COI on SingHealth cyber attack

Team would have 'no day, no night' if I raised alert: Exec

IHiS' role in the SingHealth cyber attack, in which personal data of 1.5 million patients and outpatient prescription info of 160,000 were compromised, is under scrutiny. ST PHOTO: SYAZA NISRINA KHAIRUL LIZAN

Senior manager says he was under stress as mum was hospitalised soon after cyber attack

It was his job to sound the alarm on suspicious cyber activities in Singapore's biggest health network - but Mr Ernest Tan Choon Kiat decided not to, even though the warning signs were there.

The reason for his reluctance: It would lead to more work for him and his team and pressure from his bosses, with Mr Tan going so far as to claim that he and his team members would have "no day, no night".

Yesterday, he told the Committee of Inquiry (COI) looking into the country's worst cyber attack: "I thought to myself: 'If I report the matter, what do I get?' If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide them."

Mr Tan, who began tearing up when talking about the stress he was under after his mother was hospitalised soon after the cyber attack, is the senior manager in charge of the cyber security of infrastructure at IHiS - an agency that runs the IT systems of all public healthcare operators in Singapore.

IHiS' role in the SingHealth cyber attack - which compromised personal data of 1.5 million patients and outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers - has come under intense scrutiny before the four-member COI.

Since the inquiry began on Aug 28, a lack of awareness about the seriousness of the attack, a tardy response by IHiS staff and inaction by its management have been among the issues highlighted.

Intrusions into SingHealth's electronic medical records system - billed as the crown jewels of its network - began undetected on June 27 but were discovered on July 4 and terminated that day by a junior staff member, IHiS' database administrator, Ms Katherine Tan.

JULY 4

We really need to escalate into incident... seems like someone managed to get into the SCM db already... attack is going on right now... attacker is already in our network.

IHiS SYSTEM ENGINEER BENJAMIN LEE, in a message to an internal chat group.

JULY 6

Once we escalate to management, there will be no day, no night.

IHiS SENIOR MANAGER ERNEST TAN CHOON KIAT, in charge of the cyber security of infrastructure at his company, in a message to the same chat group. By then, he was aware that attempts had been made to access 100,000 patient records.

Mr Tan was alerted to suspicious network activities on June 13 by his subordinate, IHiS system engineer Benjamin Lee, on an internal chat group. Mr Wee Jia Huo, the cluster information security officer who is a senior staff member, was also included in the chat.

Mr Tan was on leave and did not read the messages until he was back in the country on June 18. After returning to work, he was "not concerned" with the reported incidents as he was waiting for forensic analyses to be done. Mr Tan also did not think that it would be his job to raise the alarm.

During Mr Tan's absence, his superior Mr Wee also did not take action, not realising the severity of the incidents.

Yesterday, Mr Tan reiterated that any reporting would only be necessary if it had been proven there had been a successful attack.

That meant figuring out where it originated from, who was behind it, whether the database was accessed and how many times, and the eventual impact.

He also claimed that he was too busy with "isolating, containing and defending" the attack, so much so that he did not have time to alert management.

His inaction continued even after his subordinate Mr Lee messaged the chat group on July 4: "We really need to escalate into incident... seems like someone managed to get into the SCM db already... attack is going on right now... attacker is already in our network."

By then, Mr Tan knew that attempts had been made to access 100,000 patient records.

Instead, he replied on the group chat on July 6: "Once we escalate to management, there will be no day, no night". He meant there would be a lot more work and pressure.

Getting emotional, he also described how on July 6, his mother was hospitalised, but he did not elaborate on her condition.

Mr Benedict Tan, the SingHealth cluster's group chief information officer at IHiS, also took the stand yesterday, saying there is value in reporting incidents quickly even if the evidence might be inconclusive or vague.

During the hearing, he also said all IHiS staff should raise matters to higher management directly, as "the speed of reporting is more important than the chain of reporting".

According to him, at present, there is no written protocol for how IHiS staff who discover cyber-security incidents related to SingHealth should report the matter. Referring to the information flow stopping at Mr Ernest Tan, he said: "A bottleneck is not acceptable."

 
A version of this article appeared in the print edition of The Straits Times on November 01, 2018, with the headline 'Team would have 'no day, no night' if I raised alert: Exec'.