COI on SingHealth cyber attack

Hard to find time to fix weakness in system, panel told

Healthcare institutions' round-the-clock operations cited as challenge

Goh Aik Guan (in pink shirt). PHOTO: LIANHE ZAOBAO

As public healthcare institutions operate round the clock, there is little room to set aside downtime to implement IT measures, a panel looking into the SingHealth cyber attack heard yesterday.

Given such operational challenges, the "high-risk weaknesses" found two years ago in the network link between Singapore General Hospital and cloud-based systems that host patient databases may not be fixed as quickly as expected, the Committee of Inquiry (COI) into the attack heard.

Mr Goh Aik Guan, managing director of MOH Holdings, gave a glimpse into the challenges faced by its technology arm Integrated Health Information Systems (IHiS) - which runs the IT systems of all public healthcare operators in Singapore - in plugging the weaknesses flagged.

"Take patching as an example. The IT infrastructure systems are complex, and it may not be technically feasible to immediately patch one system without affecting other layers of applications or hardware," he said.

On Thursday, the COI heard that some "high-risk weaknesses" found during an internal audit in 2016 were not remedied. It was said that IHiS' operations team reported to upper management that actions had been taken to plug the flagged vulnerabilities - without anyone verifying these had indeed been fixed. "My impression was that six out of nine audit observations have been closed, and that for the three remaining issues, there was some progress," said Mr Goh.

It is not known if SingHealth's attackers had exploited these weaknesses to access the patient databases, and details of the "high-risk weaknesses" have also not been disclosed because of national security interests.

The Cyber Security Agency (CSA) of Singapore spotted the same vulnerabilities - along with others - in its July investigations into June's cyber attack on SingHealth that led to the biggest data breach here. CSA also said that even if the vulnerabilities had been fixed, the attacker would have employed other means to break into SingHealth's network.

"My views on the need for a risk-based approach have not changed following the SingHealth cyber attack because the basic constraints faced in the public healthcare cyber security landscape have not and will not change," Mr Goh said. "System owners have to make that call whether residual risk is tolerable."

MOH Holdings is the Government's holding company for public healthcare assets.

Intrusions into SingHealth's electronic medical records system began undetected on June 27 but were terminated on July 4. The data breach compromised the personal data of 1.5 million patients and outpatient prescription information of 160,000 people.

That key management executives have roles in both the Ministry of Health (MOH) and IHiS was another issue raised during the hearing. For instance, IHiS' chief executive officer Bruce Liang wears the hat of MOH chief information officer, while Mr Chua Kim Chuan, MOH's chief information security officer, is also director of the cybersecurity governance department in IHiS.

Solicitor-General Kwek Mean Luck asked whether there would be a conflict of interest. Mr Goh replied: "There will always be a possibility of a conflict of interest, because (here) you have the one who implements the directives (being) the one who promulgates it."

The solution? Mr Goh said that measures would have to be taken to ensure that Mr Liang and Mr Chua report back to other MOH executives.

A version of this article appeared in the print edition of The Straits Times on November 03, 2018, with the headline Hard to find time to fix weakness in system, panel told.