A major data breach at Phetchabun Hospital last week served as a loud wake-up call to state and private organisations to pay attention to their cybersecurity measures, as experts warned cybercrimes could become more commonplace in the years to come.
The breach involved the data of 10,095 patients, including their names and dates of admission and discharge.
The theft is the latest in a series of high-profile cybercrimes in Thailand in recent years, including a ransomware attack on Saraburi Hospital as well as data leakage from e-commerce operators, Krung Thai Bank, Bangkok Airways, CP Freshmart and Bhumirajanagarindra Kidney Institute Hospital.
Organisations are urged to provide digital skills training for staff, deploy security technology that can defend against threats, and respond effectively when incidents occur.
Thailand was ranked 44th out of 193 countries in the Global Cybersecurity Index 2020 commissioned by the International Telecommunication Union, which gauges how countries commit to cybersecurity, down from 35th in the 2018 report.
HEALTHCARE SECTOR TARGETED
Sutee Tuvirat, a member of the Thailand Information Security Association and Thai Medical Informatics Association, said the government and affected organisations must tell the truth about the incidents and bear responsibility for damage inflicted on data owners.
He said the healthcare sector holds a huge amount of patients' sensitive and personal information, which is why hackers have been targeting this sector globally.
In 2018, Singapore suffered its most serious breach when the personal data of 1.5 million patients was compromised, including that of the country's prime minister Lee Hsien Loong.
For organisations suffering from data leakage, they need to quarantine the system and deal with contamination to ensure they are in full control of data, said Mr Sutee.
They also need to have digital signatures for data back-up and restoration.
"When you lose personal data on the internet, they can use your identity-related information to open bank accounts for money laundering, and this can have a lifetime effect," he said.
Organisations that have customer data leaks must offer compensation and urge data owners to secure themselves, said Mr Sutee.
Thailand has agencies designated in the Cybersecurity Act and Personal Data Protection Act (PDPA) to deal with cybersecurity problems, but they are part of a bureaucracy and do not move fast enough to tackle breaches, he said.
"To comply with the laws, state and private organisations must allocate enough budget to install proper cybersecurity systems and recruit experts to oversee their systems," said Mr Sutee.
He said many companies just rely on IT staff to take care of their cybersecurity system, which is a different type of work.
"Companies need to have someone who can police their network checkpoints to watch who comes in and out. This is the job of cybersecurity experts," said Mr Sutee.
ASIA VULNERABILITY
Gen Bunjerd Tientongdee, a former member of the National Cyber Security Committee (NCSC), said the world is experiencing a surge in cyber-attacks, particularly via ransomware, with cybercriminals preying on organisations for huge ransom payments.
In May, the "DarkSide" cybercriminal gang compromised Colonial Pipeline's networks on the East Coast of the US demanding a ransom. The incident caused the pipeline, which supplies half of the East Coast's petrol, to go down for several days, which led to fuel shortages.
In June, authorities said they had recovered most of US$4.4 million ransom paid to the gang.
Cybercriminals are also preying on victims in Asia, as there are plenty of organisations without well-equipped security systems, said Gen Bunjerd.
"The pandemic is driving many organisations and users to rely more on online channels, enabling criminals to have broader targets," he said.
It is hard to chase these attackers so preventive measures are essential to minimise the impact, said Gen Bunjerd.
"It is vital that critical information infrastructure [CII] has proper anti-cyber-attack systems in place," he said.
"We have the National Cyber Security Committee, chaired by the premier, bringing together a large number of agencies, but they rarely meet up as the leaders don't have enough time. There should be small working groups to expedite work."
The National Cyber Security Agency (NCSA) still lacks a sufficient budget and workforce to allow it to work full tilt, said Gen Bunjerd.
Prinya Hom-anek, an NCSC board member, said cyber-attacks are becoming more commonplace and are very hard to completely defend against.
Organisations need data governance, encryption and pseudonymisation to minimise cyber-risks, he said.
Rattipong Putthacharoen, senior manager for systems engineering at Fortinet Thailand, a local unit of the US cybersecurity company, said cyber-attacks could cost Thailand 286 billion baht in damages unless proper security mechanisms and standards are put in place.
Citing IDC's Asia/Pacific Digital Resilience Scorecard, he said only 6.7% of organisations surveyed in Thailand said they have a robust approach to cybersecurity. Some 63% said they have a basic portfolio of tools to defend against cyberthreats.
Patama Chantaruck, managing director of IBM Thailand and vice-president for Indochina Expansion, said cyber-attacks on healthcare, manufacturing and energy doubled globally in 2020, citing the company's 2021 X-Force Threat Intelligence Index report.
Threat actors targeted organisations that could not afford downtime because of the risk of disrupting medical efforts or critical supply chains, she said.
MEASURES AGAINST THREATS
The Digital Economy and Society (DES) Ministry is looking into urgent as well as long-term plans to fight cybercrime.
DES Minister Chaiwut Thanakamanusorn said state agencies and corporations must remain vigilant in their operations, increase staff awareness about threats, and ensure their staff comply with the PDPA.
Over the long term, ministries and related state agencies must have a centralised database and applications to monitor threats, he said.
State agencies should cooperate with the Thailand Computer Emergency Response Team (ThaiCert) for threat monitoring, said Mr Chaiwut.
ThaiCert provides 250 agencies with monitoring services.
NCSA secretary-general Lt Gen Prachya Chalermwat agreed the healthcare sector is a major cybercrime target because of the lack of cybersecurity officers and limited budgets at local agencies and provincial hospitals.
These organisations are likely to develop their own budget applications, he said.
Since NCSA was founded in January this year, many agencies have discovered data breaches or hacking, said Lt Gen Prachya.
Some reports found cybercriminals offered to share ransom money with state agencies' staff in exchange for providing passwords or creating vulnerabilities in the system, which can lead to data breaches, he said.
Gp Capt Amorn Chomchoey, acting deputy secretary-general of NCSA, said his agency plans to devise three subordinate laws under the Cybersecurity Act by November, casting a light on organisations' CII and sectors that fall into this act's obligations.
Baseline security measures are needed to protect organisations' systems and data, he said.
Gp Capt Amorn said NCSA is working with computer emergency response teams from the government, telecom and banking sectors, along with the Technology Crime Suppression Division of the Royal Thai Police to fight against cybercrime.
TELECOM DEFENCE
Vichaow Rakphongphairoj, president of the Telecommunications Association of Thailand, said cybersecurity threats have intensified using more sophisticated tactics as people engage more with the online world.
The popularity of cryptocurrencies is leading cybercriminals to find ways to steal the digital coins, which can be an easier way of making money than selling leaked data or blackmail, he said.
The Thailand Telecommunication Computer Emergency Response Team (TTC-CERT) was formed last year to guard against cyberthreats to the telecom sector, sharing information among members, said Mr Vichaow.
"Thailand needs to raise awareness about the issue from the top, from the country's leadership to its citizens," he said.
"Don't wait until damage happens."
Somchai Lertsutiwong, chief executive of Advanced Info Service (AIS), the country's largest mobile operator, said the company regularly detects efforts to try to access its data platforms unlawfully, as happens with other big corporations and infrastructure providers that handle huge databases.
Corporations must have effective software and systems in place, while their security operation centres must constantly monitor so threats can be quickly detected and tackled in time, he said.
COSTLY BUT CRUCIAL
State and private hospitals may need to consider adopting blockchain technology to better protect patients' data against criminals armed with new hacking tools, said Boon Vanasin, chairman of Thonburi Healthcare Group Plc (THG).
Fewer than five hospitals in Thailand use a blockchain-based protection system because the technology requires a huge investment, he said.
"We expect to spend more than 100 million baht to gradually install blockchain technology at our hospitals and those allied with Ramkhamhaeng Hospital," said Dr Boon, referring to a total number of around 40 hospitals.
Information in the blockchain system is saved in a series of blocks that make up a blockchain.
The technology prevents manipulation of data blocks, considerably reducing criminals' ability to make changes to the information.
THG began using blockchain technology at its Thonburi Hospital 1 and Thonburi Bamrungmuang Hospital more than two years ago under a pilot project covering 30,000 patients, he said.
"We are aware of patients' worries over data theft. Some have treatments and cannot disclose their illnesses as it may affect their work and associates," said Dr Boon.
The recent hack of patient data was not the first such incident in the healthcare sector. Some hospitals under the Public Health Ministry previously encountered ransomware attacks attempting to steal data for sale on the dark web.
He believes hackers only retrieved basic information such as names, phone numbers and addresses because many hospitals installed systems that can prevent illicit access to "deep-level data" that includes illnesses and treatments.
Veeraya Paocharoen, executive director of Paolo Hospital Phaholyothin, under the Phyathai-Paolo Hospital Group, said the group is using the Hospital Information System to manage data and prevent hacking.
This system is "strong and effective" in keeping cyber-attacks at bay, he said.
FINANCIAL DEFENCE
Bank of Thailand assistant governor Siritida Panomwon Na Ayudhya said the central bank has been monitoring cyber-risk protections for financial systems and upgrading cybersecurity standards.
The central bank is logging cyber-risks and using pre-emptive practices, she said.
The regulator wants to ensure financial institutions -- both banks and non-banks -- can complete transactions for consumers smoothly with high security standards, said Ms Siritida.
The central bank set up its IT policies and regulations to catch up with technological development and new risks, she said.
The regulator collaborated with related parties, including the authorities, companies and international organisations to improve cyber-risk protection, covering both human resources and equipment.
The arrangement sees the central bank and partners have discussions, share information and hold training programmes on handling risks.
The Bank of Thailand also supported financial institutions setting up the Thailand Banking Sector Computer Emergency Response Team to collaborate on ensuring the cybersecurity of the whole financial sector.
LESSON LEARNED
After British Airways suffered a data breach of around 400,000 passenger records in 2018, developers who provided passenger service systems tightened their security systems for airlines to safeguard passengers' personal data, including payment cards and booking details, said Nok Air chief executive Wutthiphum Jurangkool.
"Since the cybersecurity incidents with a few airlines in recent years, we have to be stricter about authorisation for data access and frequently test security systems against hacking processes," he said.
"The Thai PDPA law caused our airline to recruit experts to help prepare the IT and security systems to safeguard personal information."
As a result, the working team advised the airline to change the infrastructure system by using the standard guidelines from the General Data Protection Regulation, which is the European Union's data protection regime.
Nok Air uses a system from Navitaire, a subsidiary of Amadeus, which is a well-known IT service provider in the hospitality and aviation sector.
This system has been upgraded and audited by developers to guard against data leak risks, said Mr Wutthiphum.
In addition to relying on a third-party IT provider, the airline also strengthened its in-house system to build another firewall, he said.
"Some IT infrastructure nowadays might be on a cloud server, but Nok Air still opts for a hybrid system, with a back-up database on the internal server under a closed loop system to prevent unauthorised attempts to reach personal data," said Mr Wutthiphum.