks be kept out?

Clearly, no. There is no preventing a cyber attack over time because all it takes is one loophole or an angry employee to expose the most guarded secrets. Just ask the National Security Agency in the United States.

How we prevent an attack is important, but just as crucial is the way we respond to it, because there will be hackers who eventually get through.

There’s something to be learnt from the deadly terrorist attacks in London in 2017. After the dust settled, the British came out to go about life as normally as they could, wary but defiant.

Fortunately, what Singapore has faced is a cyber attack, not a loss of life. Yet the response has to be the same: carry on with the important everyday business instead of closing doors or making things difficult.

By de-linking doctors’ and other healthcare workers’ machines from the Internet, the authorities are making it hard for them to do their work.

Internet segregation may seem like a good idea but put it into practice and you realise how much you cut off the data and information that flows through networks to enable our everyday lives.

This goes against the idea of a smart nation. The government itself is moving away from silos of information stuck at individual agencies so they can share citizen data and deliver better services.

Even the private sector is plugged in. Banks today can verify your income digitally with the government when you apply for a loan.

Internet segregation should be applied to the most sensitive systems, say, those containing military secrets. But a healthcare system that thrives on data for efficiency and efficacy?

More thought needs to be put into this. The productivity losses are not insignificant. The patient care that is affected has to be part of the equation.

Revealing the SingHealth data breach last week, government leaders talked about the need to carry on with Singapore's smart nation projects. They should let doctors easily have the information needed to provide care by seeking a better solution, not simply the easiest one.

They should also consider remedies for those who are affected. As senior IT architect Lai Zit Seng pointed out in a blog post, similar data breaches in the United States have resulted in health insurance companies paying out millions of dollars to help patients monitor their credit.

If there is something to be optimistic about the events this past week, it is that some practices that had been put in place previously have worked.

The fact that the hackers made off with the personal data and prescription information but not data like doctors' notes could mean they were either detected early or that the data was stored separately.

An investigation is ongoing, but it is safe to say that more would have been exposed had SingHealth been less prepared.

Experience certainly helps. Earlier this week, the Monetary Authority of Singapore (MAS) told financial institutions to tighten up the way they verify customers, in light of the stolen data.

The industry learnt its lessons from the early days of Internet banking in the mid-2000s. Before banks started handing out two-factor authentication (2FA) tokens to customers, hackers breaking into accounts with stolen passwords and transferring money out were a common threat.

Fortunately, the industry didn't dump online banking and force people back to ATMs. Neither did it cut off technology in a bid to tighten up its security.

Quite the opposite, actually. Banks today are big users of cloud computing and are even dabbling with cutting-edge stuff like blockchain.

That should be the approach for other sectors as well. By beefing up systems – not disconnecting them – and by educating end users of the importance of data protection, they can still deliver useful digital services.

The current response to the SingHealth data breach seems to be: "Don't panic, we have things under control." That's not quite right.

Don't panic, sure, but nobody can have things fully under control. Better to let citizens know that a smart nation involves shared risks and responsibilities.

This means looking out for suspicious activity on their accounts, turning on 2FA for their e-mail accounts and being generally wary of fake messages tempting them to click on malicious links. Bear in mind that a scammer who already holds your name, NRIC number and address can make such messages look far more convincing than a generic phishing e-mail.

There’s no other way. Being prepared is part of being connected.

