Singapore Take Steps to Enhance Health Data SecurityAfter SingHealth Breach, IHiS Announces Steps to Secure Itself
Integrated Health Information Systems - Singapore's central agency for IT in its healthcare sector - has announced a slew of measures to help strengthen cybersecurity across the nation's public healthcare system. But some security experts say it will be critical for the agency to monitor whether its steps are actually proving to be effective.
See Also: The Global State of Online Digital Trust
The agency's action comes in the aftermath of the SingHealth data breach in July, which affected 1.5 billion patients. A four-member Committee of Inquiry is investigating that breach, which has been described as the most serious breach of personal data in Singapore's history.
Among those affected was Prime Minister Lee Hsien Loong. The hackers targeted his personal medical information.
The moves announced by IHiS include the use of two-factor authentication for local administrators and complex passwords managed centrally, as well as added training for the security team to boost their understanding of advanced hacker tools.
IHiS also says it has initiated measures to enhance its capability to prevent, respond and detect cyber threats. This includes expediting the planned implementation of client advanced threat protection to help block threats based on exploit techniques and sophisticated malware. As of October 26, that technology had been deployed in more than 6,000 servers and over 60,000 endpoint devices, the agency reports. Full deployment is expected to be completed by the end of the year.
Some security practitioners say the agency's implementation of advanced threat protection is long overdue because it helps track persistent threats.
The agency is also studying the possibility of using a virtual browser solution, where staff can only access reproduced content on the web to minimize risk of downloading or executing malicious files that may reside on the original sites.
"A trial was carried out earlier to assess the technical feasibility of the virtual browser solution and test the compatibility with corporate applications," IHiS says. "A pilot with a small group of users will be conducted to evaluate the user experience and further assess the security of the solution. The pilot is expected to complete by mid next year."
Aloysius Cheang, board director and EVP, Asia Pacific at Centre for Strategic Cyberspace + Security Science, a U.K. think tank for cyber centric leadership, on IoT security and solutions, says, however, that it's "important to keep in mind that if ATP is getting implemented then measures such as virtual browsers are not going to be helpful as it may open up loopholes to be exploited." He says the agency must also implement data encryption steps.
IHiS also has implemented Temporary Internet Surfing Separation across the public healthcare sector. This means that the computers that are connected to internal networks will not have access to the internet. This will help isolate any problem and make policies and procedure much easier to enforce, some security experts say.
Among the other steps the agency is taking:
- To further prevent the use of weak passwords, IHiS is enhancing the access management capability to manage complex passwords centrally and automatically update and protect administrator accounts. More stringent restrictions will also be imposed on administrative access to servers within the network. The access management will be boosted with threat analytics to provide earlier detection of suspicious account activities;
- To secure the network against unpatched equipment, the access control will be enhanced to allow only authorized devices that are patched with the updated anti-virus and anti-malware signatures to join the network;
- The agency is enhancing security for its Allscripts Sunrise Clinical Manager system. IHiS is enhancing the infrastructure to strengthen security and reduce the risks for the SingHealth SCM database. Database activity monitoring is being enhanced with more comprehensive blocks and alerts on execution of bulk queries;
- A comprehensive review of cybersecurity safeguards for key systems, including the electronic medical record systems for all public healthcare clusters, will be conducted.
Need for Monitoring
"It is good to see some concrete steps being announced," says Nitesh Sinha, founder and CEO at Sacumen, a security product developing company in India. "Having said that, these measures will prove effective provided there is regular monitoring and review. So, asset management becomes an important first step in this regard."
Sinha also suggests that the agency needs to take additional steps, including implementing a "data masking solution to ensure that sensitive data leakage does not happen during application development and maintenance. Also, they can look to incorporate tools that monitor the presence of PII data across log sources. Implementing secure SDLC processes is important as well."