The Office of the Australian Information Commissioner (OAIC) released its quarterly report on data breach notifications yesterday, and unsurprisingly, healthcare providers were the largest source of reported data breaches (20% of all notifications).
Of the notifications made by healthcare providers, 59% (29 reports) were due to human error, and almost half (45%) of these human error breaches involved sending personal information to the wrong recipient.
Malicious or criminal attacks accounted for 41% (20 reports) of breaches; of these, 40% were cyber incidents and a further 45% were due to direct theft of paperwork or data storage devices.
For the healthcare industry, 75% of cyber incidents resulting in a breach were due to stolen credentials, phishing or other hacking.
Add to this the recent public debate around the security and privacy of the government’s My Health Record, and the warning signals are clear – healthcare providers need to be prepared for data breaches and possible public scrutiny.
The recent cyber attack on Singapore Health Services is an example of the complexities of securing healthcare records.
Case study of a data breach: Singapore Health Services
In a sophisticated attack, hackers infiltrated Singapore Health Services (SingHealth) and stole personal details of 1.5 million patients. While in SingHealth’s systems, hackers also took outpatient prescriptions of 160,000 people – including Singapore’s Prime Minister.
How did they do it?
The hackers infiltrated an internet-connected workstation and obtained privileged credentials. With these credentials, hackers covered their tracks as they moved across the network to find both additional entry-points and a database containing personal information.
The hackers had access to the system for a week before database administrators noticed the suspicious activity and commenced response activities. Containing the threat proved difficult, as the hackers began to regain access to the system through entry-points they had previously identified.
Health administrators had to take drastic action, temporarily disconnecting workstations from the internet and even preventing all 28,000 staff from browsing the web while forcing them to change their passwords. Outgoing connections were also tightly filtered, network servers were reset and heightened monitoring was implemented. Eventually, the additional monitoring and tightened controls eradicated the hackers from the system.
The Ministry of Health has since directed a full cyber security review of Singapore’s public healthcare system, with the Minister-in-Charge of cyber security planning to establish a Committee of Inquiry. Singapore’s Cyber Security Agency is now working across private and public sectors to enhance information security ahead of the upcoming ASEAN summit.
Timeline of a data breach
27 June 2018
- A front-end workstation was infected with malware
- Administrative/privileged credentials were harvested
- Attackers used the workstation to move throughout the network
- Attackers performed reconnaissance to identify additional entry-points, to ensure they could regain access if they were caught
- They found and gained access to the affected database, using the stolen administrative/privileged credentials
- The attackers obfuscated their activity
- Publicly/commercially available attack tools were used
- The Personally Identifiable Information (PII) of 1.5 million patients who visited some clinics between May 1 2015 and July 4 2018 was affected
- Records from five hospitals (including Singapore General Hospital), three National Centres and ten clinics were affected
- Records included full name, address, gender, race, date of birth and National Registration Identity Card (NRIC) numbers
- No records were tampered with (i.e. altered or deleted).
4 July 2018
- Database administrators from the Integrated Health Information Systems agency (IHiS) detected unusual activity
- Heightened monitoring was enacted, which detected further malicious activity
- Containment activities commenced
- Threat was originally contained, but previously identified entry-points allowed attackers to regain access.
10 July 2018
- Forensic investigation confirms it was a targeted cyber attack
- SingHealth informs the Ministry of Health (MOH) and the Cyber Security Agency (CSA).
12 July 2018
- SingHealth lodges a police report.
20 July 2018
- Singaporean authorities announce that the country’s largest healthcare group, SingHealth, was targeted by a major cyber-attack which resulted in a data breach.
Healthcare is a natural target
There are a number of distinctive attributes that make the healthcare sector an attractive target for cyber adversaries. The unique nature of healthcare organisations often makes them viable targets for threat actors of varying capability and intent. Sensitive medical records, personally identifiable information and unique personal identifiers coupled with traditionally open network environments can expose healthcare organisations to a range of cyber threats.
As threats continually evolve, it is important for healthcare organisations to understand what these threats are, what they seek to achieve and how they will attempt to do so. Understanding the motives of cyber threat actors and the risks they pose helps decision-makers implement appropriate controls to best protect valuable information assets.
Traditionally open network environments
It makes sense that healthcare providers operate on an ‘open-access’ principle. Consider what you see when strolling down a hospital corridor – computers are openly accessible next to bedsides, within reach of the general public. That’s also for good reason. If doctors and nurses had to input a complex password, receive a verification text-message, and input a six-digit code to access a patient’s records, this could certainly cause problems in a medical emergency requiring urgent attention and care.
While hospitals typically provision access to patient records with convenience prioritised over security, it’s important to consider the doctors’ clinics, medical facilities and treatment centres which handle sensitive medical records every day. These organisations provide important healthcare services but often have less stringent convenience requirements: they’re not hospitals dealing with life-threatening emergencies on a day-to-day basis. Unfortunately, the ‘open-access’ principles seem to be carried over to these peripheries of the healthcare sector. It’s important to remember that while it’s easy to share medical records between service providers, there’s no guarantee that each of them implements equally effective cyber security protections over the data it holds.
It’s not just organisations that experience the impacts of a data breach
While it’s easy to place the focus of a data breach’s impacts on the company affected, it is important to remember the human consequences for those who have had their data breached. It’s also necessary for individuals to understand the inherent risks involved in handing over healthcare information, including electronically. The negative consequences experienced through a compromise of medical records can be high.
Medical and health records are prized by cyber criminals for a number of reasons. Firstly, medical and health records contain personal information which can be used to enable fraud. Secondly, they may contain sensitive and/or embarrassing information which can be leveraged to facilitate blackmail. Lastly, while contact information (such as emails, addresses and telephone numbers) may change, health and medical records are typically lifelong artefacts which can be exploited over a long period of time.
The three key takeaways for healthcare providers
- Review your risk – check your access points and make sure your IT security is appropriate for both your operating environment and the sensitivity of data being stored.
- Train your staff – cyber security awareness training will help to reduce the possibility of data breaches due to human error.
- Have a plan in place – treat a data breach as a likely risk and be prepared. Involve the different layers of your organisation, especially executive management and the board; explore a comprehensive cyber insurance policy; and be able to respond.
BDO Cyber Threat Insights Report on Healthcare sector
The latest BDO Cyber Threat Insight Report focuses on other recent cyber events in the healthcare sector and the latest attack tools, techniques and malware that adversaries are using to target it.