
CGH workstation hit by suspected malware half a year before SingHealth cyber attack

SINGAPORE — About six months before the SingHealth cyber attack unfolded, a workstation at the medical records office of Changi General Hospital (CGH) was suspected to have been infected with malware.

Changi General Hospital's A&E department. A workstation at the hospital's medical records office was suspected to have been infected with malware some six months before the SingHealth cyber attack unfolded.


Logs showed that a user ID and the workstation had tried numerous times to communicate with a suspicious URL (uniform resource locator), commonly known as a web address.

Although the problem was contained, no steps were taken during the incident in January to identify the owner of the user ID, or to investigate if the workstation had been infected with malware, said Mr Ernest Tan Choon Kiat, senior manager of the security management department at the Integrated Health Information Systems (IHiS) — the Ministry of Health’s IT arm.

It is unclear if this was the same user ID used by sophisticated hackers in the cyber attack on public healthcare group SingHealth, which took place between June 27 and July 4.

On Monday, Mr Tan’s colleague told the Committee of Inquiry looking into the cyber attack that he had tried in vain on July 4 to find the user ID of the person logging in to a Citrix server from a workstation and who was behind an unusual database query. There is no information made public on the location of this workstation.

Mr Tan — the designated response manager for all security incidents involving SingHealth — said that no reporting forms were filed for the suspected IT security incident in January, as well as others in June and July.

Suspected malware infection of a workstation was a “very common occurrence”, Mr Tan added.

NO ALARM BELLS IN JUNE

In June, when Mr Tan was on overseas leave in Japan, his colleague set up a group chat for an “IT incident” involving a suspicious workstation and a Citrix server. There had been attempts to connect to the Sunrise Clinical Manager database using “several different username-password combinations”, but this “did not ring any alarm bells” in his mind. The Sunrise Clinical Manager is a platform holding electronic medical records. 

“I thought that we would know more about whether there was any malicious activity, after the completion of the forensic examination of the workstation,” said Mr Tan.

He was back in Singapore from June 18 and his role was to lead efforts of the Security Incident Response Team and coordinate activities among its respective groups, but Mr Tan said he did not do so, as he had just returned from leave and was busy catching up on work and other projects.

It was only in July that a suspicious query caused “alarm bells (to start) ringing” for Mr Tan. The query was being run using an account with rights to modify data in a database, but from a programme that was “different from most of the other programme names reflected in the records”.

WHAT AMOUNTS TO A SECURITY INCIDENT

Yet throughout the period from June to early July, Mr Tan’s understanding was that no IT security incident reporting forms were filed.

This was due to the definition of “security incident” in standard operating procedures.

A user account that accesses a server without the user’s permission, or attempts to access a server containing sensitive data, would not necessarily amount to a security incident unless Mr Tan was “100 per cent” certain that the activity was malicious.

Likewise, access to a privileged user’s account without his or her permission would not necessarily be a security incident. “We would still have to check with the account holder whether he had used his account for any scheduled tasks,” said Mr Tan, noting that it would be classified a security incident only if there were no scheduled tasks.

Incidents affecting critical information infrastructure would have to be reported only if there was a real breach or compromise. “To my understanding, it does not cover incidents involving attempts to compromise a critical information infrastructure system, even where our investigations show that the attempts were malicious,” said Mr Tan.

The public hearings continue on Wednesday.

Some of the four-member Committee of Inquiry’s hearings are held behind closed doors in the interest of national security, for instance where the evidence could be exploited to carry out further cyber attacks or could reveal patients’ personal data.
