IOTW: Medical data of more than 73,000 patients shared in Singapore breach

Large ransomware attack targets Singapore-based ophthalmology clinic as healthcare data trades on the dark web

Sarah Williams
09/10/2021

Singapore healthcare clinic hit by ransomware attack

One of the largest and most successful ransomware attacks of recent months occurred in the small, wealthy nation of Singapore, when attackers harvested the medical records of a possible 73,000 patients at specialist ophthalmology clinic Eye & Retina Surgeons. The breach included personal medical records, including serious illnesses and treatments.

Healthcare data is a high-value trade item on the dark web, with a recent report by research group McKinsey estimating that Asia-Pacific’s digital healthcare price tag could rise by US$37bn in the next four years. Yet many healthcare providers, no matter their size, often do not pay as much attention to cybersecurity as other heavily data-protected industries do.

The facts

According to a sternly worded notice issued by Singapore’s Ministry of Health (MOH), Eye & Retina Surgeons notified it of the 6 August attack a week after it occurred. An August 2021 update to the country’s Notification of Data Breaches Regulations 2021 said that all organizations that have a breach that “results in significant harm to individuals” or is “of a significant scale” are obligated to report it to the Personal Data Protection Commission.

The attack was made by an undisclosed ransomware group for an also undisclosed amount and targeted the clinic’s servers and management systems. Upon recognizing the breach, the clinic allegedly acted quickly to plug it and notified the police, the Commission and the Cyber Security Agency of Singapore, which is advising on how best to prevent this from happening to the clinic’s data in the future.

This is one of the largest breaches in the Asian nation’s history, with the largest also being in the healthcare sector, when unknown state actors harvested 1.5 million patients’ data from the country’s largest healthcare group, SingHealth. The breach, committed by individual hackers, specifically targeted Prime Minister Lee Hsien Loong’s personal information.

Lessons learned – good healthcare includes good cybersecurity

The Ministry of Health’s admonishment in its press release on the subject is a good place to start. It states: "It is only through the disciplined maintenance of a safe and secure data and IT system that healthcare professionals will be able to deliver accurate and appropriate care and uphold patient safety."

Under Singapore’s Hospitals and Medical Clinics Regulations, licensed health premises have even more stringent obligations to their customers, and “have to implement adequate safeguards to protect medical records against unauthorized access and ensure that such safeguards are effective”.

In fact, it is so important that the Ministry issued a set of Healthcare Cybersecurity Essentials guidelines in August 2021 to remind all licensees to establish and constantly review their security safeguards, implement new measures as necessary and adopt best practices to secure their IT systems.

The Ministry’s statement concluded: “Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems and patient data.”

Quick tips

  • Conduct a thorough review of your healthcare institution’s systems, including servers and management systems.
  • Consider a new approach to your IT security health. Because of a renewed focus on data protection in the industry, including, in some states, heavy fines for a lack of reporting, there is no time like the present to remember that a duty of care includes the right to privacy.
  • Create data backups to lower your vulnerability to literally being held to ransom.
  • Consider cloud-based technologies – cloud-based architectures are more difficult to exploit. In addition, cloud storage solutions allow you to restore older versions of your files.