A database administrator with more than 20 years’ experience did not immediately recognise that the multiple failed attempts to log-in to the SingHealth database she had encountered on 4 July amounted to a “serious security incident”, a Committee of Inquiry (COI) investigating the worst ever cyberattack in Singapore was told on Friday (21 September).
Integrated Health Information Systems (IHiS) senior manager Katherine Tan, further acknowledged that even before 4 July, she had been aware of “various IT security incidents” that occurred in the database between June and July 2018. These consisted of multiple log-in attempts using non-existent or unauthorised accounts.
Tan had seen “unusual failed attempts” at logging-in through the software system SingHealth utilises for its electronic medical records (EMR). “By 12 June 2018, I was concerned that something was wrong. I did not know exactly what was taking place, but I knew that it was unusual,” said Tan, who manages more than 50 databases.
“I know that I had a responsibility to report this matter. However, I did not report the matter to anyone,” said Tan, as she assumed that the Applications team would look into the matter since she had informed them of the incidents. On 11 June, she had also escalated the matter to server administrators.
On 4 July, after being alerted by a colleague to an “unusual incident” in the database, Tan realised that “bulk amounts of data” were being queried from the SingHealth database. She then terminated these queries and escalated the matter to her supervisor.
In retrospect, Tan admitted that it should have been “immediately apparent” that IHiS was dealing with a serious security incident, as she should have realised that the separate incidents in June and July were linked.
Earlier on Friday, Solicitor-General Kwek Mean Luck told the COI that the initial response by IHiS staff to the attack, which occurred between 27 June and 4 July this year, was “piecemeal and inadequate”. He added that they “did not fully appreciate that multiple cyber security incidents were happening”.
In this regard, Tan noted in her conditioned statement that she had never been provided with any training or briefing on a security incident reporting framework. She also told the committee that even during an “urgent meeting” called by IHiS senior management on 9 July, the incident was not yet considered by the IT agency to be a cyberattack.
The personal particulars of 1,495,364 unique patients – including that of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database during the cyberattack. The data comprises the patients’ demographic records and the dispensed medication records of about 159,000 of them.
The four-member Committee of Inquiry is chaired by retired chief district judge Richard Magnus. The other three members on the committee are Lee Fook Sun, Executive Chairman of Ensign InfoSecurity; T K Udairam, Group Chief Operating Officer of Sheares Healthcare Management; and Cham Hui Fong, Assistant Secretary-General of the National Trades Union Congress.
Besides Tan, another witness from IHiS also took the stand on the first day of hearings: Lum Yuan Woh, assistant director (Infra Services – Systems Management), who first discovered on 11 June that certain accounts had been compromised.
The COI will hear from at least nine witnesses from the Ministry of Health, Ministry of Health Holdings, SingHealth, IHiS and the Cyber Security Agency during a series of public and private hearings until 5 October. It is then expected to submit a report on its findings and recommendations to Communications and Information Minister S. Iswaran by 31 December.