
Former IHiS CEO did not probe sacked employee’s claim of loophole that posed ‘national security threat’

SINGAPORE — Revelations of an angry employee’s attempt at corporate spying, and the failure of top management to probe an alleged loophole in a critical database capped an intense week of inquiry into the SingHealth cyber attack.


Five individuals including Dr Chong Yoke Sin (above), former chief executive officer of the Integrated Health Information Systems, testified on Sept 28, 2018 at the inquiry into SingHealth's data breach.


The angry employee was sacked within a day in 2014, but the top management of the Integrated Health Information Systems (IHiS) — the Ministry of Health’s IT arm — did not investigate his claim, a four-member Committee of Inquiry (COI) heard on Friday (Sept 28).

The senior management assumed that an upgrade of the database’s system architecture at the time would make any vulnerability irrelevant.

As it turned out, the loophole in the database was likely what allowed sophisticated hackers to steal the personal data of 1.5 million SingHealth patients, Solicitor-General Kwek Mean Luck said in his opening statement at the start of the public hearings last week.

Of the affected patients, 160,000, including Prime Minister Lee Hsien Loong, also had their outpatient medication data stolen.

Five individuals, including former IHiS chief executive officer Chong Yoke Sin, testified on Friday.

EMPLOYEE UNHAPPY BECAUSE HE COULD NOT DO CODING

In September 2014, system analyst Zhao Hainan working at IHiS discovered a loophole in the Sunrise Clinical Manager database, which contained electronic medical records.

The loophole, he said, could enable anybody — a medical student, nurse or pharmacist — to gain control of the database and result in a “serious medical data leak, or even a national security threat”.

Mr Zhao was unhappy because he could not do coding in his role. Using his private email account, he wrote to Epic Systems Corporation, the rival of Sunrise Clinical Manager’s vendor Allscripts, about the loophole.

He invited Epic to contact him if it wanted to leverage the vulnerability to gain a larger market share. This was based on evidence given by Mr Zhao’s former superior, Mr Clarence Kua Cheong Kee.

Mr David Chambers, the Asia-Pacific managing director of Allscripts, got wind of Mr Zhao’s email the very next day. How he discovered Mr Zhao’s email to Epic was not mentioned at the hearing.

Mr Chambers wrote to Dr Chong regarding her IHiS employee and included the email. He said Allscripts was treating it as a “very serious matter” and to let him know if she could get any further information.

“Alarmed” by the news of the “unethical” employee, Dr Chong treated it as a disciplinary issue and tasked Mr Zhao’s superiors to verify his private email address. Mr Zhao was fired the same day on Sept 18, 2014.

Later that day, Dr Chong — who is now chief of StarHub’s enterprise business group — wrote to Mr Chambers and assured him that the Sunrise Clinical Manager platform had not been compromised. She believed the loophole Mr Zhao discovered was only available to certain users with the necessary access rights.

“I also asked David to follow up on the alleged vulnerability. I assumed that David’s staff would work together with IHiS on the issue. However, no security incident or case report was created to record Zhao’s discovery,” she said. “There was no formal investigation into the ‘loophole’ that Zhao claimed to have discovered.”

Dr Chong added that she found out from human-resource colleagues that Mr Zhao had poor work performance, but Mr Zhao’s former reporting officer Angela Chen testified that he was a “good worker” with strong technical skills.

‘PERFECTLY NORMAL’ LOOPHOLE?

Questioned by Senior State Counsel Gnanasihamani Kannan, Dr Chong acknowledged: “On hindsight, I would say that I should have gone to get a technical investigation done. My whole aim (then) was to get the person with a possible malicious attempt out.”

She agreed that two issues were raised from Mr Zhao’s email — a disciplinary issue and a vulnerability issue — and that the decision to fire Mr Zhao only dealt with the first issue.

Another witness, however, called the loophole “perfectly normal”. Mr Loo Yew Tuck, senior lead analyst at IHiS’ clinical care department, said that he had seen an Allscripts trainer demonstrate its use and method previously.

Two other senior officers of IHiS were also asked about Mr Zhao’s discovery.

Ms Foong Lai Choo, IHiS’ director of programme delivery for clinical care, acknowledged that she had a duty to investigate what Mr Zhao had found.

She had the impression that it was “not a big deal” at the time, she told the COI.

Mr Kua, Mr Zhao's former superior, was asked why he did not conduct further investigations into the security flaw, especially after reading from Mr Zhao’s email to Epic that the loophole was a potential threat to national security.

He said his focus was to verify if the private email address belonged to Mr Zhao.

Asked by COI member Cham Hui Fong if he was someone who takes initiative to find out more or who acts upon instruction, Mr Kua — an IHiS employee who is currently assigned to SingHealth as deputy director in the chief information officer’s office — said that he was someone who would likely take instructions.

Mr Zhao testified in private on Thursday. At Friday’s public hearing, IHiS’ counsel Philip Jeyaretnam revealed that Mr Zhao was an unhappy employee and questioned his credibility — whether he had shared details of the security loophole that he found with his supervisors.

Mr Kua said he was unsure if he received a hard-copy printout with details of the loophole.

The SingHealth cyber attack took place between June 27 and July 4 this year and was Singapore’s worst to date.

On Thursday, the COI heard that a virus-infected server located at the National Cancer Centre Singapore and several others were used by the hackers as pathways to gain access to the Sunrise Clinical Manager database. The server had been left running without security updates for more than a year.

Hearings by the COI — some of which are held in private in the interest of national security — will continue in October.

CLARIFICATION: SingHealth has clarified that Mr Clarence Kua Cheong Kee is an IHiS employee assigned to SingHealth.
