MANILA – An information security group has lauded the management of the Philippine Health Insurance Corp. (PhilHealth) for refusing to pay the USD300,000 (roughly PHP17 million) ransom demanded by the cybercriminals who hacked into its network on Sept. 22, but also urged the agency to enhance its cyber defenses.
Philippine Computer Emergency Response Team (PH-CERT) president Lito Averia said Tuesday that paying off the attackers does not guarantee a solution to the problem and opens doors to new complications.
“Paying ransom only incentivizes the attackers to launch similar malicious activities. There is risk that the attackers will not provide the decryption key or if the key provided will work upon payment of the ransom amount,” Averia said in a message to the Philippine News Agency (PNA).
PhilHealth’s management can also face legal issues if they decided to pay up since the ransom money could have come from contributions of members or public funds, he added.
Averia, however, pointed out that PhilHealth should be more specific as to those that have been put at greatest risk by the apparently successful cyber-attack.
He said the “urgent notice to the public” released by PhilHealth on Monday does not clearly distinguish which groups of data subjects, whether employees or members, are most affected by the ransomware attack and subsequent data breach.
PH-CERT’s president also noted that time is of the essence when trying to mitigate the damage caused by cyber-attacks.
He lamented that it took the agency more than a week after the breach to issue its notice to the public.
It was explained that affected employees and members are vulnerable to potential identity theft and unauthorized use of their personal information, to the extent that such personal information can be used in criminal activities.
In the aftermath of the data breach, Averia said Republic Act 10173, or the Data Privacy Act, requires that the PhilHealth management promptly “implement appropriate organizational, physical, and technical measures to protect the personal information of its employees and members.”
“It is lesson learned on the need to vigilantly protect personal and sensitive personal information. The health sector is considered critical infrastructure in many jurisdictions. Critical infrastructure is now managed using information and communication(s) technologies, as well as operational technologies, which need protection against malicious attacks, physical or digital,” Averia said.
PH-CERT is a non-profit aggrupation of information security professionals providing technical support and advice to various organizations.
Meanwhile, PhilHealth’s management assured that the members' database and other sensitive applications were not affected by the cyber-attack.
Emmanuel Ledesma Jr., PhilHealth president and chief executive officer, said during a press conference on Monday that “interim arrangements have been immediately implemented to ensure uninterrupted service to members in need.”
It was disclosed that because of the attack involving a ransomware program, “the state health insurer immediately executed a system shutdown as protocol, to prevent further widespread impacts.”
Ledesma, however, admitted that the cyber attacker successfully accessed employees' personal information and even memoranda.
PhilHealth’s management said it continues its efforts to fix its affected systems, including the health care institution portal.
It also urged the public to immediately report to them or the Department of Information and Communications Technology (DICT) any leaked information received from email addresses: [email protected] and [email protected].
“The DICT, in collaboration with the National Privacy Commission (NPC) and the cybercrime units of the National Bureau of Investigation (NBI) and the Philippine National Police (PNP), is actively conducting a comprehensive investigation into the cyberattack to ensure accountability for those behind the incident,” PhilHealth said in a statement. (PNA)