SingHealth cybersecurity fiasco: IHiS employees in the dark on steps to take during cyber-attack due to inadequate training

In a public hearing before the Committee of Inquiry (COI) on Friday (21 Sep) regarding the SingHealth cyber attack, two employees from the information technology (IT) department of the Ministry of Health (MOH) revealed that they were in the dark as to what steps should be taken in the event of such an attack.

The two MOH IT staff noted in their testimony during the Committee’s first public hearing out of six that while there are existing guidelines regarding reporting such cybersecurity breaches, they were not adequately trained on how to manage such incidents themselves.

Database administrator with the Integrated Health Information Systems (IHiS) Ms Katherine Tan testified that she had alerted her supervisor, Ms Teresa Wu, to the cybersecurity breach while trying to shut down any ongoing activity in the electronic medical database.

In response, Ms Wu sent her a slide detailing the reporting framework, and directed her to refer to her colleagues who were dealing with the same issue in order to establish a consensus as to whether a report should be made, which Ms Tan had abided to.

However, Ms Tan said, “No one responded” to her query, adding that she “never followed up to press for an answer to the matter.”

Later on, up until the midnight of 5 Jul, she developed a script at home to combat and prevent more “unusual activity” from taking place in the system, adding that following the input of her script into the database, she was not notified of any further queries being made to the particular database, until approximately five days later when she was called upon to an “urgent meeting” at the IHiS headquarters regarding the incident.

“During the meeting of 9 Jul, the incident on 4 Jul was not yet considered by IHiS to be a cyber attack, although it was acknowledged to be a security incident,” said Ms Tan.

She was instructed on the following day to report to a war room set-up and to trawl the database — also known as the Sunrise Clinical Manager database — to monitor any failed log-in attempts that might have been made by the infiltrators whilst trying to hack into the IHiS database.

“No such framework was communicated to me either verbally or in writing. I was never provided with any training or briefing on (such a) framework,” Ms Tan said, adding that she also manages more than 50 other databases.

Assistant director in the systems management department of IHiS’ infrastructure division Mr Lum Yuan Woh confirmed Ms Tan’s account, saying that while he had knowledge of a framework, he noted that there was “no training or briefing” provided to him or any of his staff of seven people.

Referring to the failed log-in attempts into the Sunrise Clinical Manager database, he said that he had first noticed such activity on 11 Jun, which went on up to June 13. This observation was corroborated by Ms Tan. Both of them noted that the same activity was observed on 26 Jun, but was only truly detected on 4 Jul.

Mr Lum added that senior management, including SingHealth’s group chief information officer Benedict Tan, was notified only on 9 Jul, as he and his staff “did not think the (breach) would go beyond the local account,” and that initially, they were under the impression that it was not a “security incident,” but instead an “infrastructure incident”.

The attack was confirmed on 10 Jul. However, knowledge of the attack only went public ten days later.

Ms Tan is scheduled to continue her testimony in a closed hearing today (24 Sep).

Other key witnesses due to testify include chief information officer Bruce Liang from MOH, chief information security officer Chua Kim Chuan from MOH, and employees from MOH, SingHealth and IHiS.

The COI on the SingHealth cyber attack, which was dubbed as the largest data breach in Singapore’s history. was convened on 24 Jul.

Chaired by former Chief District Judge and current member of the Public Service Commission, Mr Richard Magnus, the COI comprises four members who were tasked to probe into the cybersecurity breach against SingHealth’s patients’ records in early July, which affected the personal medical data, such as the outpatient prescriptions of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong.