SingHealth cyber attack: Senior manager didn’t report suspicious activity, for fear of working ‘non-stop’ to answer for it

At a hearing into the SingHealth cyber attack on Oct 31, 2018, a senior manager said that if he reported what he learnt about a possible breach into the database, he would have many people chasing him for answers and updates.

SINGAPORE — Two days after a junior staff member from the Integrated Health Systems (IHiS) informed a senior manager that an attacker had infiltrated SingHealth’s patient database on July 4, the superior still decided against reporting the cyber-security incident to higher management.

This was because he was afraid of being pressed to deliver answers, and his decision led to “a bottleneck” in the reporting of the breach.

In his reply to his subordinate on July 6, the senior manager said: “Once we escalate to management, there will be no day and no night… everyone in IHiS will be working non-stop on this case.”

These latest details emerged on Wednesday (Oct 31) at a Committee of Inquiry (COI) hearing for the cyber attack on public healthcare group SingHealth, which happened from June 27 to July 4.

The exchanges between Mr Ernest Tan, senior manager of the security management department at IHiS — the info-technology arm of the Ministry of Health (MOH) — and his colleagues, including junior staff member Benjamin Lee, were submitted as new evidence at the hearing.

During the cyber attack, 1.5 million patients had their personal data stolen, and 160,000 of them — including Prime Minister Lee Hsien Loong — also had their outpatient medication data extracted.

The four-member committee heard on Wednesday that Mr Lee told Mr Tan: “Seems like someone managed to get into the Sunrise Clinical Manager (SCM database) already… attack is going on right now.”

Mr Lee also urged his boss to report the incident to higher-level management. They were communicating in an internal messaging application used by IHiS and SingHealth employees.

Asked to explain why he decided not to do as Mr Lee advised, Mr Tan said he had thought to himself, “If I report the matter, what do I get?”

“If I report the matter, I will simply get more people chasing me for more updates,” he told the COI.

Mr Tan, who is the designated response manager for all security incidents involving SingHealth, added: “If they are chasing me for more updates, I need to be able to get more information to provide to them. I avoided reporting the matter as soon as it occurred to me to report it, because the clock will start ticking.”

He said that having to provide updates to senior management from MOH, the Cyber Security Agency of Singapore (CSA), IHiS and SingHealth would “put pressure” on his team.

In his earlier statement given in September, Mr Tan said that he did not think the attempted log-ins amounted to a security incident that was worth reporting, because “it was not confirmed that there had been successful access to any server”.

NOT REALLY HIS JOB TO RAISE ALARM

On Wednesday, Mr Tan again maintained that he did not feel a need to report the matter until he had obtained all the information deemed necessary to classify the attack as a security incident, which would include information about the impact of the attack and the identity of the attacker.

He added that even if a cyber-security incident had occurred, he did not think that it would be his job to raise the alarm.

This was because other personnel from IHiS’ senior management, such as the director for infrastructure services Serena Yong and Mr Clarence Kua, deputy director of the chief information officer's office, would escalate it.

Mr Tan broke down at the hearing when he was explaining why he declined to meet Ms Yong to brief her on the incident on July 7. He said that he was “too stressed to work that weekend” because his mother was hospitalised.

He met with his senior management only on July 9, a day before the cyber attack was confirmed and reported to the CSA.

When asked by MOH Holdings’ lawyer Chua Ying Hong if he would have escalated the incident knowing the severity of the cyber attack in retrospect, Mr Tan said that he would have discussed the matter with assistant director Han Hann Kwang, to whom he reports.

NO GOOD REASON TO THINK THAT WAY

Testifying on the same day, Mr Benedict Tan, SingHealth’s group chief information officer who is employed by IHiS, said that Mr Ernest Tan’s concern with facing “pressure to deliver answers” was unwarranted.

“Management would (provide) additional resources to assist in the response and management (of the security incident). I do not think that people will have to go about it alone.”

Therefore, this “bottleneck is not acceptable”, Mr Benedict Tan said.

IHiS’ director of cyber security governance Chua Kim Chuan, who also gave his testimony on Wednesday, said that there has been an established policy since July last year for IHiS employees to report IT incidents involving IHiS systems, including personal computers and workstations.

Mr Chua, who is also the chief information security officer of MOH, said: “If IHiS staff discover suspicious activities, they should investigate to rule out the possibility that there was an IT glitch or end-users’ IT issues. Following investigation, if they suspect a deliberate adverse event, they should inform their boss, or contact the security management department.”

Mr Chua added that there have been at least three “tabletop exercises”, or drills, conducted to prepare IHiS employees to classify and respond to cyber-security incidents.

They were done by external auditors such as PricewaterhouseCoopers and Ernst & Young in November 2016, last March, and March this year.

INVOLVING SENIOR MANAGEMENT IN SPOTTING THREATS

COI member Lee Fook Sun asked Mr Chua if such detection capabilities should also be present at the senior management level.

Mr Chua replied that it may not be wise to involve senior management in all cyber-security threats, as there could be numerous false alarms.

“There are many attempts that look alarming, but are no bigger than system bugs. If we start to involve senior management, then there may be ‘alert fatigue’, in which they may not act and follow up on all alarms.”

Adopting the “assume breach” mindset, where it is always assumed that the company’s assets have been compromised, also oversimplifies the challenges of cyber-security defence, Mr Chua said in his statement.

To this, COI chair Richard Magnus said that cyber-security defence was both an “art and a science”.

“A lot of evidence we’ve heard has to do with the science, (how to identify and classify an attack) but what can we do with regard to the art component?”

Mr Magnus added that the art component would involve studying the behavioural patterns of the attacker, and also the situational awareness of IHiS employees.

Mr Chua then acknowledged that the tabletop exercises may not fully prepare staff members to identify and respond to security incidents.

“During these exercises, we meet for one specific purpose, to rehearse and respond to a cyber attack, in a classroom setting. Participants will respond to (various) scenarios. (But) take them out of a classroom environment, the presence of mind and situational awareness may be different,” Mr Chua said.

COI member T K Udairam then remarked: “Quite unfortunately so.”

WHO OWNS THE DATABASE?

The testimony of Mr Benedict Tan on Wednesday raised questions about the ownership of the SCM, which holds patients’ electronic medical records.

He said that last year, the H-Cloud — a cloud server which was a pathway to the SCM database — had undergone penetration testing, a simulated attack to test the security of IT systems.

However, the SCM database itself, which is considered a critical information infrastructure, was not tested for vulnerabilities.

“Who owns it is still a subject of discussion,” Mr Benedict Tan said.

The public hearings continue on Thursday. Other senior management of IHiS and SingHealth are expected to testify.
