The SingHealth cybersecurity attack illustrates the crucial need for a proactive and communicative team, and that is why the absence of such qualities in the workplace culture at IHiS needs to be rectified thoroughly, said chief executive officer Bruce Liang.
Testifying at the hearing before the Committee of Inquiry (COI) on the cyberattack on Thursday (1 Nov), Mr Liang said: “The culture should be that even if you’re not sure, consult your peers, reports upwards (to superiors), keep them in the loop and at the same time, superiors also have to recognise that people are telling them information without confirmation and should give staff sufficient breathing space.”
When probed by Solicitor-General Kwek Mean Luck as to how he would suggest improving the system in terms of detecting and reporting incidents of such infiltration at IHiS — the IT arm of the Ministry of Health — Mr Liang replied: “There is an art involved… a fair bit of intuition (in reporting cyberattacks). There is a certain amount of judgement involved.”
Mr Liang added that while he “liked” how the frontline team had surfaced the suspicious activities to the security team, he “had an issue” with the follow-up responses of the team.
He pointed out that “while it may not be immediately clear” if the dubious repeated attempts to enter the system “are deliberate,” such attempts should have been “clearer” throughout the course of investigations between 12 June and 26 June.
Mr Liang argued that the repeated attempts at logging in “should have been classified as a security incident before June 26.”
“In general, I think we need to see more initiative across the organisation,” he said.
Despite his grievances about the work culture at IHiS, Mr Liang assured that he did not “spot any major technical incompetence” among his employees who gave evidence to the COI, adding that all of them have been “extremely honest” in their answers and there was “complete transparency” in their testimonies.
Present mechanism for checks and balances failed to detect and rectify “high-risk weaknesses”
The failure to detect and rectify “high-risk weaknesses” in a cloud server used to access patients’ medical records, more than a year after IHiS executives were informed about such weaknesses, revealed the inadequacy of the current mechanism for checks and balances in the system.
The weaknesses were found after a simulated attack was carried out in March last year on the H-Cloud, a cloud drive linked to the patient database, to test the robustness of IT systems in the public healthcare sector.
An audit report detailing the findings of the simulated attack was submitted to IHiS’ audit and risk committee two months later.
Subsequently, Mr Liang said he had expected the “relevant IHiS staff to take immediate action” to fix the loopholes in the system.
However, approval was needed from group chief information officer of SingHealth Benedict Tan.
Following that, Mr Liang said that he was not notified by either his staff or the audit team regarding remedies to the vulnerabilities in the system from May last year to August this year, until external auditors “surfaced three outstanding issues” from the report during the latter period.
Mr Liang highlighted that while compliance checks are a “second line of defence,” IHiS strives to improve such checks in light of the cybersecurity breach.
Delays in installation of ATP systems due to “long negotiations over terms and conditions” with supplier: Mr Liang
Mr Liang also testified that Advanced Threat Protection (ATP) systems were originally scheduled to be installed last year, but the tender for the installation had lapsed due to “long negotiations over terms and conditions” with a supplier.
By the time the cybersecurity breach took place, IHiS had only begun to open up the tender — and subsequently award it — in June this year.
While the ATP system was expected to be completed two years from now in Mar 2020, the cybersecurity attack pushed IHiS to urgently bring forward a complete and thorough installation of the system on all 60,000 end-point devices and more than 6,000 servers across public healthcare institutions by this month.
Agents carrying out advanced persistent cyber threats are typically funded by foreign states, and were pinpointed by the Government as the perpetrators of the SingHealth cyber attack.
The COI hearing will continue today (2 Nov), with senior management from SingHealth and the Ministry of Health expected to take the stand.