COI on SingHealth cyber attack: Weaknesses flagged in 2016 internal audit not remedied

New evidence pointed to more inadequacies at Integrated Health Information Systems, which was tasked to run the IT systems of all public healthcare operators in Singapore. PHOTO: ST FILE

SINGAPORE - Some "high-risk weaknesses" found during an internal audit in 2016 of the network link between Singapore General Hospital and cloud-based systems that host patient databases were not remedied, a high-level panel looking into SingHealth's cyber attack heard on Thursday (Nov 1).

While it is not known if SingHealth's attackers had exploited these weaknesses to access the patient databases, the new evidence pointed to more inadequacies at Integrated Health Information Systems (IHiS), tasked to run the IT systems of all public healthcare operators in Singapore.

Mr Bruce Liang, chief executive officer of IHiS, provided the evidence before the four-member Committee of Inquiry (COI).

Following up on this point with a summary of what was heard privately on Wednesday, Solicitor-General Kwek Mean Luck said on Thursday that IHiS' operations team reported to upper management that actions had been taken to plug the flagged vulnerabilities but without anyone verifying that they had been done.

The Cyber Security Agency (CSA) of Singapore spotted the same vulnerabilities - along with others - in its investigations into June's cyber attack on SingHealth that led to the biggest data breach here. The details of the "high-risk weaknesses" were not shared in open court hearings.

CSA said in previous private hearings that the attacker would have employed other means to break into SingHealth's network even if the "high-risk weaknesses" had been fixed.

Giving his evidence before the COI on Thursday, Mr Liang said the audit team had "never previously indicated to me that there was a problem with the remediation actions" - until CSA knocked on his door.

He said he relied on his directors to follow up on the actions to be taken to plug the gaps. The responses to the audit findings did not have to be cleared by him, he said.

Mr Liang said, going forward, he will tighten the process by getting IHiS' technology personnel involved in checking on compliance measures taken by the operations team - adopting what he described as "three lines of defence". It means that compliance checks will be performed by the operations team, the technology team and the internal audit team.

During his testimony, Mr Liang also said he would step up training as he felt the suspicious network activities detected as early as June 11 should have been reported by June 26, before the attack took place.

Intrusions into SingHealth's electronic medical records system - billed as the crown jewels of its network - began undetected on June 27 but were discovered on July 4 and terminated that day by a junior staff member, IHiS' database administrator, Ms Katherine Tan.

The attack led to the personal data of 1.5 million patients and outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers, being leaked.
