A server exploited by hackers to reach SingHealth's critical system, leading to Singapore's worst data breach in June, had not received the necessary security software updates for more than a year.
This server became one of the many pathways hackers exploited, as it fell through the cracks in Integrated Health Information Systems' (IHiS) oversight, a high-level panel heard yesterday.
Servers are typically patched several times a month.
Mr Tan Aik Chin, a senior manager of cancer service registry and development at the National Cancer Centre Singapore (NCCS), and Ms Serena Yong, the newly minted director of IHiS infrastructure services division, testified at a Committee of Inquiry (COI) hearing into the breach.
Mr Tan said he became the "convenient" custodian of the server in question. On paper, he was not supposed to manage the server, but had been doing so since 2014.
As the server is located at the NCCS, his counterparts at IHiS felt it was "convenient" to give him the username and password for the administrator account "in case they need me to help", he said before the four-member committee.
These counterparts later left the organisation, and no one else took over the management of the server.
NCCS belongs to the SingHealth cluster. Formed in 2008, IHiS is an agency which runs the IT systems of all public healthcare institutions here.
Mr Tan, whose main job is to plan business continuation programmes, said he was not trained in cyber security or server administration, and had not been given any standard operating procedures for managing security incidents.
The exploited server last received software updates in May last year, following the spread of the WannaCry ransomware that disrupted operations around the world. IHiS had circulated instructions to update all Windows servers. Some time in July this year, Mr Tan learnt that the exploited server became infected with a virus.
Automatic anti-virus software updates could not be made to the server as the software was too old. Mr Tan had to disconnect the server from the SingHealth network to do manual anti-virus software installation. Only then could the virus signatures be updated.
On July 10, when Mr Tan scanned the server, he detected three security threats: Two had been cleaned up, but one had been "quarantined".
The intrusions into SingHealth's electronic medical records system began undetected on June 27 before being discovered on July 4 and terminated by an IHiS staff member. The Cyber Security Agency of Singapore and upper management at IHiS and SingHealth were informed of the attack on July 10.
That was the day when Ms Yong realised Mr Tan had been managing this server. She had given a directive in 2014, under a previous role, that IHiS would not manage eight research servers, which then came under the care of Mr Tan.
The exploited server was not supposed to be among the eight, and the public hearings have not addressed how IHiS lost oversight of it. Ms Yong said she would review processes and structures for greater accountability, when asked by COI chairman Richard Magnus.