Exploited server in SingHealth cyber attack did not get security update for 14 months, COI finds

The intrusions on SingHealth's electronic medical records system began undetected on June 27 before being discovered on July 4 and terminated by an IHiS employee. ST PHOTO: SYAZA NISRINA

SINGAPORE - A server exploited by hackers to ultimately reach SingHealth's critical system, leading to Singapore's worst data breach in June, had not received the necessary security software updates for more than a year.

Servers are typically patched several times a month.

This server became one of the many pathways hackers exploited, as it fell through the cracks of Integrated Health Information Systems' (IHiS) oversight, the Committee of Inquiry (COI) heard on Thursday (Sept 27).

At the COI hearing into the breach, Mr Tan Aik Chin, a senior manager of cancer service registry and development at the National Cancer Centre Singapore (NCCS), testified that he became the "convenient" custodian of the server in question.

On paper, he was not supposed to manage the server, but he had been doing so in practice since 2014.

Because the server is located at the NCCS, his counterparts at IHiS felt it was "convenient" to give him the username and password for the administrator account of this server "in case they need me to help", he said before the four-member committee on Thursday.

These counterparts later left the organisation and no one at IHiS took over the management of the server.

The NCCS belongs to the SingHealth cluster. Formed in 2008, IHiS is an agency which runs the IT systems of all public healthcare institutions here.

Mr Tan, whose main task is planning business continuation programmes, said he was not trained in cyber security or server administration, and had not been given any standard operating procedures for managing security incidents.

The last time the exploited server received the necessary security software updates was in May last year, following the spread of the WannaCry ransomware that disrupted healthcare, manufacturing, transport and government operations around the world. IHiS had circulated instructions to update all Windows servers.

Mr Tan learnt that the exploited server became infected with a virus sometime in July this year - 14 months after the last security software update. An IHiS staff member could not update the anti-virus software within this server, as it was too old and had to be reinstalled. The IHiS staff member told Mr Tan to disconnect the server from the SingHealth network to perform manual anti-virus software installation and virus signature updates.

On July 10, when Mr Tan scanned the server, he detected three security threats, two of which had been cleaned up, but one had been "quarantined".

The intrusions on SingHealth's electronic medical records system began undetected on June 27 before being discovered on July 4 and terminated by an IHiS staff member.

The Cyber Security Agency of Singapore and upper management at IHiS and SingHealth were informed of the attack on July 10.

On Thursday, Ms Serena Yong, director of IHiS infrastructure services division, said that she was not aware that the server in question was not being managed by IHiS in practice.

She had given a directive in 2014 that IHiS would not manage eight research servers, which then came under the care of Mr Tan.

Before 2008, he was managing a mixture of application, database and research servers under the NCCS. But after IHiS was set up in 2008, it took over the management of everything except research servers.

The inquiry continues.

Join ST's WhatsApp Channel and get the latest news and must-reads.