13 Jan 2019
Infocomm Media Dev Agency (IMDA)


Singhealth Cyber attack - remedial actions
The version of the COI report on the Singhealth cyber attack released to the public was disappointing. It did not explain how the team of hackers was able to retrieve the 1.5 million records over several months.

The COI "believed" that the cyber attack was "state sponsored". They decided that their mode of operation should be kept secret. 

I do not understand and do not agree with the need for secrecy of their mode of operation. Other organizations can learn much from the details.

The glaring fact is: 1.5 million patient records and many outpatient records were retrieved by the hacker, or team of hackers, over a period of several months.
 
If the hackers had access to the database administrator's password, they would be able to download the entire database within a short time. They do not need several months to do their work.

I suspect that the hacker had access to a user's credential. Using this stolen credential, they were able to retrieve and download the data, but it had to be done painstakingly. This is why it took several months.

When there are thousands of user credentials, it is easy for the hacker to steal some of them. We have to be aware of this possibility. This risk cannot be controlled through some vague recommendation to strengthen the controls.

This is how I would deal with the problem:

a) I would require every access to a patient record to be logged, with the identity of the user and the patient.
b) I would run a script every night to count the number of patient records that have been accessed. It should fall within an acceptable range.
c) If the number of accesses is exceptionally high, it probably indicates that there are unauthorized accesses, possibly by a hacker. This script will also identify the users whose credentials were used.
d) The report of excessive access can be sent to the operating level for the matter to be investigated. A copy could be sent to alert top management.
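
As an added illustration of steps a) to d), not part of the original post: a Python script that reads a constructed access log (the "date user patient" line format and the user names are assumptions), counts the distinct patient records each credential touched that day, checks the total against an acceptable range, and flags any credential whose count exceeds a fixed ceiling or its own past daily average.

```python
"""Nightly check of patient-record access counts, as proposed in the post."""
from collections import defaultdict
from statistics import mean, pstdev

def build_sample_log():
    """Constructed access log: one 'date user patient' line per access.
    Three ordinary days, then a day on which one credential (clerk03)
    touches far more records than that user's history. Format is assumed."""
    lines = []
    for day in ("2019-01-08", "2019-01-09", "2019-01-10", "2019-01-11"):
        for i, user in enumerate(("nurse01", "doctor02", "clerk03")):
            n = 200 if (day == "2019-01-11" and user == "clerk03") else 12 + i
            lines += [f"{day} {user} p{1000 + i * 300 + k}" for k in range(n)]
    return "\n".join(lines)

def parse_log(text):
    """Return date -> user -> set of distinct patient records accessed that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if line.strip():
            date, user, patient = line.split()
            seen[date][user].add(patient)
    return seen

def nightly_report(seen, today, total_range=(0, 100), ceiling=50, z=3.0):
    """Return (total_ok, flagged) for `today` (ISO dates compare as strings).
    total_ok: total distinct records accessed lies within `total_range`.
    flagged: user -> count, for users above the fixed `ceiling` or more than
    `z` standard deviations above their own past daily mean."""
    history = defaultdict(list)
    for date, per_user in seen.items():
        if date < today:
            for user, records in per_user.items():
                history[user].append(len(records))
    total = sum(len(r) for r in seen[today].values())
    flagged = {}
    for user, records in seen[today].items():
        n, past = len(records), history.get(user, [])
        baseline = mean(past) if past else 0.0
        # floor the spread at 1 so a perfectly regular user is not flagged
        # for a single extra record
        spread = max(pstdev(past), 1.0) if len(past) > 1 else 1.0
        if n > ceiling or (past and n > baseline + z * spread):
            flagged[user] = n
    return total_range[0] <= total <= total_range[1], flagged

if __name__ == "__main__":
    print(nightly_report(parse_log(build_sample_log()), "2019-01-11"))
```

The flagged user list is what step d) would send to the operating level for investigation.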

This method will catch the hacking and unauthorized access and will trigger immediate action by management. The user credential could be disabled.

The technical people can still focus on the technical aspects to prevent unauthorized access by the hackers. But the method that I have suggested should be implemented alongside.

We should not leave these matters only to technical people.

I have submitted this suggestion to the COI. Sadly, they decided not to invite me to give my views. 

Tan Kin Lian
