After Singapore’s healthcare hack: Next steps for officials

By GovInsider

Abdallah Zabian, General Manager for Security at DXC Technology in Asia, gives his recommendations.

As Singapore announced that its healthcare system has been hacked, GovInsider reached out to a leading security figure to see what the government can do next.
Abdallah Zabian is General Manager for Security at DXC Technology, Asia. He shares what lessons governments can learn and how security policies can be improved.

What are the lessons learnt on crisis communications?

“The way the Singapore Government managed it and the messaging was correct,” Zabian says. The government stopped information from going out immediately after the attack, allowing them time to launch an investigation right away and monitor the hackers.

“You do want to watch what the hackers are doing and what they're looking at and what they're going after, before taking final action which will alert them that you know. You also want to be able to use various techniques in order to mislead them and properly go after them,” he explains

Another crucial aspect is that the response was coordinated across the government - involving ministries and officials in charge of health, cyber security, and critical information infrastructure protection and digital service policies. “Everybody’s involved in how they handled it and what they announced,” Zabian says.

It was also the “right decision” for the Prime Minister to publicly stand by the protocols. After the attacks were made public, Prime Minister Lee Hsien Loong revealed that he was “asked to be included” in the electronic health records system. The alternative was “to keep mine in hardcopy for security reasons”, he wrote. The Prime Minister’s outpatient medication data were among the records stolen, after they were “specifically and repeatedly” targeted.

How can data and security policies be improved?

There are three key policies that should be reviewed as part of the government-wide inquiry into the hack, Zabian recommends.

First, security policies must be “all encompassing”. For instance, healthcare agencies should be included in Singapore’s internet separation policy, he says. This policy introduced two years ago air gaps workstations with access to citizen data and bans officials from accessing the internet on these machines. “I do recommend this especially if this is a targeted attack, because the attacks are not going to stop – and due to the sophisticated nature of their attacks, it’s very difficult to stop them,” he explains.

Second, “we need to reconsider the architecture and the design” of the technologies that are currently being used. As part of this, “all citizen data should be encrypted, whether it is data in motion or data at rest”, he says. This would ensure that in the event of an attack, hackers will not be able to draw any valuable information from the stolen records.

Third, Singapore should re-educate all users and consistently update them on new threats, particular “super users” with high levels of data access. “If you are a super user with a high level of credential, then you should have the right level of training and awareness” Zabian says. For instance, all users must understand that they play a critical role in protecting citizens’ data, including basic steps like ensuring they do not open personal emails, links or visit unsecure websites on machines that contain this information.

How can attacks be better monitored?

Artificial intelligence can help governments monitor and identify possible threats quicker than humans would on their own, Zabian says. In the case of the Singapore hack, it was stated that the database administrators detected unusual activity sometime after hackers began data exfiltration. “If you have an attack monitoring solution with right uses cases, it would enable you to see these types of anomalies,” he says.

There are two key things to keep in mind here. First that it is critical for these monitoring systems to be “tuned” to the right level of sensitivity and situations in which to trigger alarms, he adds. For instance, AI systems need to be trained to alert officials to certain patterns in the way people access data - including when, where, how and what data they access. It can raise and alert of suspicious behaviour for a human to check and take the final call.

Second is to ensure that all the devices across the healthcare system are interconnected to the monitoring system so cyber security officials are “looking at it holistically, and not in silos”, he adds.

“I agree with the steps that the government has taken to remediate the situation and with the proposed way forward,” Zabian says. He encourages all citizens to “support the government in these situations and not be fearful” - or we will play right into the attacker’s hands.