SingHealth cyber attack COI: Senior manager didn't sound alarm because he didn't want more work

Systems are still dependent on human judgement.

Sulaiman Daud | November 01, 2018, 06:01 PM

In July 2018, the government announced that the worst cyber attack in Singapore's history had been attempted.

Non-medical records of some 1.5 million patients had been stolen.

Information on 160,000 patients’ outpatient dispensed medicines were also stolen, including that of Prime Minister Lee Hsien Loong.

Following the attack, the government set up a Committee of Inquiry (COI) to find out what happened.

It began on Aug. 28.

Details revealed so far have indicated that systems, properly secured or otherwise, are dependent on human judgement to function properly.

No written protocol

According to the Integrated Health Information System (IHiS), there is currently no written protocol on how staff should report cyber attacks.

IHiS has come under scrutiny by the COI set up to find out what led to the cyber attack that began in late June 2018.

IHiS is the agency that runs the IT systems of every public healthcare operator in Singapore.

Hesitance in reporting matter

According to The Straits Times on Nov. 1, Benedict Tan, SingHealth's chief information officer at IHiS, gave evidence at the COI on Oct. 31 and revealed the lack of a written protocol.

According to Benedict Tan, all IHiS staff should raise matters directly to their higher management, as the "speed" of reporting was more important than the "chain" of reporting.

He added that incidents should be reported quickly, even if the evidence is vague or not entirely clear at that point in time.

Said Benedict Tan:

"A bottleneck is not acceptable."

Forewarned, but no alarm raised

Tan was referring to statements made by Ernest Tan Choon Kiat, a senior manager in charge of IHiS's cyber security.

Ernest Tan had also taken the stand to tell the COI what went down in the days leading up to the attack.

Intrusions into SingHealth's electronic system of medical records began on June 27.

However, an IHiS systems engineer, Benjamin Lee, alerted his superiors to "suspicious network activities", including Ernest Tan, on June 13 through an internal chat group.

But Ernest Tan was on leave at the time.

Even when he returned to Singapore on June 18, he was "not concerned" and chose to wait for forensic analyses to be conducted first instead of raising the alarm.

Ernest Tan also did not see it as his responsibility to raise the alarm.

Wee Jia Huo, another cluster information security officer who is Ernest Tan's superior, was also a member of the group chat.

However, he did not raise the alarm either.

"No day, no night", so no escalation

Ernest Tan said reporting was necessary only if there was proof of a successful attack, as he was spending time figuring out its point of origin and how many times the database had been accessed.

He also claimed he was too busy "isolating, containing and defending the attack" to report it to the upper management and implicating him and his team with more work.

Said Ernest Tan:

"I thought to myself: 'If I report the matter, what do I get?' If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide them."

He maintained this position even after Lee sent another message to the group chat on July 4:

"We really need to escalate into incident... seems like someone managed to get into the SCM db already... attack is going on right now... attacker is already in our network."

By this time, they were aware that attempts had been made to access 100,000 patient records.

Ernest Tan did not reply immediately, but sent this message to the chat on July 6, saying there would be more work and pressure:

"Once we escalate to management, there will be no day, no night."

He also said that his mother was hospitalised on July 6, placing him under additional stress.

Plans were deferred

Another member of IHiS, Director of cyber-security governance Chua Kim Chuan, also gave evidence that plans to secure Internet access were scheduled for implementation.

According to another ST report on Nov. 1, a "remote browser solution" implemented would enable users to access the Internet without being connected directly to networks or servers.

It was selected over "Internet surfing separation", which delinks work systems from Internet access altogether.

IHiS had received feedback from the healthcare sector that Internet access was needed for day-to-day operations.

However, due to technical issues, implementation had to be pushed back to 2019.

But following the attack, Internet surfing separation was implemented by the Ministry of Health across public healthcare clusters.

It is intended to be for a limited period, although the Ministry might make it permanent practice in certain areas.

Related stories:


Content that keeps going

I want my life back.

Earn some karma points here. Say real one.

? vs ?
You're on the MRT. Do you read or surf?
Why not both??

Damn cheap movie tickets here.