[SingCERT] Technical Advisory on Measures For Protecting Customers’ Personal Data
Published on Friday, 20 July 2018 17:31
SingHealth’s database containing patient personal particulars and outpatient dispensed medicines has been the target of a major cyberattack. About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. The records were not tampered with, i.e. no records were amended or deleted.
The Integrated Health Information System (IHiS), which is the technology agency for the public healthcare sector and runs the public healthcare institutions’ IT systems, has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing internet surfing separation. They have also placed additional controls on workstations and servers, reset user and system accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.
SingHealth will be progressively contacting all patients who visited its specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018, to notify them if their data had been illegally exfiltrated.
Reviewing Personal Data Policies
Companies may collect customers' personally identifiable information (PII) for various reasons, and they need to take appropriate steps to safeguard it. These steps include, but are not limited to:
Ensure that any sensitive data is encrypted, and limit access of employees and other stakeholders by their roles. Passwords that are stored should be encrypted.
Companies should review their data retention policies, covering how long and which types of PII are stored. To further limit data exposure, companies are advised to purge customers' PII once it is no longer required, for example for accounts that have been terminated.
The Personal Data Protection Commission (PDPC) has published a guide to help organisations develop or improve their data protection policies and practices. PDPC, in partnership with CSA, has also published a guide to aid organisations in securing personal data. Enterprises may refer to these guides for information and good practices for improving the protection of personal data.
Recommended Security Measures
Companies are strongly encouraged to review their systems and stay vigilant for suspicious activity. The following are immediate measures that companies can adopt:
1. Review Domain Administrator Accounts
Domain administrators have full control of the domain. Review and strictly manage domain administrator accounts, and disable inactive accounts when they are no longer in use.
2. Disable PowerShell for Standard Workstations
PowerShell can be exploited by attackers to execute malicious commands and scripts. Consider disabling PowerShell if it is not required by standard user workstations.
3. Monitor for Unauthorised Remote Access or Database Access
Be on the lookout for suspicious SQL queries, especially those that return a large volume of data relative to the size of your database. Remote access should require strong login passwords and be limited to authorised users.
4. Tighten Control for Long-Running or Decommissioned Endpoints
Monitor long-running endpoints, such as 24/7 kiosks, for signs of infection. Decommissioned endpoints should be taken offline when no longer in use, as attackers could exploit these endpoints, which may have outdated software and virus definitions.
5. Employ Strong Endpoint Protection
Consider enterprise-wide application whitelisting for standard users. Whitelisting restricts standard users to a list of approved applications, while preventing all other applications from running, including malicious software that antivirus software may not have definitions for.
6. Keep Systems Up-to-Date
Apply software updates and security patches as soon as they are available to fix known vulnerabilities that could be exploited by attackers or malicious software.
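Measure 3 above asks defenders to watch for SQL queries that return voluminous results relative to the size of the database. The following is an added example, not from SingCERT or IHiS, of how such a check can be run over database audit logs; the log format, the sample lines, the table sizes and the thresholds are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample audit log in a hypothetical "key=value" format (not real SingHealth logs).
SAMPLE_LOG = """\
2018-07-04T02:13:07 user=app_svc src=10.0.5.21 rows=1 table=patients sql=SELECT name FROM patients WHERE id=?
2018-07-04T02:13:09 user=app_svc src=10.0.5.21 rows=25 table=visits sql=SELECT * FROM visits WHERE patient_id=?
2018-07-04T03:41:52 user=reporting src=10.0.9.4 rows=1480000 table=patients sql=SELECT name, nric, address FROM patients
2018-07-04T03:45:10 user=app_svc src=10.0.5.21 rows=3 table=patients sql=SELECT name FROM patients WHERE id IN (?,?,?)
this line is malformed and must be skipped, not crash the sweep
"""

# Approximate row count per table, as exported from DBMS statistics (constructed values).
TABLE_SIZES = {"patients": 1_500_000, "visits": 9_000_000}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) "
    r"table=(?P<table>\S+) sql=(?P<sql>.*)$"
)

@dataclass
class Alert:
    ts: str
    user: str
    src: str
    table: str
    rows: int
    fraction: Optional[float]  # rows / table size; None when the table size is unknown
    sql: str

def find_bulk_queries(log_text, table_sizes, fraction_threshold=0.10, abs_threshold=100_000):
    # Flag a query when it returns at least fraction_threshold of the table's rows.
    # For a table with no known size, fall back to an absolute row threshold so a
    # bulk read of an unlisted table is not silently ignored.
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # malformed line: skip it, do not abort the whole sweep
            continue
        rows = int(m["rows"])
        size = table_sizes.get(m["table"])
        fraction = rows / size if size else None
        hit = fraction >= fraction_threshold if fraction is not None else rows >= abs_threshold
        if hit:
            alerts.append(Alert(m["ts"], m["user"], m["src"], m["table"], rows, fraction, m["sql"]))
    return alerts
```

Running `find_bulk_queries(SAMPLE_LOG, TABLE_SIZES)` on the constructed log flags only the `reporting` account's unfiltered read of the `patients` table; the thresholds should be tuned to each database's normal query profile.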
Cyberattacks continue to be a prevalent threat. Companies need to heighten their online vigilance to evolving cyber threats and adopt precautionary measures to safeguard their company’s data. As a business enabler, cybersecurity should not be an afterthought. Strengthen your organisation’s cyber defence now by adopting six ‘Essentials’:
The six Essentials are featured in Be Safe Online, a handbook to help companies enhance their cyber defence capabilities and digital risk management, so as to better protect themselves against the increasing frequency and sophistication of cyber-attacks. The Be Safe Online Handbook can be downloaded from CSA’s website at https://www.csa.gov.sg/gosafeonline/resources/be-safe-online-handbook.