This blog is totally independent, unpaid and has only three major objectives.
The first is to inform readers of news and happenings in the e-Health domain, both here in Australia and world-wide.
The second is to provide commentary on e-Health in Australia and to foster improvement where I can.
The third is to encourage discussion of the matters raised in the blog so hopefully readers can get a balanced view of what is really happening and what successes are being achieved.
Saturday, July 21, 2018
Stark Graphic Outlines The Consequences Of The Singapore Breach!
I spotted this from SingHealth - was worth posting I thought.
What an amazing episode. A warning for all large databases.
It does not say they were not accessed, just not changed.
In the longer account it says:
"...hackers had gained control through breaching a frontend workstation, from which they then were able to obtain privileged account credentials to gain access to SingHealth's database."
In other words a user, which could have been a developer or an end user.
It could well have been a threat vector that an unsuspecting user had downloaded by clicking on a link they shouldn't have. That the reports say it was "deliberate, targeted, well-planned" suggests that it came from an email to one or more employees.
None of this is unusual or difficult. All users are potentially vulnerable, just requires good internet hygiene.
The concerning bit is Singapore is pretty hot when it comes to national cyber security, they have to be, their economy is built in part on technology and finance. I have seen some of their cyber operations and they are in a whole different ball park than the ADHA.
At least they know if a record has been altered, wonder if the Government HR system could determine if text within a PDF had been altered under similar conditions.
The MyHR sounds like a back door into more important Government systems, I do hope the ASD is across all this. The ADHA is a bit sloppy at best and I do not get a sense they really understand the system or the feeder systems all that well.
Read the answer to question 2 very carefully.