Lawmakers urge gov’t to boost ICT protection vs ‘malicious actors’

PhilHealth office in Quezon City. (FILE PHOTO)

MANILA, Philippines — State agencies and private entities should start fortifying their computer systems against cyberattacks, a senator said on Sunday, after hackers recently leaked 730 gigabytes of data from the files of the Philippine Health Insurance Corp. (PhilHealth), which refused to pay a ransom of $300,000 (about P17 million) for the stolen information.

Another lawmaker called the incident a “wake-up call” for all public agencies as she urged the government to be extra vigilant in protecting the data of its citizens.

“It is high time that we take the necessary steps to protect our critical information infrastructure by ensuring, at the minimum, compliance with international standards and globally accepted best practices for cybersecurity,” Sen. Sherwin Gatchalian said in a statement.

According to Gatchalian, the country’s information and communications technology (ICT) systems and infrastructures should be able to withstand hacking and quickly recover should such incidents happen.

“With the increased use of digital technologies in our daily lives,” he pointed out, “malicious actors, from casual scammers to highly sophisticated state-based groups, hunt for vulnerabilities in ICT systems and networks to steal information, disrupt essential services, and profit from attacks.”

Gatchalian said that adopting and implementing minimum information security standards was “a globally accepted best practice” to effectively protect “the confidentiality, integrity, and availability of information that is vital to the nation.”

‘Central authority’

Based on the findings of the National Privacy Commission, the data leaked by Medusa, a clandestine group that had admitted hacking into PhilHealth computers, included the personal information of possibly hundreds of thousands of the state insurer’s beneficiaries.

Gatchalian had filed Senate Bill No. 2066, or the proposed Critical Information Infrastructure Protection Act, to require all critical information institutions (CII) to strengthen their cybersecurity systems.

Under the measure, he said the Department of Information and Communications Technology (DICT) would be mandated to “determine and update information security standards and require CII institutions to comply with such standards.”

“It mandates the National Computer Emergency Response Team to act as the central authority for computer emergency response teams in the country and to administer the centralized information security incident reporting mechanism that would cover industries that include banking and finance, broadcast media, emergency services and disaster response, energy, health, telecommunications and transportation, among others,” Gatchalian added.

Other potential targets

House Deputy Minority Leader and ACT Teachers Rep. France Castro, on the other hand, warned of possible hacking attacks on other targets should the government fail to take extra steps to put in place adequate safeguards.

Castro said that the hacking of PhilHealth computers should alert all public agencies as she also called on the government to be more careful about handling the data of its citizens.

Along with her colleagues from the three-member Makabayan bloc, she filed a resolution last week calling for an inquiry into the cyberattack.

“Now imagine if these hackers target the database of the SIM registration, as well as that of the National ID system, the majority of Filipinos’ private data would be compromised,” Castro said.

She called on the DICT to come up with guidelines or minimum requirements for the “cyberdefense” of all government agencies and data repositories.

“It is almost laughable, if it is not so dangerous, that PhilHealth even sent out the alert that it was hacked through free email which is both unofficial and more prone to hacking,” Castro said.

The best DICT can do, according to her, is to build “unhackable systems” or at least put up the “best cyberdefense available” to prevent any more attacks in the future.

But if the government could not do this, it should “stop collecting sensitive data from Filipinos that can be exploited by unscrupulous groups and individuals,” Castro said.

Take ‘precautionary measures’

PhilHealth asked its members to take “precautionary measures” against all sorts of online scams as a result of the ransomware attack on the state insurer’s systems last Sept. 22.

PhilHealth said it “strongly recommended” changing passwords of online accounts, enabling multi-factor authentication, monitoring suspicious activities in online accounts, not opening and clicking suspicious emails and links, and not answering suspicious calls and text messages.

In a statement on Sunday night, PhilHealth also said it is “ready to face any inquiry… to get to the bottom of the incident” and vowed to fully cooperate with investigating agencies such as the National Privacy Commission, the National Bureau of Investigation and the Philippine National Police.

“Being responsible for the information [security] of our members, we are ready to cooperate in investigations to further improve our cybersecurity system,” PhilHealth chief Emmanuel Ledesma Jr. said in Filipino.

“We assure the public that something great will come out of this incident to improve our service to our members,” he added.

—WITH A REPORT FROM DONA Z. PAZZIBUGAN
