SINGAPORE - Chat messages that showed a bottleneck in the reporting of suspicious network activities came under the spotlight, as the third phase of public hearings on the SingHealth cyber attack started on Wednesday (Oct 31).
"Once we escalate to management, there will be no day no night," one message went, meaning that there will be a lot more work and pressure.
This message, along with several others from an internal chat retrieved from server log files, was presented as new evidence on Wednesday. They pointed to a bottleneck in the reporting chain at SingHealth's technology vendor Integrated Health Information Systems (IHiS), a four-member Committee of Inquiry (COI) heard.
Mr Ernest Tan Choon Kiat, senior manager (Infra Services-Security Management) at IHiS, had sent the message on July 6 - two days after the cyber attack was stopped by a junior staff member.
Mr Tan, a key cyber-security employee at IHiS, explained: "My focus was on isolating, containing and defending. I was so busy with this that I did not escalate to management about the security incident."
He also avoided reporting suspicious activities, to which he was alerted as early as mid-June, as he did not want to deal with the pressure that senior management would put on him and his team.
"I thought to myself: 'If I report the matter, what do I get? If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide them,'" he said, tearing as he recounted his mother's admission to a hospital accident and emergency department on the night of July 6.
The SingHealth cyber attack compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.
Intrusions into SingHealth's electronic medical records (EMR) system - a critical information infrastructure in Singapore - began undetected on June 27 but were discovered on July 4 and terminated by a database administrator at IHiS.
Mr Tan had taken the stand during the second phase of hearings in late September, during which the COI heard that he did not report suspicious network activities to senior management even though he was alerted to them as early as mid-June.
Even if a cyber-security incident had occurred, Mr Tan had said he did not think that it would be his job to raise the alarm.
On Wednesday, Mr Tan reiterated his position that reporting would be necessary only if an attack had been successful. This meant that he had to get complete information - including the impact of the attack, the identity of the attacker, where the attack was coming from, whether the database was accessed and if there were multiple attempts to access the database.
His inaction persisted even though IHiS system engineer Benjamin Lee had on July 4 messaged the chat group: "We really need to escalate into incident... seems like someone managed to get into the SCM db already... attack is going on right now... attacker is already in our network."
Mr Tan said he read Mr Lee's multiple alerts sent on June 13 and 26.
Also taking the stand on Wednesday was Mr Benedict Tan, the SingHealth cluster's group chief information officer at IHiS.
He urged all staff at IHiS to raise matters to higher management directly, saying that there is value in reporting incidents quickly even if the evidence might be inconclusive. He did the same on July 9, when he reported the incident to IHiS chief executive officer Bruce Liang "notwithstanding that the information I was given at that stage was still vague".
"A bottleneck is not acceptable," he said, referring to the information flow stopping at Mr Ernest Tan.
According to Mr Benedict Tan, there is no written protocol for how IHiS staff who discover cyber-security incidents related to SingHealth should report the matter.
The hearing continues with Mr Chua Kim Chuan, IHiS director of cyber-security governance, expected to take the stand later.