TL;DR – It’s not just about stolen medical records.
Unless you’ve been living under a rock, you should know that Singapore has just suffered our most major cyber attack.
In late June, hackers broke into SingHealth’s IT systems to steal the data of 1.5 million patients, including data of PM Lee.
The Ministry of Health (MOH) and Ministry of Communications and Information (MCI) said in a joint press statement:
“The attackers specifically and repeatedly targeted Mr Lee’s personal particulars and information on his outpatient dispensed medicines.”
So some medical data got stolen. So what? Need to be worried meh? Steal for what? Got use meh? Perhaps PM Lee’s medical history could be used to… embarrass him.
But… really? Go through all those efforts to… embarrass him? Isn’t that a bit too excessive?
Yes, medical histories are actually valuable.
Those can be sold. People who buy those data can use those profiles and histories for normal fraud stuff or to get a brand new healthcare plan for themselves. That’s why in USA, roughly one out of every three Americans had their health care records compromised.
Medical histories valuable enough to use so much resources to get?
But in and of itself, that probably doesn’t warrant the amount of effort and resources that went into the SingHealth hacking.
After all, as was emphasized in a joint statement by the Cyber Security Agency (CSA) and Integrated Health Information Systems (IHiS):
“This was a deliberate, targeted and well-planned cyber attack. It was not the work of casual hackers or criminal gangs.”
Some cybersecurity experts have gone even further to suggest that the hack was the action of a nation-state
Mr Eric Hoh, Asia Pacific president of cybersecurity firm FireEye, said the cyberattack was “very different” from those by typical cybercriminals who generally sell the stolen data or use it for ransomware. He explained:
“This was an advanced persistent threat (APT) and the nature of such attacks are that they are conducted by nation states using very advanced tools.”
Mr Hoh further elaborated that the perpetrator carried on trying to access SingHealth’s network even after detection, which is the “typical signature” of a nation-state actor.
Acronis’ lead security researcher Ravikant Tiwari agreed, saying that stolen medical records are most commonly used for aiding in spying if the target is a high-ranking official.
Regardless of how the stolen medical information is used, I think the biggest problems arising from this incident has nothing to do with the medical histories themselves.
The biggest problems arise from the shock and fear that the incident has caused.
Dress rehearsal for something bigger?
First concern is whether this is just a dress rehearsal for something bigger, something more sinister.
Are the culprits just sending a message with this hack? It could be them telling us: “Today I can hack your medical systems. Tomorrow, it’ll be something more deadly”.
And even if they can’t really do more harm than stealing medical histories, planting that seed of doubt alone is already harmful.
There are also people now asking that we stop the effort to implement the National Electronic Health Record (NEHR). Because if someone can hack SingHealth, who’s to say someone won’t hack the NEHR? Then that’ll be all the medical records of all Singaporeans. Isn’t that worse? Better don’t do have that system. Roll back to pen and paper records.
And that would be such a waste.
There is so much good that can be done with the NEHR. It’ll make the delivery of healthcare more efficient and effective. Doctors across different domains can collaborate better and treat the root cause of the medical problem rather than just treat the symptoms.
And causing us to lose confidence in government?
Then there is the loss of confidence in the government. There are already people blaming the government.
Some have made the rather stupid statement that this is what happens when you let PAP run the country for so long – the PAP government gets complacent, slips up and thus allowing for these things to happen.
If I am a nation-state who’s unfriendly to Singapore, this is precisely what would be useful to me – causing citizens to lose confidence in the government – so that I can then go in and influence the citizens to change the government to one that I can more easily manipulate.
Our response matters
And if we allow ourselves to be manipulated like that, then we are all really stupid. Yes. It’s terrible that a cyber attack had been successful.
But even USA, supposedly the world’s only superpower and most technologically advanced country, has succumbed to cyber attacks. The Securities and Exchange Commission (SEC), America’s chief stock market regulator, admitted in 2017 that hackers had infiltrated its database that stores public company financial filings, potentially allowing intruders to trade on inside information.
In 2015, the Obama administration revealed that the sensitive personal data of 21.5 million Americans were stolen when two attacks resulted in colossal breach of US government computer systems.
So it’s got nothing to do with the PAP government. As PM Lee pointed out in his Facebook post, our government systems come under attack thousands of times a day. It’s not a matter of if, but when, one of those attacks is successful.
And, as much as we prevent it, as much as we try to minimise the impact, how we react and respond to the incident is just as important.
If we lose confidence in ourselves, in our government, in the people in the security agencies who have worked and are working hard to defend our interests, then the attackers have won.
But if we come together, learn from it, realise that cybersecurity, just like our fight against terrorist threats, is an ongoing battle and that we all have a role to play, then we would have denied the attackers their victory.
I’m not saying that the government shouldn’t do anything. The government has already said that it takes a serious view of this incident.
It will take immediate action to strengthen our public sector IT systems and databases against similar cybersecurity attacks. And a Committee of Inquiry will be formed to conduct an independent external review. We will get to the bottom of this.
In fact, CSA already knows who’s behind it. But because of operational security reasons, CSA can’t reveal who the culprit is.
So, yes, it’s terrible some really organised group of people have succeeded in stealing some of our medical histories. But let’s not allow them to scare us, spread disunity amongst us, and stop us from progressing.
Let’s deny them a complete victory.
(Featured image via)