COI on SingHealth cyber attack: Operational challenges in fixing system weaknesses quickly

Intrusions into SingHealth's electronic medical records system began undetected on June 27 but were terminated on July 4. ST PHOTO: SYAZA NISRINA

SINGAPORE - As public healthcare institutions operate round the clock, there is little room to set aside downtime for IT measures to be implemented, a high-level panel looking into the SingHealth cyber attack heard on Friday (Nov 2).

Given such operational challenges, the "high-risk weaknesses" found two years ago in the network link between Singapore General Hospital and cloud-based systems that host patient databases may not be fixed as quickly as expected, the Committee of Inquiry (COI) into the attack heard.

Mr Goh Aik Guan, managing director of MOH Holdings, offered a glimpse into the challenges faced by its technology arm Integrated Health Information Systems (IHiS) - which runs the IT systems of all public healthcare operators in Singapore - in plugging the weaknesses flagged.

"Take patching as an example. The IT infrastructure systems are complex, and it may not be technically feasible to immediately patch one system without affecting other layers of applications or hardware," he said at the hearing.

On Thursday, the COI heard that some "high-risk weaknesses" found during an internal audit in 2016 were not remedied. It was said that IHiS' operations team reported to upper management that actions had been taken to plug the flagged vulnerabilities - without anyone verifying that these had indeed been fixed.

"My impression was that six out of nine audit observations have been closed, and that for the three remaining issues, there was some progress," said Mr Goh on Friday.

It is not known if SingHealth's attackers had exploited these weaknesses to access the patient databases, and details of the "high-risk weaknesses" have also not been disclosed because of national security interests.

The Cyber Security Agency (CSA) of Singapore spotted the same vulnerabilities - along with others - in its July investigations into June's cyber attack on SingHealth that led to the biggest data breach here. CSA also said that even if the vulnerabilities had been fixed, the attacker would have employed other means to break into SingHealth's network.

On Friday, Mr Goh said: "My views on the need for a risk-based approach have not changed following the SingHealth cyber attack because the basic constraints faced in the public healthcare cyber security landscape have not and will not change."

He added: "System owners have to make that call whether residual risk is tolerable."

MOH Holdings is the Government's holding company for public healthcare assets.

Intrusions into SingHealth's electronic medical records system began undetected on June 27 but were terminated on July 4. The data breach compromised the personal data of 1.5 million patients and outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.