COI on SingHealth cyber attack: Failings in judgment, organisation exposed

The intrusions on SingHealth's electronic medical records (EMR) system began undetected on June 27 before being discovered on July 4, 2018.
The intrusions on SingHealth's electronic medical records (EMR) system began undetected on June 27 before being discovered on July 4, 2018.ST PHOTO: SYAZA NISRINA

SINGAPORE - Failings in organisational processes and staff judgment were exposed by the committee probing June's SingHealth cyber attack, as a key technology "risk man" was grilled on Wednesday (Sept 26).

Mr Wee Jia Huo, cluster information security officer at Integrated Health Information Systems (IHiS) - an agency which runs the IT systems of all public healthcare institutions here, told the four-member Committee of Inquiry (COI) that he did not conduct regular meetings with the agency's security management department.

Mr Wee - whose job is to decide whether incidents should be reported or brought to the attention of upper management, according to witnesses who testified - also admitted that he did not create a framework spelling out timely responses to cyber-security risks, and revealed that there was no process to appoint covering officers for when staff go on leave.

He was questioned by COI chairman and former chief district judge Richard Magnus on the fourth day of the public hearing into the incident, which compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

Mr Wee said he relies entirely on IHiS' security management department - a cyber-security team led by Mr Ernest Tan Choon Kiat, senior manager (Infra Services-Security Management) - to initiate any alerts or updates on cyberthreats. Mr Tan took the witness stand on Tuesday (Sept 25) and was examined by the COI for similar failings.

The intrusions on SingHealth's electronic medical records (EMR) system began undetected on June 27 before being discovered on July 4 and terminated by Ms Katherine Tan, a database administrator at IHiS.

Mr Wee told the hearing he was "copied" in e-mails sent by a system engineer reporting a malware infection in workstations as early as June. "The next morning, I glanced through the e-mails. I do not recall looking in detail at the logs and the screenshots in the first e-mail," he said.

 
 
 
 

Mr Wee noted that he was included in a chat group titled "Citrix-SCM Incident" set up by the system engineer on June 13, which also looped in Mr Tan who was on leave at the time.

The chat contained findings on attempts to access the EMR system.

Mr Wee said he did not contact Mr Tan, or follow up on the reported matter. "I do not have my own system for keeping track of investigations being carried out... I would wait for them (Mr Tan's team) to inform me when necessary," he said.

By July 4, Mr Wee had still not reported the incident to upper management, as he viewed it only as "a potential breach" based on information gathered at that time.

Investigations were going on to determine whether EMR records had been leaked, although he knew that there were attempts to access 100,000 records.

The COI also heard that Mr Wee failed to link two key events: The attempts to seek 100,000 EMR records and earlier failed attempts in May and June to exploit inactive administrator accounts to remotely log into a server linked to the EMR database.

The Cyber Security Agency of Singapore (CSA) and upper management at IHiS and SingHealth were informed of the attack on July 10.

Later in the day, Mr Han Hann Kwang, assistant director (infra services – security management) at IHiS, took the witness stand and provided clarification on the criteria for escalation.  He drafted the standard operating procedure for incident response, which was approved and circulated to the cyber-security team and higher-ups in March this year. 

“(It) does not mean that data has to be exfiltrated before an incident is considered a security incident. If there is unauthorised access or queries to a database, even if no records are returned or exfiltrated, it would still be a security incident,” he said. “Also, unauthorised access would be considered to violate IT security policies.”

Ms Kristy Tan, senior director at the Attorney-General’s Chambers, said that such an important document should not only be circulated to the cyber-security team, but also to the network and database teams in IHiS so that they know what to do when they encounter incidents on critical systems. 

Earlier on Wednesday, Mr Magnus asked if Mr Wee had spelt out how fast risks should be reported and contained, to which he replied “no”.

He also asked why Mr Wee only glanced at the content of the email copied to him in June. 

Mr Wee replied: “Investigation was being done. The result was not conclusive.”

COI member Lee Fook Sun, executive chairman of security firm Ensign InfoSecurity, asked what the consequences would be if Mr Wee were to report a false alarm to upper management. Mr Wee answered: “There would be no consequence.”

Mr Lee also asked how often chat groups such as the one titled “Citrix-SCM Incident” were set up. Mr Wee replied: “Not very often.”

The inquiry continues.