
IHiS deputy director ‘shocked’ to find data stolen after being told otherwise

SINGAPORE — For several days after sophisticated hackers made off with the personal data of 1.5 million SingHealth patients, the team supporting end-users of the database did not realise that the theft had occurred.

Mr Henry Arianto at the Supreme Court on Sept 26, 2018. The IHiS deputy director, who heads the Sunrise Clinical Manager team providing day-to-day support for end-users, is testifying at an inquiry into the cyber attack on SingHealth's IT system.


The cyber attack on the IT system of Singapore's largest public healthcare group took place from June 27 to July 4, but it was only at a July 10 meeting that a deputy director from the Integrated Health Information Systems (IHiS) discovered that data had been extracted from the Sunrise Clinical Manager database holding electronic medical records.

Before that, Mr Henry Arianto, the IHiS deputy director who heads the Sunrise Clinical Manager team providing day-to-day support for end-users, had told others that the unusual queries of July 4 “had returned zero results”. This was based on information from a team member who was familiar with the set-up of the database’s servers.

While discussions were going on at the meeting, Mr Arianto decided to “double-check” if one of the unusual queries seen on July 4 returned any results.

To his shock, it did.

Things kicked into high gear after that, and the Cyber Security Agency was informed. The Committee of Inquiry (COI) examining Singapore’s worst cyber attack heard on Wednesday (Sept 26) that a “war room” was set up and the team found out the next day that Prime Minister Lee Hsien Loong’s data had been accessed.

AUDIT LOGS NOW CHECKED DAILY

Mr Arianto also said that he would have flagged a series of failed log-in attempts from June 11 to 13 as a security incident, had he reviewed several days’ worth of audit logs of the Sunrise Clinical Manager system.

The COI heard on Tuesday that another group of IHiS employees had set up a group chat on June 13 about these attempts to connect with the database, involving a suspicious workstation and a Citrix server.

After he was asked about “dropped connections” by a colleague on June 14, Mr Arianto checked part of the log for June 13 and found it “weird” that an end-user ID had attempted to log in directly to the database instead of via an application. He tried to uncover the identity of the person from the database manager, but said no one got back to him.

Mr Arianto said that he receives but does not review the audit logs daily or regularly. One of two staff members he assigned to do so would just check the logs “randomly”.

Since the cyber attack, staff members have been tasked to check the audit logs every day and investigate every failed log-in attempt, he added.

Failed log-ins should have been monitored in the first place, he said.
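The two patterns described in this section, a run of failed log-in attempts spread over several days (June 11 to 13) and an end-user ID connecting directly to the database rather than through the application, are the kind of thing a daily audit-log review can flag mechanically. The script below is an added illustration and is not code from IHiS, SingHealth or the inquiry; the log format, the server and account names and the "USR" prefix for end-user accounts are all constructed for the example. The thresholds follow the distinction Mr Wee draws later in the article: a couple of failures in one sitting is not reported, while persistent attempts against the same server across multiple days are at least investigated.

```python
"""Added example (not from the article, IHiS or SingHealth): a minimal daily
review of database audit-log lines that flags the two patterns the testimony
describes.

Assumptions, all constructed for this example (not the real SCM log format):
  - each line: "<ISO timestamp> <server> <user> <channel> <outcome>"
  - channel is "app" (login via the application) or "direct" (direct DB login)
  - end-user accounts are those whose IDs start with "USR"
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines; not real data from any SingHealth system.
SAMPLE_LOG = """\
2018-06-11T09:02:11 scm-db-01 USR4471 app success
2018-06-11T22:14:05 scm-db-01 USR4471 direct failure
2018-06-11T22:14:40 scm-db-01 USR4471 direct failure
2018-06-12T01:30:12 scm-db-01 USR4471 direct failure
2018-06-12T08:10:00 scm-db-01 USR2210 app success
2018-06-12T08:10:30 scm-db-01 USR2210 app failure
2018-06-13T03:45:59 scm-db-01 USR4471 direct failure
2018-06-13T03:46:20 scm-db-01 USR4471 direct failure
2018-06-13T09:00:01 scm-db-02 svc_report app success
"""


def parse_lines(text):
    """Parse the constructed audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, server, user, channel, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "server": server,
            "user": user,
            "channel": channel,
            "outcome": outcome,
        })
    return events


def persistent_failures(events, min_days=2, min_attempts=3):
    """Return (server, user) pairs with at least min_attempts failed logins
    spread over at least min_days distinct calendar days.

    A forgotten password produces a few failures in one sitting and is not
    flagged; repeated failures against the same server over several days are.
    """
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[(e["server"], e["user"])].append(e["ts"].date())
    flagged = []
    for key, days in failures.items():
        if len(days) >= min_attempts and len(set(days)) >= min_days:
            flagged.append(key)
    return sorted(flagged)


def direct_enduser_logins(events, enduser_prefix="USR"):
    """Return distinct (server, user) pairs where an end-user ID connected to
    the database directly instead of through the application, regardless of
    whether the attempt succeeded."""
    hits = {(e["server"], e["user"]) for e in events
            if e["channel"] == "direct" and e["user"].startswith(enduser_prefix)}
    return sorted(hits)


def daily_review(text):
    """Run both checks over one day's (or several days') worth of log text."""
    events = parse_lines(text)
    return {
        "persistent_failures": persistent_failures(events),
        "direct_enduser_logins": direct_enduser_logins(events),
    }


if __name__ == "__main__":
    for name, findings in daily_review(SAMPLE_LOG).items():
        print(name)
        for server, user in findings:
            print(f"  investigate: {user} on {server}")
```

Each flagged pair is an item to investigate, not a declared incident; the point of reviewing several days at once rather than a single day's slice is that the multi-day pattern only becomes visible when the days are read together.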

FALSE ALARM MAY MAKE ONE LOOK BAD

Apprehension about raising false alarms of IT security incidents was a common testimony among witnesses at the COI hearings on Tuesday and Wednesday.

Mr Ernest Tan Choon Kiat, senior manager at IHiS’ security management department, testified on Tuesday that only malicious attempts to access a server containing sensitive data would be classified as a security incident, for instance.

SingHealth’s cluster information security officer Wee Jia Huo said on Wednesday that he understood “an incident must be confirmed before being reported” to the leader of the cyber-security governance department.

“Even a few failed attempts to log in would not be conclusive, as it could be a user who had forgotten his password trying to guess or remember his password,” Mr Wee said. “If there were multiple persistent attempts to log in to the same server over a period of a few days, this would still not be conclusive, but it should, minimally, be investigated.”

Mr Han Hann Kwang, who wrote up the standard operating procedures, said that what he meant by “confirmed” is the “need to gather enough information to make a judgment or assessment that it is a security incident (and not just an event) before (staff members) report it”.

The assistant director of infrastructure services–security management at IHiS added: “Reporting a security incident and activating the Security Incident Response Team is not to be taken lightly.”

When a security incident is reported, it activates a whole team including senior management, Mr Han said. “If a security incident is declared, and it turns out there is no security incident, this may look bad on the person who made the declaration.”

Asked by COI member Lee Fook Sun if there were any consequences for false alarms, Mr Wee said no.

While Mr Ernest Tan said on Tuesday that he did not consider what happened around June 13 to be a security incident which warranted a report, Mr Han felt otherwise. “With the benefit of seeing the relevant events presented in (a spreadsheet), there is a high chance that by 13 June 2018, I would have reported the matter to (IHiS group chief information officer Benedict Tan) in accordance with the (standard operating procedures),” Mr Han said.

PASSIVE OR ACTIVE?

Coming under the spotlight during Wednesday's inquiry was also the matter of whether Mr Wee was passive or active, being the person responsible for escalating a security incident to Mr Benedict Tan and the cyber-security governance group.

Mr Wee was on medical leave from June 20 to July 3. But when he was back at work and he received slides from a colleague that “suggested there had been a breach” of the Sunrise Clinical Manager database, he viewed it “only as a potential breach, as it was not confirmed”. A breach of the database would have been considered an incident of the highest severity.

He noted an attempt to retrieve 100,000 electronic medical records in the database, but said: "Though I knew the query was seeking 100,000 records, I drew the conclusion that no sensitive data had been returned, based only on the result of the one test query. I left work for the day soon after that.”

Quizzed by COI chairman Richard Magnus on how he came to that conclusion, Mr Wee, who operated alone, said that he relied solely on Mr Ernest Tan's cyber-security team for the information.

There were no regular meetings between Mr Wee and Mr Ernest Tan’s team.

Mr Wee also revealed that in his two years as the cluster information security officer for SingHealth, he had never disagreed with Mr Ernest Tan.

"At all times, I will seek guidance from Ernest (and his team) because they are the subject matter experts. We do not escalate incidents if they are not confirmed and may be false positives," Mr Wee said.

The COI’s hearings, some of which are held behind closed doors in the interest of national security, continue on Thursday.
