COI on SingHealth cyber attack

IT vendor employee found alleged flaw in system in 2014

He was dismissed for alerting rival vendor but no action was taken on supposed loophole

According to an e-mail forwarded by then IHiS chief executive officer Chong Yoke Sin, an IHiS employee had flagged a "loophole" in SingHealth's electronic medical records system. ST PHOTO: SYAZA NISRINA

An employee of SingHealth's IT vendor had found an alleged flaw in its electronic medical records (EMR) system in 2014 that could allow anyone access to the critical data stored within.

He then offered this information - which he claimed "could lead to a serious medical leak or even a national security threat" - to a rival software vendor, the Committee of Inquiry (COI) into Singapore's biggest data breach heard yesterday.

Mr Zhao Hainan, a former systems analyst at Integrated Health Information Systems (IHiS), wrote an e-mail on Sept 17, 2014, to flag an alleged "loophole" in the EMR system supplied by Allscripts Healthcare Solutions. He sent it to Allscripts' rival, Epic Systems.

This supposed coding flaw could allow hackers to "gain admin control of the whole database easily", he wrote. Even medical students, nurses and pharmacists could have such access, Mr Zhao alleged.

Yesterday, the COI scrutinised the actions Mr Zhao took, his dismissal on the same day that then IHiS chief executive officer Chong Yoke Sin found out about the e-mail, and why his superiors did not take action on the supposed "loophole" found.

IHiS is an agency formed in 2008 to manage the IT systems of all public healthcare institutions here.

Solicitor-General Kwek Mean Luck said on Friday last week that the failure to plug the alleged security hole could have contributed to June's cyber attack on SingHealth.

Hackers gained access to SingHealth's EMR system and transferred information from June 27 to July 4. The breach compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

But during yesterday's hearing, IHiS staff revealed they did not think much about the "loophole". Therefore, they did not investigate if it was indeed true. Instead, they focused on disciplining Mr Zhao.

Dr Chong, who left IHiS in 2016 and is now StarHub's chief of enterprise business group, said she had considered Mr Zhao's action to be "primarily a disciplinary issue, and not an IT security issue", and that she had an impression that his motive for disclosing the discovery to Epic was for personal gain.

She also did not know the details of the alleged loophole. Neither did she ask her staff for it to be verified. She also assumed that the problem would be rendered "irrelevant" as IHiS had just upgraded the EMR system architecture. She received the "loophole" e-mail from Allscripts, which had got it from Epic Systems, on Sept 18, 2014.

In the e-mail, Allscripts Asia Pacific chief executive David Chambers wrote that what Mr Zhao flagged was "very serious" and must be taken as "genuine", as the latter had worked for Allscripts in its development laboratory. On the same day, Dr Chong forwarded the e-mail to Mr Clarence Kua, who works for IHiS and is assigned to SingHealth as its deputy director (chief information officer's office).

Yesterday, COI chairman Richard Magnus and deputy senior state counsel Sarah Shi took turns to ask why Mr Kua did not take the initiative to check what the alleged security flaw was. Mr Kua repeatedly replied that he did only what he was asked to by Dr Chong. "My focus was to double-check the private e-mail address of Mr Zhao to verify that he was the person who had sent the e-mail to Epic," he said.

Mr Zhao's accounts with IHiS and SingHealth were terminated on Sept 18, 2014 - the day Dr Chong received the "loophole" e-mail. Mr Zhao was dismissed and escorted out of the office on the same day.

Yesterday, IHiS' lawyer, Senior Counsel Philip Jeyaretnam, said Mr Zhao - who testified during a private hearing on Thursday - had confessed he was "angry" with IHiS and Allscripts over not being allowed to do coding. He said that as a result, Mr Zhao would not have shared details of the flaw with IHiS to help the organisation.

Dr Chong supported the character assessment, saying Mr Zhao had "a history of poor work performance", citing information received at that time from human resources.

But Mr Zhao's supervisor, Ms Angela Chen, testified yesterday that he had a good relationship with his colleagues, and was a "very good worker" and "technically strong".

Dr Chong, who was involved in the formation of IHiS as its first chief executive officer, said she was involved in evaluating the EMR system from its supplier Allscripts. She did so along with cluster leaders as well as SingHealth's then deputy chief executive Karen Koh.

Dr Chong said the EMR system - which was adopted around the time she became chief executive in April 2008 - was chosen because of its functionality, and the main focus at that time was not on its security.

She cited other factors like resilience, though she added that a balance needed to be struck between functionality and security. The inquiry continues on Monday.

Correction note: An earlier version of the report stated that Dr Chong Yoke Sin said she was involved in evaluating the EMR system from supplier Allscripts with cluster leaders as well as SingHealth’s then deputy chief executive Ivy Ng. SingHealth has clarified that SingHealth’s then deputy chief executive was Ms Karen Koh.

A version of this article appeared in the print edition of The Straits Times on September 29, 2018, with the headline 'IT vendor employee found alleged flaw in system in 2014'.