IHiS needs to improve work culture, processes and take more initiative, says CEO

SINGAPORE — Cultural issues such as the lack of initiative and sharing of information within the Integrated Health Systems (IHiS) need to be addressed, in order to deal better with cybersecurity incidents.

Integrated Health Systems chief executive Bruce Liang told the four-member Committee of Inquiry (COI) looking into the cyber attack that he was dissatisfied with the response of the team in charge of security incidents involving SingHealth, among other things.

Besides improving structural systems, IHiS chief executive Bruce Liang acknowledged the role of workplace culture at the hearing on Thursday (Nov 1) on the massive SingHealth cyberattack.

“There is an art involved… a fair bit of intuition (in reporting cyberattacks). There is a certain amount of judgement involved,” said Mr Liang when asked by Solicitor-General Kwek Mean Luck how he would improve the systems of detection and reporting.

“The culture should be that even if you’re not sure, consult your peers, report upwards (to superiors), keep them in the loop and at the same time, superiors also have to recognise that people are telling them information without confirmation and should give staff sufficient breathing space,” he said.

Mr Kwek is leading evidence in the inquiry, while IHiS is the IT arm of the Ministry of Health.

Mr Liang told the four-member Committee of Inquiry (COI) looking into the cyber attack that he was dissatisfied with the response of the team in charge of security incidents involving SingHealth, among other things.

The day before, a senior manager of IHiS’ security management department, Mr Ernest Tan, had testified that he was reluctant to raise the alarm to his superiors despite knowing about suspicious logins to the patient database, for fear of working “non-stop” to “deliver answers” to top management.

This had led to a delay in the reporting and detection of the cyber attack, which saw hackers make off with the personal data of 1.5 million SingHealth patients between June 27 and July 4.

Mr Liang said on Thursday that he “liked” how the frontline team had surfaced the suspicious activities to the security team. However, he “had an issue” with the subsequent response of the security team.

The frontline team first identified suspicious attempts to log into the database in early June. Mr Liang said that “while it may not be immediately clear if the incidents are deliberate”, the actions should have become “clearer” over the course of investigations between June 12 and 26.

As such, they “should have been classified as a security incident before June 26”, he said.

While Mr Liang acknowledged that there were staff who showed initiative in reporting cyber incidents, he said: “In general, I think we need to see more initiative across the organisation.”

Mr Liang joined IHiS in November 2016, taking over from Dr Chong Yoke Sin. He is concurrently Chief Information Officer at the Ministry of Health.

While there are a “number of improvements” IHiS needs to make “in terms of tweaking culture and processes”, Mr Liang said he did not “spot any major technical incompetence” among his employees who gave evidence to the COI.

Moreover, all of them have been “extremely honest” in their testimonies and there was “complete transparency”, he said.

WEAK SYSTEM OF CHECKS AND BALANCES

The weak system of checks and balances in managing cyber risks within IHiS was also covered at Thursday’s hearing.

This became apparent when “high-risk weaknesses” with a cloud server used to access patients’ medical records were found to not have been rectified more than a year after IHiS executives had been informed of them.

These weaknesses were first found in March 2017 after a simulated attack to test the robustness of IT systems was done from the Singapore General Hospital. The simulated attack was conducted on the H-Cloud, a cloud drive which was a pathway to the patient database.

The vulnerabilities, however, were not crucial for the cyber attack, said Solicitor-General Kwek.

An audit report detailing the findings of the test was sent to IHiS’ audit and risk committee in May 2017, and Mr Liang said he had expected the “relevant IHiS staff to take immediate action” to rectify the vulnerabilities.

While IHiS would recommend the appropriate remedy, approval was needed from Mr Benedict Tan, the group chief information officer of SingHealth.

From May 2017 to August this year, Mr Liang said that he did not receive any indication from his staff or the audit team about implementation of the remedies.

In August after the cyberattack, however, external auditors “surfaced three outstanding issues” from the report.

This revealed a lack of compliance checks, which could be done by a separate team within IHiS to look into whether remedial actions were taken.

Compliance checks are a “second line of defence” and an area that IHiS is looking to improve, Mr Liang said.

DELAY IN SETTING UP THREAT PROTECTION SYSTEM

There was also a delay in the setup of Advanced Threat Protection (ATP) systems.

Advanced persistent threat actors, usually funded by foreign governments, were said by the Government to be behind the SingHealth cyber attack.

Mr Liang said ATP systems were originally scheduled to be installed last year. But due to “long negotiations over terms and conditions” with a supplier, the tender lapsed.

IHiS relaunched the tender and awarded it only in June this year – by which time the cyberattack had already occurred.

The ATP system was initially scheduled to be completed in March 2020, but the data breach prompted IHiS to speed up its installation on all 60,000 end-point devices and more than 6,000 servers across public healthcare institutions.

This was completed in October.

Hearings by the COI, some of which are held in private due to security concerns, continue on Friday.

Senior management from SingHealth and the Ministry of Health are expected to testify.

CORRECTION: In the previous version of the story, we reported that Mr Bruce Liang was Chief Information Officer at the Ministry of Health before he became chief executive of IHiS. This is incorrect. He holds both appointments concurrently. We are sorry for the error.

SLEW OF MEASURES UNDERTAKEN TO STRENGTHEN CYBERSECURITY

IHiS announced on Thursday (Nov 1) new measures to help public healthcare institutions to better prevent, detect and respond to cyberattacks.

  1. All IHiS staff are required to report suspicious IT incidents within 24 hours, even if initial investigations cannot determine if they are security incidents.

  2. Two-factor authentication to be implemented for all administrators who manage the installation of software applications on workstations and laptops. Administrators will need to enter a one-time password, generated by a security token or delivered by SMS, to log into systems to reset passwords, among other administrative tasks.

  3. Employees can only plug in their devices to the network if their devices are patched with the latest anti-virus and anti-malware signatures.

  4. Advanced Threat Protection (ATP) systems will be further enhanced with new capabilities to pre-empt and study cyber attackers’ behaviour. This will include capabilities like threat hunting, threat intelligence and response services.
