Enhanced cybersecurity urged amid PhilHealth data breach

MANILA, Philippines — All government agencies and the private sector must beef up their protection against cybersecurity threats, said Sen. Sherwin Gatchalian, as he pointed out that the hacking of state health insurer Philippine Health Insurance Corp. (PhilHealth) remains unresolved.

“It is high time that we take the necessary steps to protect our critical information infrastructure by ensuring, at the minimum, compliance with international standards and globally accepted best practices for cybersecurity,” Gatchalian said.

The senator noted the ongoing cyber attack on PhilHealth’s database wherein cyber criminals have asked for $300,000 in exchange for handing over decryption keys, while holding for ransom the data they illegally obtained.

He said more Filipinos and businesses rely on digital technologies to perform their daily tasks, especially after the COVID-19 pandemic. 

On average, Filipinos are estimated to use and consume 4.3 more digital services compared to pre-pandemic years. E-commerce also continues to grow exponentially and sales are expected to be valued at $10.3 billion by 2025, the senator said, citing estimates made by GlobalData.

“With the increased use of digital technologies in our daily lives, malicious actors, from casual scammers to highly sophisticated state-based groups, hunt for vulnerabilities in ICT (information and communications technology) systems and networks to steal information, disrupt essential services, and profit from attacks,” said Gatchalian.

“The adoption and implementation of minimum information security standards is a globally accepted best practice to provide guidance, which would lead to more efficient use of resources, improved risk management, consistent delivery of critical and essential services and effective protection of the confidentiality, integrity, and availability of information that is vital to the nation,” he added.

Gatchalian filed Senate Bill 2066, or the Critical Information Infrastructure Protection Act. The measure mandates all covered critical information institutions (CII) to adopt and implement adequate measures to protect their ICT systems and infrastructures, and respond to and recover from any information security incident.

He said the proposal also seeks to mandate the Department of Information and Communications Technology to determine and update information security standards and require CII institutions to comply with such standards. 

Gatchalian said the bill also intends to mandate the National Computer Emergency Response Team to act as the central authority for computer emergency response teams in the country, and to administer the centralized information security incident reporting mechanism that would cover industries that include banking and finance, broadcast media, emergency services and disaster response, energy, health, telecommunications and transportation.