How Government Data Incidents Could Have Been Prevented

 

The impact of past breaches of government data would have been minimized – or the incidents even prevented – if data security measures announced yesterday had been in place, said Senior Minister Teo Chee Hean. These various data security incidents, like the cyber attack on SingHealth last year which saw the data of 1.5 million people stolen, had prompted the Government to set up the high-level Public Sector Data Security Review Committee. Yesterday, it announced a host of recommendations, which the Government has accepted and will implement across most of its systems by the end of 2021, with the rest by the end of 2023. Here is a look at how some of these breaches could have been prevented with these new recommendations:

 

 

1. Singhealth Cyber Attack In 2018

 

 

In what was Singapore’s worst cyber attack, the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong, were stolen by hackers in June last year.

A skilled attacker managed to enter SingHealth’s system, get past its defenses and move around in the network without anyone noticing.

Reporting of the incident was delayed by the information technology security team, which gave the attacker more time to steal the data.

 

 

How would the measures have helped?

 

 

• Monitoring access of authorized and privileged users of the health data would have flagged unauthorized use of such accounts. The lack of monitoring meant that the attacker’s unauthorized use was not detected.
• Increase in training for IT security staff would have enabled them to better recognize the signs of an attack and handle it.
• Enhancing the data incident management framework would have ensured that any suspected incident was promptly reported.

 

 

2. HIV Registry Leak In 2019

 

 

Between 2012 and 2013, a copy of the HIV registry was downloaded onto a thumb drive, and the data was leaked on the Internet this year.

The confidential details of over 14,000 people on the HIV Registry were illegally made public by American Mikhy Farrera-Brochez.

He had obtained the information through his partner, Ler Teck Siang, a doctor who was head of the Ministry of Health’s National Public Health Unit and who had access to the data.

 

 

How would the measures have helped?

 

 

• Unusual activity such as downloading of the registry would have been detected, and downloading of the data to an unauthorized device like a thumb drive would have been disabled.
• Digital watermarking of the files would have helped in identifying the source of the leaked file.
• Replacing names and details on the registry with unique identifiers, also known as tokenisation, would have prevented identification of individuals.

 

 

3. Leakage Of Data Of Over 1,900 Pupils From Henry Park Primary School In 2015

 

 

A Microsoft Excel spreadsheet containing pupils’ particulars was mistakenly sent out to some 1,200 parents, as the officer did not check the e-mail recipient list.

This document contained the names and birth certificate numbers of all 1,900 pupils in the school, along with the names, phone numbers and e-mail addresses of their parents.

 

 

How would the measures have helped?

 

 

• An e-mail data protection tool would have alerted the officer that sensitive data was being sent to external parties.

 

 

4. HSA Blood Donor Database Exposure In 2019

 

 

Secure Solutions Group (SSG), a vendor for the Health Sciences Authority (HSA), improperly stored the data of over 800,000 blood donors on an unsecured server for more than two months.

There were inadequate safeguards in place to prevent unauthorized access.

 

 

How would the measures have helped?

 

 

• With better accountability of third parties that handle government data and a framework to manage them, the HSA could have better monitored and audited SSG’s data security performance and identified unsafe practices.

 

 

Source: straitstimes.com