Cyber Security For Health Data: Lessons From The Singapore HIV Data Leak
In late January 2019, the primary healthcare data of 14,200 people held by the Ministry of Health (MOH) in Singapore was compromised in a cyber security breach that highlights the importance of protecting such data.
The leak – carried out by American Mikhy Farrera Brochez on Jan 22 – saw the privacy of 8,800 foreigners and 5,400 Singaporeans and permanent residents who are listed on the country’s HIV registry shattered. Of the Singaporeans, 3,500 are alive.
This is cybercrime at a cruel scale. The most devastating part of this cyber security attack is the human element.
The MOH in Singapore has reached out to 2,400 of the 3,500 Singaporeans living with HIV who were affected by the leak, but the data dates back to 1985 and contained a great deal of contact information.
How did this data breach happen?
In the Singapore case, Brochez was able to gain access to the system because his partner, Ler Teck Siang, was the head of the MOH’s National Public Health Unit from March 2012 to May 2013. Ler had access to the HIV Registry for his work, and Brochez was able to use that access to breach the system in a bid to make a statement about his alleged treatment during time spent in prison in Singapore on drugs and fraud charges.
What is the number one cause of cyber crime in the health sector?
Interestingly, research shows that the number one issue behind cyber crime in health sector businesses is culture – the way people use the systems. In fact, 56% of all reported data breaches in the health sector in Australia in 2018 were because of human error.
Even more interesting is the fact that nearly half of these incidents involved lost personally identifiable information. This includes personal data such as personal details (name, address, email), financial details (how much one earns), medical details (about an individual’s physical and mental health), details about a person’s ethnicity or sexual life, biometric data and even criminal records.
Cyber threats can be broken down into key areas: loss of systems and websites, and loss of information. Either can arise from external factors or from internal threats, such as negligent employees, supply chain errors, or deliberate malice within any of those groups.
We now find ourselves in an era where organisations, regardless of size and industry, are more interconnected today than at any time in our commercial history. Small to medium businesses, whether well-established or start-up, continue to grow and thrive in support of each other, or their larger corporate cousins.
The importance of protecting health data
Looking across the health sector in New Zealand and Australia, it is clear that the protection of primary healthcare data must be a paramount concern for all government and non-governmental organisations (NGOs), which are the gatekeepers of such important information.
What is clear is that when it comes to primary health data, the financial cost of a cyber security breach is minimal compared to the emotional fallout that comes from an individual’s loss of privacy.
As the Singapore example shows, it is extremely upsetting for all involved.
There are also concerns about the way this information could be leveraged to sully an individual’s reputation in the society in which they live, and about the organisation at which the breach occurred.
Interestingly, CERTNZ – the organisation charged with receiving reports of data breaches in New Zealand – reported that in the second quarter of 2018 it received 736 reports of cyber breaches or attacks. Even more interesting is the statistic that 507 of those attacked were businesses – an increase of 143 percent on the previous quarter.
Data breach legislation has yet to be rolled out in New Zealand, pending changes to the Privacy Act, but Australia now requires compulsory data breach reporting. That legislation came into force in February 2018, and quarterly reporting has shown a steady rise in the number of reported incidents that meet the thresholds it sets out.
The Australian legislation only requires reporting by companies with turnovers of $3 million per annum or more, or by companies working in the health industry that are required to store personally identifiable data.
Yet even with these protections in place, there was recently a cyberattack on a private Melbourne hospital that saw the primary healthcare data of 15,000 people hijacked and held for ransom.
What types of cyber crime target health data?
It should be noted that there are many different types of cybercrime currently targeting the healthcare sector. Malicious attacks include phishing, ransomware and other social engineering techniques. These exploit human emotions to trick a person into either sending information directly to the attacker or granting access to systems, for example by clicking a link within an email.
Culturally, there are many taboos around this type of sensitive healthcare information, and the Singaporean government is now charged with the task of making its citizens confident that the data it holds is safe and secure.
These types of cyberattacks on the healthcare sector also carry a heavy financial cost.
The Cost of a Data Breach Study – carried out in 2018 by the Ponemon Institute and sponsored by IBM Security – interviewed more than 2,200 IT, data protection and compliance professionals from 477 global companies that had experienced a data breach in the previous 12 months.
This study found that the average total cost of a data breach is $3.86m, with an average cost of $148 for every lost or stolen record.