Forget cryptocurrency, cybercriminals want your health records more

COVID-19 has forced many Singaporeans to further rely on technology for work, educational and communication purposes. Whilst this has helped with managing tasks and obligations, it has created more opportunities for hackers. In fact even before the pandemic, the Singapore Cyber Landscape 2019 report released by the Cyber Security Agency of Singapore found that cybercrimes account for 26% of all crimes in Singapore.

Incidents of cyberattacks and hacking continue to escalate throughout the region however the SingHealth data breach in 2018, where hackers stole personal information of 1.5 million patients, is still remembered as one of the nation’s worst cyber breaches.

The dark web has made the illicit sale of health care information now more valuable than ever before. Millions of medical records are being sold on the black market, putting both patients and health care organisations at greater risk of data compromise. The race to develop a COVID-19 vaccine has merely escalated global online criminal activities, with media reports of research organisations in the UK, US, Canada and Japan being targeted by state-sponsored cyber cybercriminals.

Why would a cybercriminal want to steal your medical records?

According to the Ponemon Institute’s 2020 State of Password and Authentication Security Behaviors Report,  59% of individuals are most concerned with protecting health-related information — and rightfully so. There are many different reasons why medical records are of value for a cybercriminal. A cybercriminal may try to use your private health care or Medishield, Medisave or Medifund in order to access benefits. Your personal records can also be used as a form of identity to deceptively obtain credit in your name and in rare situations, stolen medical records can be used for extortion purposes. This is similar to what we have seen in the media when celebrities are being blackmailed by cybercriminals who have threatened to make public private images of the celebrity, which have been illegally obtained through hacking.

According to the 2020 Vision Report by CyberMDX, highly sensitive personal information in health records can sell for as much as US$1000 per health record. In contrast, tax file numbers cost about US$22 and stolen credit cards sell for just US$1.50–$4.50, according to Ernst and Young.

With governments around the world implementing COVID related restrictions, such as the earlier circuit breaker measures in Singapore, this has led to more people turning to fitness and health apps to help them track and maintain their health – including Singaporeans. This means more attack points and greater opportunities for cybercriminals.

In times of crisis, hackers thrive on fear, uncertainty and doubt to trick unsuspecting or distracted users into revealing sensitive credentials or downloading malware. To make matters worse, the interconnected nature of the health ecosystem means a breach can have a detrimental and far-reaching effect throughout the health care system. As more third parties enter the health supply chain, the potential problem will continue to escalate.

New cyberattacks against health care organisations across the world are reported every week. Such attacks are caused by malicious insider threats which pose significant threats to health care organisations. Factors like poor internal processes and ransomware are some causes, according to a report by Carbon Black.

Email also continues to be a primary attack vector, as most phishing attempts are executed via email. For example, in June this year the Ministry of Manpower (MOM) issued a public warning to businesses of a planned phishing campaign using a fake MOM e-mail address with COVID-19 support fund as bait.

Protection yourself with strong authentication

Better awareness and understanding of cybersecurity risks, strategies and operations in the boardroom and at the executive manager level is essential to the overall functioning of cyber-resilient health care organisations. Health security professionals must be empowered to work proactively to prevent malicious attacks and data breaches, which starts with standard risk management processes.

Strong multifactor authentication (MFA) is the first line of defence to ensure that sensitive information can be securely accessed, and is a critical component of any enterprise risk management strategy. MFA not only needs to safeguard internal employees but external partners, vendors, and contractors as well – poor authentication processes from a third party vendor could undermine an organisation’s entire security foundation.

Not all MFA is equal, making it critical for health care organisations to consider user preference, authentication scenarios, and physical points of entry when selecting and implementing MFA tools and workflows. For example, many health care workers access accounts from mobile devices, on shared workstations, or even in mobile-restricted environments where phones are not permitted.

MFA approaches can be categorised on a continuum from good to best with many common authentication methods — such as SMS codes and mobile authenticator apps — still leaving users vulnerable to human error, poor usability, or phishing attacks. A recent Google study found the most effective authentication mechanism to prevent account hijacking is a physical security key. It offers 100% protection and offers both a high level of security and usability. 

Ultimately, cybersecurity solutions that are reliable, easy to use, and flexible are critical for health care organisations to mitigate security risks without hindering productivity and should not be considered as an afterthought. Proactive deployment of a strong security foundation, beginning with strong authentication, is key to combat cyberattacks.