A suspected security incident in January 2018 involving a workstation at the Medical Records Office thought to have been infected with malware was not escalated as it did not fall under reporting parameters for security incidents, a Committee of Inquiry (COI) was told on Tuesday (25 September).
Even after Benjamin Lee, a member of the Computer Emergency Response Team (CERT), discovered that 34 additional workstations were sending suspicious queries to the SingHealth database, the incident remained unreported. These were later ascertained to be legacy printer settings which had not been removed.
“This was not a reportable security incident (under SOP) as…the malware on the…workstation had been contained,” said Ernest Tan, a senior manager with the Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector.
According to Tan’s understanding of the Standard Operating Procedure (SOP) for reporting security incidents, an incident of this nature only has to be reported if there is “an actual breach or instance where (critical information infrastructure) was successfully compromised”.
“No steps were taken to identify the physical location of the workstations. No steps were taken to investigate if the workstations were infected with malware, except for the one workstation in (redacted) that Benjamin investigated,” added Tan in his conditioned statement.
It was the third day of hearings by the COI tasked with looking into the worst ever cyberattack in Singapore. The personal particulars of 1,495,364 unique patients – including that of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database during the cyberattack, which occurred between 27 June and 4 July this year.
The data comprises the patients’ demographic records and the dispensed medication records of about 159,000 of them.
Gaps in the SOP?
From June to July, Tan continued to follow SOP in dealing with subsequent incidents.
On 13 June, Lee created a chat group on messaging app Tigerconnect to address a number of possible security incidents that he had investigated that month. Earlier, he had taken forensic images from a workstation and was following up with forensic investigations.
While Tan was in this chat group, he did not view it as a security incident as, at the time, it was not confirmed that there had been a breach of the server. “However, I did not verify with anyone whether there had been successful access to any server.”
And while his role was to lead the security incident response team, Tan did not do so in the following days as he had just returned to work from leave and was “busy catching up on my work and other projects”. He was on overseas leave from 9 – 17 June.
Lee had also sent a series of emails about the suspected security incidents. “However, since this was only an attempt to connect to the SCM (Sunrise Clinical Manager) database, to my mind, this was not a reportable security incident,” said Tan, who has been with the agency since 2006.
“The fact that several different username/password combinations had been used in attempting to connect to the SCM database did not ring any alarm bells in my mind.”
It was only while dealing with a bulk query in July for the top 100,000 records from a particular database table that “alarm bells started ringing”, said Tan. But even after a meeting with colleagues on 5 July to discuss the incident, he did not recommend escalating the matter to IHiS senior management.
The four-member Committee Of Inquiry is chaired by retired chief district judge Richard Magnus. The other three members on the committee are Lee Fook Sun, Executive Chairman of Ensign InfoSecurity; T K Udairam, Group Chief Operating Officer of Sheares Healthcare Management; and Cham Hui Fong, Assistant Secretary-General of the National Trades Union Congress.
Ernest Tan is the sixth witness to testify before the committee so far. It will hear from witnesses from the Ministry of Health, Ministry of Health Holdings, SingHealth, IHiS and the Cyber Security Agency during a series of public and private hearings until 5 October.
The COI is then expected to submit a report on its findings and recommendations to Minister Iswaran by 31 December.