COI on SingHealth cyber attack

Key employee says he didn't realise severity of incident

He had been on leave when e-mails were first sent alerting him to suspicious network activities

The SingHealth cyber attack compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong. ST PHOTO: SYAZA NISRINA

A key cyber-security employee at Integrated Health Information Systems (IHiS), SingHealth's technology vendor, was on holiday when suspicious activities were first detected on SingHealth's network in June this year.

This - coupled with an inadequate security set-up, failure to seek clarifications on the severity of the situation and a lack of initiative to venture out of specified job scopes - was the subject of examination during a hearing yesterday over the massive SingHealth cyber attack.

A four-member Committee of Inquiry (COI) heard the account of Mr Ernest Tan Choon Kiat, senior manager (Infra Services-Security Management) at IHiS, who said that he was alerted to suspicious network activities as early as mid-June after they were spotted by his subordinates.

"I did not read any of these e-mails at the time they were sent as I was on overseas leave in Japan from June 9 to 17. I only read them when I returned to Singapore on Monday, June 18," said Mr Tan, who was the only witness to testify yesterday, the third day of a public hearing to investigate the cyber attack on SingHealth.

The hearing did not address who - if anyone at all - was appointed to cover Mr Tan's duties when he went on leave.

There were also no details given on whether his subordinates reported the suspicious network activities to other superiors during Mr Tan's absence.

Multiple attempts were made to access SingHealth's electronic medical records (EMR) system - a critical information infrastructure (CII) in Singapore - to transfer information from June 27 to July 4.

The intrusions, which began undetected on June 27, were eventually discovered on July 4 and terminated by Ms Katherine Tan, a database administrator at IHiS.

It came to light through Mr Tan's account that there was only one computer at IHiS - even though it runs the IT systems of all public healthcare institutions - to carry out digital forensic examinations.

The Cyber Security Agency of Singapore (CSA) was informed of the attack on July 10.

The SingHealth cyber attack compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

The COI is tasked with shedding light on the events that contributed to Singapore's worst data breach and suggesting improvements. Headed by former chief district judge Richard Magnus, the committee held its first hearing behind closed doors on Aug 28.

Even after Mr Tan read the e-mails upon his return to work, he did not appreciate the severity of the situation, or follow up to seek clarifications. He said he was busy clearing e-mails and other work.

Mr Tan said he disagreed with a system engineer's description of the malware infection as an incident worth reporting, adding: "This was just a case of collecting a user's workstation for investigation."

Such cases were routine: IHiS had been receiving 40 to 50 security alerts daily for malware infection. It manages some 30,000 end-point devices, including computers and servers.

Mr Tan said malware investigation was "a fairly common occurrence".

Mr Tan did not suspect it was a serious security incident even when unauthorised attempts were made to connect to the EMR system.

"This was only an attempt to connect to the database. To my mind, this was not a reportable security incident," he said.

"The fact that several different username-password combinations had been used in attempting to connect to the database did not ring any alarm bells," he added.
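As an added example, not from the article or from IHiS's own tooling, the following Python shows the kind of check that would surface the pattern Mr Tan described: failed database logins from one host cycling through several usernames within a short window. The log format, field names, host names and thresholds are constructed for illustration.

```python
"""Flag credential guessing against a database from failed-login logs.

Added example, not from the article. Aggregates failed logins per source
host and flags hosts that tried several distinct usernames within a short
window. Log format and field names are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO timestamp> LOGIN_FAILED user=<name> src=<host>"
LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN_FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(lines):
    """Return (timestamp, user, src) for every parsable failure line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events

def flag_credential_guessing(lines, min_users=3, window=timedelta(minutes=10)):
    """Return {src: sorted distinct usernames} for each host that failed
    with at least `min_users` different usernames inside `window`."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(lines):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged

# Constructed sample: one workstation cycles through accounts, another fails once
SAMPLE_LOG = [
    "2018-06-27T09:00:01 LOGIN_FAILED user=svc_report src=ws-1042",
    "2018-06-27T09:00:07 LOGIN_FAILED user=dba_admin src=ws-1042",
    "2018-06-27T09:00:15 LOGIN_FAILED user=emr_app src=ws-1042",
    "2018-06-27T09:30:00 LOGIN_FAILED user=jdoe src=ws-2201",
]

if __name__ == "__main__":
    print(flag_credential_guessing(SAMPLE_LOG))
```

A single failure from a host is ignored, so the rule stays quiet on ordinary mistyped passwords while the multi-account pattern is escalated regardless of whether any connection ultimately succeeded.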

Even after learning that two workstations and one Citrix server - which is linked to the EMR database - were being forensically examined, he did not realise the severity of the situation.

"It was still not a confirmed security incident," said Mr Tan.

Even if a cyber-security incident had occurred, Mr Tan did not think that it would be his job to escalate the matter.

"The responsibility for escalating a security incident lies with the security officer of the affected healthcare entity," he said, citing a standard operating protocol.

In SingHealth's case, the security officer is SingHealth's cluster information security officer.



A version of this article appeared in the print edition of The Straits Times on September 26, 2018, with the headline "Key employee says he didn't realise severity of incident".