In a cross-examination that lasted more than two hours on Friday (28 Sep), deputy director at the Chief Information Officer’s Office at SingHealth Clarence Kua was probed by the Committee of Inquiry (COI) as to why he had overlooked an alleged security flaw in SingHealth’s Electronic Medical Records (EMR) in 2014.
The sixth day of the public hearing witnessed Mr Kua, who is employed with the Integrated Health Information Systems (IHiS), being cross-examined by COI’s chairman Richard Magnus and deputy public prosecutor Sarah Shi regarding his failure to respond to an email he had received from then-chief executive officer of IHiS Chong Yoke Sin on 18 Sep 2014.
Mr Kua reiterated multiple times that “My focus was to double-check the private email address of Mr Zhao to verify that he was the person who had sent the email to Epic Systems,” to which Mr Magnus responded: “You can focus on two things at the same time.”
IHiS system analyst Zhao Hainan had flagged an alleged “loophole” in the EMR system, supplied by Allscripts Healthcare Solutions, that could allow hackers to “gain admin control of the whole database easily”, and “this could lead to a serious medical data leak, or even a national security threat.”
Zhao had originally sent the email to Epic Systems, a competitor of Allscripts, in a bid to get the former to contact him regarding the coding flaw. However, it was noted that Allscripts managed to get a hold of the email, and had subsequently forwarded it to Dr Chong.
Chief executive officer of the Asia-Pacific base of Allscripts David Chambers notified Dr Chong via email, highlighting the seriousness of the matter, and must be accepted as “genuine,” as Mr Zhao had worked for Allscripts in its development laboratory.
Dr Chong attempted to contact Mr Kua for the second time via email on the same day in a bid to get him to perform a verification process that will help confirm Mr Zhao’s role in the alleged “loophole” email. Subsequently, he also dismissed Mr Zhao, and had his accounts with IHiS and SingHealth terminated immediately.
Mr Zhao had confessed in a private hearing on Thursday that he was “angry” with IHiS and Allscripts over not being allowed to do coding, and that as a result, he would not have shared details of the flaw with IHiS to help the organisation, according to IHiS’ lawyer senior counsel Philip Jeyaretnam.
The testimony of Mr Zhao’s supervisor, Ms Angela Chen, on Friday however, contradicted Mr Jeyaretnam’s statement. She claimed that Mr Zhao was a “very good worker” and “technically strong,” and that he had a healthy relationship with his colleagues.
IHiS director of programme delivery for clinical care Foong Lai Choo also received the first email sent by Dr Chong to Mr Kua.
Ms Foong, who is in charge of the operations and management of the EMR system, claimed that “the loophole was not a big deal” upon first impression, and thus did not take action to investigate it, saying: “I believe there was some communication between Mr Chambers from Allscripts and (Dr Chong) but I was not included in the communications.
“I do not know what action, if any, was taken by Allscripts in relation to this matter.”
She also revealed that while IHiS had immediately made a police report, the case was subsequently closed.
Server left running in the absence of security updates, making the system susceptible to the cyberattack in July
On Thursday (27 Sep), it was revealed that a server within the National Cancer Centre (NCC) at the Singapore General Hospital was infected by a virus after being left to run without any security updates for a year, which made room for the cybersecurity breach of the medical data of approximately 1.5 million patients under the SingHealth system.
While no data was stolen from the server itself, that particular server as well as several others of its kind were manipulated by the hackers as means to infiltrate the Sunrise Clinical Manager, a platform that houses electronic medical records of patients under SingHealth.
It was alleged that a senior manager at the NCC had, unbeknownst to a senior officer at IHiS, had assumed the role of managing the server in 2016 as a part of a “convenient arrangement”.
Tan Aik Chin was given the login details of the local administrator account to the server between 2014 and 2015 in the event that IHiS staff required assistance regarding troubleshooting of the server.
Mr Tan acknowledged that the last time he had updated the server was in May last year upon IHiS’ instruction to update “all Windows servers” as a measure to combat the spread of the WannaCry ransomware, which took place worldwide.
He also revealed that he was resting on the assumption that the server would “automatically” be updated and had already contained antivirus software.
Upon receiving alerts that the server was infected, he was told to disconnect the server from the SingHealth network, and to subsequently install a new antivirus software after uninstalling the old one.
A scan he performed revealed that there were “three threats,” two of which “had been cleaned” while “one was quarantined,” all of which he did not understand why.
Following the scan, he reconnected the server to the SingHealth network and performed a manual update, after which he ran another full scan that showed zero threats.
Director of the infrastructure services division in IHiS Serena Yong — who is the highest-ranking government officer to have testified before the COI to date since the public hearings began on Sep 21 — said that she had no knowledge of Mr Tan’s role in handling the server, and that it was only after the cybersecurity breach was exposed on 10 Jul that she found out about his involvement.
Ms Yong was tasked to supervise and to make recommendations regarding software updates, having had previous experience in end-user computing solutions in IHiS since 2009. She was appointed as director this year.
She also revealed having received alerts regarding “problems” related to the Sunrise Clinical Manager database between 7-8 Jul.
While she was told by her deputy director that there would be a meeting on 9 Jul, she said that “she did not get the impression that it was a serious problem”. Additionally, she did not ask her staff members to run tests in the database after the meeting.
On Wednesday (26 Sep), it was revealed that it was only the day after the meeting that an IHiS staff discovered that a query returned data.
Ms Yong, upon further probing by Mr Magnus on Thursday, said that she was unaware of the attempt to extract the first 100,000 electronic medical records.
The COI on the SingHealth cyber attack, which was dubbed as the largest data breach in Singapore’s history. was convened on 24 Jul.
Chaired by former Chief District Judge and current member of the Public Service Commission, Mr Richard Magnus, the COI comprises four members who were tasked to probe into the cybersecurity breach against SingHealth’s patients’ records in early July, which affected the personal medical data, such as the outpatient prescriptions of 1.5 million SingHealth patients, including that of Prime Minister Lee Hsien Loong.