Lack of frameworks exposed in COI into SingHealth breach
Key 'risk man' questioned in fourth day of public hearings on SingHealth hack
Failings in organisational processes and staff judgement were exposed by the committee probing June's SingHealth cyber attack, as a key technology "risk man" was grilled yesterday.
Mr Wee Jia Huo, cluster information security officer at Integrated Health Information Systems (IHiS) - which runs the IT systems of all public healthcare institutions here - told the four-member Committee of Inquiry (COI) that he did not conduct regular internal meetings.
As the one in charge of assessing and reporting risks, Mr Wee did not create a framework spelling out timely responses to cyber-security risks. He also revealed there was no process to appoint covering officers for when workers go on leave.
He was questioned by COI chairman and former chief district judge Richard Magnus on the fourth day of the public hearing into the incident, which compromised the personal data of 1.5 million patients and outpatient prescription records of 160,000 people, including Prime Minister Lee Hsien Loong and several ministers.
Mr Wee said he relies on IHiS' security management department - led by Mr Ernest Tan Choon Kiat, senior manager (Infra Services-Security Management) - to initiate any alerts on cyberthreats. Mr Tan was examined by the COI on Tuesday for similar failings.
UNDETECTED
The intrusions on SingHealth's electronic medical records (EMR) system began undetected on June 27 before being discovered and terminated on July 4.
Mr Wee told the hearing he was "copied" in e-mails sent by a system engineer reporting a malware infection in workstations as early as June, but he only "glanced through" them.
He noted he was included in a chat group titled "Citrix-SCM Incident", set up by the system engineer on June 13 to discuss attempts to access the EMR system. Even though such chat groups are rare, Mr Wee did not follow up.
He added: "I do not have my own system for keeping track of investigations being carried out... I would wait for them (Mr Tan's team) to inform me when necessary."
By July 4, Mr Wee had still not reported the incident to upper management despite knowing of attempts to access 100,000 EMR records, as he viewed it only as "a potential breach".
Mr Han Hann Kwang, assistant director (Infra Services-Security Management) at IHiS, clarified yesterday at the public hearing: "(It) does not mean that data has to be exfiltrated before an incident is considered a security incident. If there is unauthorised access or queries to a database, even if no records are returned or exfiltrated, it would still be a security incident."
He drafted the standard operating procedure for incident response, which was circulated to the cyber-security team and higher-ups in March this year.
Ms Kristy Tan, senior director at the Attorney-General's Chambers, said such an important document should not only be circulated to the cyber-security team, but also to the network and database teams in IHiS so that they know what to do when they encounter incidents on critical systems.