COI on SingHealth cyber attack

Weaknesses found in 2016 internal audit not rectified

IHiS bosses told action was taken to plug gaps but no one verified that this had been done

Integrated Health Information Systems chief Bruce Liang plans to tighten processes and boost training.
Integrated Health Information Systems chief Bruce Liang plans to tighten processes and boost training.

Some "high-risk weaknesses" found during an internal audit in 2016 of the network link between Singapore General Hospital and cloud-based systems that host patient databases were not remedied, a high-level panel looking into SingHealth's cyber attack heard yesterday.

While it is not known if SingHealth's attackers had exploited these weaknesses to access the patient databases, the new evidence pointed to more inadequacies at Integrated Health Information Systems (IHiS), tasked to run the IT systems of all public healthcare operators in Singapore.

Mr Bruce Liang, chief executive of IHiS, provided the evidence before the four-member Committee of Inquiry (COI).

Following up on this point with a summary of what was heard privately on Wednesday, Solicitor-General Kwek Mean Luck said yesterday that IHiS' operations team reported to upper management that action had been taken to plug the flagged vulnerabilities but without anyone verifying that it had been done.

The Cyber Security Agency (CSA) of Singapore spotted the same vulnerabilities - along with others - in its July investigations into June's cyber attack on SingHealth that led to the biggest data breach here.

CSA said in previous private hearings that the attacker would have employed other means to break into SingHealth's network even if the "high-risk weaknesses" had been fixed.

The details of the "high-risk weaknesses" were not shared in open court hearings.


Giving his evidence before the COI yesterday, Mr Liang said the audit team had "never previously indicated to me that there was a problem with the remediation actions" - until CSA knocked on his doors.

He said he relied on his directors to follow up on the action to be taken to plug the gaps.

  • New measures to boost security

  • Integrated Health Information Systems (IHiS) - which runs the IT systems of all public healthcare operators in Singapore - introduced a slew of new measures to strengthen public healthcare systems following the breach of SingHealth's network.

    • Suspicious IT incidents must be reported within 24 hours, even if initial investigations cannot confirm that they are malicious.

    • Two-factor authentication will be set up for all administrators who manage about 60,000 endpoint devices, such as workstations and laptops, across all public hospitals to thwart sophisticated hackers. This means administrators will need to enter a one-time password, generated either by a security token or delivered by SMS, to log in to systems to reset passwords or install software, among other administrative tasks.

    • IHiS' security operations centre will also have advanced features, including proactive threat-hunting and intelligence, to catch malicious activities that may have evaded detection.

    • Access control will be enhanced to allow only computers that have the latest security updates to plug into hospital networks. Machines that are not adequately protected will need the necessary security patches before they can rejoin the network.

    • A database activity monitoring system will also be rolled out to detect suspicious bulk queries to patient databases. IHiS does not have such automation at present, even though it handles an average of 42,000 queries per second.

    Irene Tham

The responses to the audit findings did not have to be cleared by him, he added.

Mr Liang said he will tighten processes by getting IHiS' technology personnel involved in checking on compliance measures taken by the operations team - adopting what he described as "three lines of defence".

It means that compliance checks will be performed by three teams: operations, technology and internal audit.

During his testimony, Mr Liang also said he would step up training because he felt the suspicious network activities detected as early as June 11 should have been reported by June 26, before the attack took place.

Intrusions into SingHealth's electronic medical records system - billed as the crown jewels of its network - began undetected on June 27, but were discovered on July 4 and terminated that day.

The attack compromised the personal data of 1.5 million patients and outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.

Besides training the security team on ways to identify suspicious events, Mr Liang will also work on promoting an organisational culture that accepts the reporting of suspicious activities, even if they may be false alarms, to avoid delays in reporting that contributed to the attack in June.

A version of this article appeared in the print edition of The Straits Times on November 02, 2018, with the headline 'Weaknesses found in 2016 internal audit not rectified'. Print Edition | Subscribe