The committee investigating June's SingHealth cyber attack yesterday exposed failings in organisational processes and staff judgment through the testimony of a key technology "risk man".
Mr Wee Jia Huo, cluster information security officer at Integrated Health Information Systems (IHiS) - which runs the IT systems of all public healthcare institutions here - told the four-member Committee of Inquiry (COI) that he did not conduct regular internal meetings.
As the one in charge of assessing and reporting risks, Mr Wee did not create a framework spelling out timely responses to cyber-security risks. He also revealed that there was no process to appoint covering officers for when staff go on leave.
He was questioned by COI chairman and former chief district judge Richard Magnus on the fourth day of the public hearing into the incident, which compromised the personal data of 1.5 million patients and outpatient prescription records of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.
Mr Wee said he relies on IHiS' security management department - led by Mr Ernest Tan Choon Kiat, senior manager (Infra Services-Security Management) - to initiate any alerts on cyberthreats. Mr Tan was examined by the COI on Tuesday over similar failings.
The intrusions into SingHealth's electronic medical records (EMR) system began undetected on June 27, before being discovered and terminated on July 4.
Mr Wee said he was "copied" in e-mails sent by a system engineer reporting a malware infection in workstations as early as June, but only "glanced through" them.
He noted he was included in a chat group titled "Citrix-SCM Incident" set up by the system engineer on June 13. The chat contained findings on attempts to access the EMR system. Even though such chat groups are rare, Mr Wee did not follow up on the reported matter. He added: "I do not have my own system for keeping track of investigations being carried out... I would wait for them (Mr Tan's team) to inform me when necessary."
By July 4, Mr Wee had still not reported the incident to upper management even though he knew that there were attempts to access 100,000 EMR records, as he viewed it only as "a potential breach".
Mr Han Hann Kwang, assistant director (Infra Services-Security Management) at IHiS, clarified yesterday at the public hearing: "(It) does not mean that data has to be exfiltrated before an incident is considered a security incident. If there is unauthorised access or queries to a database, even if no records are returned or exfiltrated, it would still be a security incident."
He drafted the standard operating procedure for incident response, which was circulated to the cyber-security team and higher-ups in March this year.
Ms Kristy Tan, senior director at the Attorney-General's Chambers, said such an important document should be circulated not only to the cyber-security team, but also to the network and database teams in IHiS so that they would know what to do when they encounter incidents on critical systems.