The ongoing Committee of Inquiry (COI) probe into the Singhealth data breach has turned up disturbing details of management inaction, inadequate action and delayed responses that may have led to Singapore’s biggest cyberattack, in which the personal details and medical records of 1.5 million patients were compromised.

Although cyber-security experts initially suggested that the nature of the unprecedented attack pointed to the work of state-sponsored hackers, revelations from the ongoing COI hearings have unearthed details showing an alarming work culture at the Integrated Health Information Systems (IHiS) – the central IT agency for the healthcare sector – may have made the work of hackers easier.

From senior management who turned a blind eye to alleged security loopholes, staff who did not seem to take initiative or acted slowly when they are faced with possible security threats, to shockingly poor password hygiene and poor system maintenance, the COI hearings have revealed a rough timeline of poor management that may have contributed to how easily hackers were able to infiltrate the Government health database.

The COI hearings show that the string of events that contributed to Singhealth being more easily compromised started in 2014, when IHiS chief executive officer Chong Yoke Sin was sent an email written by a staff member who revealed that he had discovered an alleged security “loophole” in the EMR system supplied by third-party company, Allscripts Healthcare Solutions.

The IHiS employee, system analyst Zhao Hainan, revealed that the coding flaw could allow hackers to “gain admin control of the whole database easily”, which could “lead to a serious medical data leak, or even a national security threat.”

Alarmingly, the email that Zhao Hainan wrote revealing this confidential information was not originally sent to Dr Chong – Zhao had actually sent the email to Allscripts’ rival Epic Systems, inviting Epic to contact him to find out more about the alleged loophole. Allscripts intercepted the email and forwarded it to Dr Chong.

Allscripts Asia Pacific chief executive officer David Chambers further warned Dr Chong in an email that the matter was “very serious” and must be taken as “genuine” since Zhao had worked in Allscripts’ development laboratory.

Dr Chong sent the email to IHiS employee Clarence Kua who was assigned to SingHealth as its deputy director (Chief Information Officer’s Office) on 18 Sept 2014.

Kua indicated to the COI that he had been too busy verifying Zhao’s private e-mail address to look into what the alleged security flaw was.

Zhao was subsequently terminated. IHiS’ lawyer, Senior Counsel Philip Jeyaretnam, claimed that Zhao had refused to share details about the coding flaw to IHiS since he was “angry” with IHiS and Allscripts over not being allowed to do coding.

Zhao’s supervisor, Angela Chen, disputed this claim when she testified that “technically strong” Zhao was a “good worker” who had a good relationship with his colleagues.

Meanwhile, Kua – who indicated to the COI that he preferred to take orders – said that he was more focused on the ethical breach of information than the coding flaw since that is what IHiS CEO seemed more concerned with.

Another IHiS officer who Dr Chong forwarded Zhao’s email to, IHiS director of programme delivery for clinical care Foong Lai Choo who is in charge of operating and managing the EMR system, testified that she had “the impression that the loophole was not a big deal”.

Like Kua, Foong did not look into the coding flaw since the organisation thought that an upgrade of the database’s system architecture would counter the flaw. Foong further testified:

“I believe there was some communication between Mr Chambers from Allscripts and (Dr Chong) but I was not included in the communications. I do not know what action, if any, was taken by Allscripts in relation to this matter.”

The case was closed after IHiS made a police report – that is until four years later in 2018, when IHiS database administrator Katherine Tan spotted suspicious patterns around 11 June that looked like someone was trying to breach the system by sending many access requests and hoping one would hit the mark.

This is a method hackers employ to breach servers called advanced persistent threat (APT) attack that involves customised malware that succeeded in disabling SingHealth’s antivirus and security tools. The hacker then used a publicly available hacking tool to breach an end-user workstation repeatedly to transfer information between 27 June and 4 July.

Cybersecurity Agency of Singapore (CSA) investigations showed that the hacker could more easily breach the end-user workstation because the workstation had not been well-maintained. It was running an old version of Microsoft Outlook that was not updated with a patch to counter the use of the hacking tool.

Careless system management, the failure to deactivate inactive administrative accounts connected to the medical records database, and poor password hygiene – with one local admin account having the shockingly easy password “P@ssword” – may have helped contribute to hackers easily penetrating the Government database.

Katherine Tan alerted her boss, Teresa Wu, about the potential breach who told Tan to approach her colleagues for another opinion. Katherine Tan said that she emailed her coworkers, No one responded to my query, and I never followed up to press for an answer to the matter.”

No further action was taken for close to a month after Tan sent the email.

Meanwhile, IHiS Cluster Information Security Officer Wee Jia Hou reported to the COI that he did not have a framework for reporting cyber threats and indicated that he merely scanned emails related to the matter since these kinds of matters were usually handled by IHiS Senior Manager for Infra Services-Security Management Ernest Tan.

Ernest Tan was holidaying in Japan when this was going on. Wee told the COI that there was no process to appoint covering officers for when staff go on leave.

When Ernest returned to work, he was busy “clearing emails” to appreciate the severity of the security threat. When he finally got to it, he decided that the matter was not a serious breach and that even if it was a “reportable security threat,” it would have been Wee’s job to escalate action against the threat.

When questioned on the back and forth between him and Wee, Ernest Tan cited standard operating protocol and said that the situation “did not ring alarm bells”.

Katherine Tan, however, diligently worked on the sidelines and independently developed a script to try and stop the unusual activity. Tan installed the software on 5 July – nearly a month after she first spotted suspicious patterns – but it was too late.

The Ministry of Health was given confirmation that the unusual activity was due to a cyber attack on 10 July. The authorities made a police report two days later.

Over a week later, on 21 July, the authorities revealed that a massive breach had occurred on the Government health database and that the names, NRIC numbers, addresses and medical records of 1.5 million patients had been compromised.

Slamming the initial response to the security breach as “piecemeal” and “inadequate” on Friday, Solicitor-General Kwek Mean Luck said that more could have been done to prevent the security incident from escalating.

He added that the management’s failure to ensure that systems were updated and well-maintained could have provided hackers access into SingHealth’s network as early as August 2017.

https://theindependent.sg.sg/exploited-server-in-singhealth-data-hack-had-not-been-updated-for-over-a-year-coi-reveals/