COI examines alleged security ‘loophole’ discovered in 2014 in SingHealth system

According to an e-mail forwarded by then IHis chief executive officer Chong Yoke Sin, an IHis employee had flagged a "loophole" in SingHealth's electronic medical records system. ST PHOTO: SYAZA NISRINA

SINGAPORE - Management inaction on an alleged security flaw in SingHealth's electronic medical records (EMR) system was scrutinised by the Committee of Inquiry (COI) into Singapore's biggest data breach on Friday (Sept 28).

Solicitor-General Kwek Mean Luck said in his opening statement last Friday that the failure to plug the alleged security hole could have contributed to June's attack.

During the sixth day of the public hearing, Mr Clarence Kua - who works for Integrated Health Information Systems (IHiS) and is assigned to SingHealth as its deputy director (Chief Information Officer's Office) - was cross-examined for more than two hours about why he failed to act on an e-mail he received on Sept 18, 2014.

Forwarded by then IHis chief executive officer Chong Yoke Sin, it said an IHiS employee had flagged an alleged "loophole" in the EMR system, which had been supplied by Allscripts Healthcare Solutions.

The coding flaw could allow hackers to "gain admin control of the whole database easily", and "this could lead to a serious medical data leak, or even a national security threat", the e-mail said.

The e-mail had originally been sent by IHiS system analyst Zhao Hainan to Allscripts' rival Epic Systems, inviting the latter to contact him to learn more about the alleged flaw. Allscripts somehow got hold of the e-mail and forwarded it to Dr Chong.

Mr David Chambers, Allscripts Asia Pacific chief executive officer, wrote in an e-mail to Dr Chong saying that the matter was "very serious" and must be taken as "genuine" as Mr Zhao had worked for Allscripts in its development laboratory.

COI chairman Richard Magnus and deputy senior state counsel Sarah Shi took turns to ask why it did not occur to Mr Kua to check what the alleged security flaw was.

Mr Kua repeatedly said: "My focus was to double-check the private e-mail address of Mr Zhao to verify that he was the person who had sent the e-mail to Epic."

To this, Mr Magnus said: "You can focus on two things at the same time."

Dr Chong sent a second e-mail on the same day to Mr Kua to ask him to verify that Mr Zhao was indeed responsible for the alleged "loophole" e-mail.

Mr Zhao's accounts with IHiS and SingHealth were terminated that day. Mr Zhao was also dismissed by Dr Chong and escorted out of the office on the same day.

On Friday, IHiS' lawyer, Senior Counsel Philip Jeyaretnam, said that Mr Zhao, during a private hearing a day before, had confessed he was "angry" with IHiS and Allscripts over not being allowed to do coding. As a result, Mr Zhao would not have shared details of the flaw with IHiS to help the organisation.

In contrast, Mr Zhao's supervisor, Ms Angela Chen, testified during Friday's public hearing that he had a good relationship with his colleagues, and was a "very good worker" and "technically strong".

Formed in 2008, IHiS is an agency which runs the IT systems of all public healthcare institutions here.

Ms Foong Lai Choo, IHiS director of programme delivery for clinical care, was also sent the first e-mail Dr Chong sent to Mr Kua. She is in charge of the operations and management of the EMR system.

During her testimony on Friday, she said she had "the impression that the loophole was not a big deal".

She also did not take action to investigate it, saying: "I believe there was some communication between Mr Chambers from Allscripts and (Dr Chong) but I was not included in the communications. I do not know what action, if any, was taken by Allscripts in relation to this matter."

Ms Foong noted that IHiS had immediately made a police report, but the case was closed.

Multiple attempts were made to access SingHealth's EMR system - a critical information infrastructure in Singapore - to transfer information from June 27 to July 4.

The breach compromised the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

The Cyber Security Agency of Singapore and upper management at IHiS and SingHealth were informed of the attack on July 10.

The inquiry continues.

Join ST's WhatsApp Channel and get the latest news and must-reads.