Exploited server in Singhealth data hack had not been updated for over a year: COI reveals

Health Minister Gan Kim Yong / YT screencapture
 

The ongoing Committee of Inquiry (COI) probe into the massive Singhealth data hack has revealed that the server that was exploited in the cyberattack had not been updated since May 2017 – more than a year before the Government portal was targeted by hackers in July.

Unusual activity was first detected on SingHealth IT databases on 4 July this year by database administrators from the Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector. On 10 July, the Ministry of Health was given confirmation that the unusual activity was due to a cyberattack. The authorities made a police report two days later.

Over a week later, the authorities revealed that a massive breach had occurred on the Government health database and that the personal details and medical records of 1.5 million patients had been compromised.

Prime Minister Lee Hsien Loong and Emeritus Senior Minister Goh Chok Tong were among the affected patients whose confidential information had been hacked. A COI was subsequently convened to investigate the data breach.

On the fifth day of public hearings yesterday, a senior manager involved in managing the security system of the database revealed that the server that was exploited had not been updated for months before the attack.

Mr Tan Aik Chin revealed that he had to update the server manually, since it was not connected to the Internet and so could not receive automatic Windows updates. Mr Tan only discovered that the server had been infected with a virus after he was notified by a colleague this past July.

Mr Tan, who is employed as a senior manager for cancer service registry and development by the National Cancer Centre (NCC) which is part of the SingHealth cluster, did not know what the virus was or what the extent of the virus and its damage had been.

Curiously, Mr Tan told the COI that he was never officially assigned to manage the server and that, after his colleagues progressively left the NCC, he was made to manage a cluster of servers even though his understanding of IT security was “very basic”.

Initially, Mr Tan – whose main role was to oversee a business continuation plan programme – had only been given the password of the exploited server’s administrator account in case his help was needed, since another NCC employee and an IHiS employee shared responsibility for the exploited server.

Even though Mr Tan was admittedly not proficient in managing server security, he was forced to assume responsibility for the server after the IHiS employee passed away and after his NCC colleague resigned.

Mr Tan gradually took over responsibility for the exploited server even though neither the NCC nor IHiS ever officially assigned the server to him. Mr Tan told the COI that he would be the one his colleagues would contact if there were problems with the server.

Curiously, another IHiS staff member named Mr Zheng Haoran was listed as the system administrator for the server in a server maintenance directory but Mr Tan said that Mr Zheng had never logged in to the server.

Mr Tan first told the COI that he did not check whether antivirus software had been installed on the server because he assumed it had been, since he inherited the server from someone else. When COI chairman Richard Magnus pressed further, Mr Tan said that the server was protected by an older version of antivirus software that had been installed.

The second witness at the hearing yesterday, IHiS director for infrastructure services Ms Serena Yong, initially blamed NCC and Mr Tan for failing to ensure that the exploited server was protected before admitting that IHiS had responsibility over the server.

In her statement, which contained sensitive details that were redacted, Ms Yong first said: “After July 10, when IHiS began to piece together the events that occurred in June and July 2018, I was informed that the (redacted) server did not have (redacted) anti-virus installed.

“To my knowledge, this was because the server was not in practice being managed by anyone in IHiS. It was managed by NCC by themselves. I was told that the server was managed by Tan Aik Chin, who is a SingHealth employee.”

When questioned by SingHealth legal counsel Stanley Lai, Ms Yong admitted that IHiS had responsibility over the server since IHiS staff member Mr Zheng was listed as the assistant manager of the exploited server.

When the COI chairman asked whether she was aware of the reporting time for security incidents to be escalated, Ms Yong said she was. The chairman had noted:

“I’m asking you this because you’re the highest ranking witness that has appeared in the COI so far. There has been some evidence during the COI hearing that people who are involved in looking at the security incidents of this matter, people from Security Management Department, for example, will only escalate if there is verification of the security incident.”

Ms Yong replied that there could be a possibility that the team needed to confirm the incident first before escalating it since many incidents happen day-to-day on the ground.