COI on SingHealth cyber attack: Alarm bells did not ring for key cyber-security employee despite suspicious activity


SINGAPORE - A key cyber-security employee at Integrated Health Information Systems (IHiS), SingHealth's technology vendor, was on holiday when suspicious activities were first detected on SingHealth's network in June this year.

This - coupled with failure to seek clarifications on the severity of the situation and a lack of initiative to venture out of specified job scopes - was the subject of examination during a hearing over the massive SingHealth cyber attack.

A four-member Committee of Inquiry (COI) heard the account of Mr Ernest Tan Choon Kiat, senior manager (Infra Services-Security Management) at IHiS, on Tuesday (Sept 25), the third day of the public hearing to investigate the cyber attack on SingHealth.

Mr Tan, the only witness to testify during Tuesday's public hearing, was alerted to suspicious network activities as early as mid-June, when they were first spotted by his subordinates.

"I did not read any of these e-mails at the time they were sent, as I was on overseas leave in Japan from June 9 to 17. I only read them when I returned to Singapore on Monday, June 18," he said.

The public hearing on Tuesday did not address who - if anyone at all - was appointed to cover Mr Tan's duties when he went on leave. No details were given either on whether his subordinates reported the suspicious network activities to other superiors during Mr Tan's absence.

Multiple attempts were made to access SingHealth's electronic medical records (EMR) system - a critical information infrastructure in Singapore - to transfer information from June 27 to July 4.

The intrusions, which began undetected on June 27, were eventually discovered on July 4 and terminated by Ms Katherine Tan, a database administrator at IHiS.

The Cyber Security Agency of Singapore (CSA) was informed of the attack on July 10.

The SingHealth cyber attack compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

The COI is tasked to shed light on the events that contributed to Singapore's worst data breach. The COI, headed by former chief district judge Richard Magnus, held its first hearing behind closed doors on Aug 28.

Even after Mr Tan read the e-mails, he did not appreciate the severity of the situation or follow up to seek clarifications. He said he was busy clearing e-mails and other work.

Mr Tan said he disagreed with a system engineer's description of malware infection as an incident worth reporting, adding: "This was just a case of collecting a user's workstation for investigation."

For instance, IHiS had been receiving 40 to 50 security alerts daily for malware infection. It manages some 30,000 end-point devices, including computers and servers.

IHiS is an agency which runs the IT systems of all public healthcare institutions.

Mr Tan said malware investigation was "a fairly common occurrence and would be based on suspicion".

Alarm bells also did not ring for Mr Tan even when attempts were made to connect to the EMR system.

"This was only an attempt to connect to the database. To my mind, this was not a reportable security incident," he said.

He added: "The fact that several different username-password combinations have been used in attempting to connect to the database did not ring any alarm bells."

Even after he realised that two workstations and one Citrix server, which is linked to the EMR database, were being forensically examined, alarm bells still did not ring for him.

"It was still not a confirmed security incident," said Mr Tan.

Even if a cyber-security incident had occurred, Mr Tan did not think it would be his job to escalate the matter.

"The responsibility for escalating a security incident lies with the security officer of the affected healthcare entity," he said, citing a standard operating protocol.

In SingHealth's case, the security officer is SingHealth's cluster information security officer.

It also came to light on Tuesday that there was only one computer at IHiS to carry out digital forensic examinations, which contributed to delays in determining the severity of the unauthorised intrusions.
