SingHealth cyber attack: Not all IHiS employees aware of what to do in a cyber-security incident

SINGAPORE — Two staff members from the information technology arm of the Ministry of Health (MOH) testified that while there was a framework in place to report cyber-security incidents, there was insufficient training on what to do.

As a result, they were unclear about what action to take when the data breach happened at public healthcare cluster SingHealth in the middle of this year.

They were giving their testimony on Friday (Sept 21) to a Committee of Inquiry (COI) at a public hearing into the cyber attack on SingHealth's IT system. It is the first of six public sessions the committee is holding.

Above: Katherine Tan, a database administrator with the Integrated Health Information Systems, leaving court. Photo: Alfred Chua/TODAY

Ms Katherine Tan, a database administrator with the Integrated Health Information Systems (IHiS), said that when it became apparent SingHealth's electronic medical record database was breached, she informed her immediate supervisor, Ms Teresa Wu, while trying to shut the activity down.

Ms Wu is said to have wondered if the company was dealing with a security incident. Then she sent Ms Tan a slide on the reporting framework, and told her to check with her colleagues who are dealing with such queries, to see if a report should be made.

Ms Tan told the COI that she followed Ms Wu's instructions and asked her colleagues for their opinion.

"No one responded to my query, and I never followed up to press for an answer to the matter," Ms Tan said. She did not elaborate, but said she thought that her company was dealing with a security incident.


URGENT MEETING

She later went home to develop a script to stop more of such "unusual activity" and completed it at midnight, July 5.

It is not known when exactly the script was placed into the system, but Ms Tan testified that she did not receive any alerts of any further queries being made to the affected database.

It was only about five days later that she was called to an "urgent meeting" at IHiS headquarters to respond to the incident. At the meeting, she recounted discussing the July 4 incident, among other issues.

"During the meeting of July 9, the incident was not yet considered by IHiS to be a cyber attack, although it was acknowledged to be a security incident," Ms Tan said.

The next day, she was told to report to a war room set-up, to trawl the database — also known as the Sunrise Clinical Manager database — to look for all failed log-in attempts.

She acknowledged in her evidence that she was "never made aware" of any reporting framework for security incidents.

"No such framework was communicated to me either verbally or in writing. I was never provided with any training or briefing on (such a) framework," Ms Tan said, adding that she also manages more than 50 other databases.

 

NOTICED FAILED LOG-IN ATTEMPTS EARLIER

It was a similar account by Mr Lum Yuan Woh, assistant director in the systems management department of IHiS' infrastructure division.

He said that while he was aware of a framework, there was "no training or briefing" provided to him or his team of seven staff members.

Mr Lum also testified that it was on June 11 that he had first noticed failed log-in attempts into the Sunrise Clinical Manager database. The attempts continued until June 13, and Ms Tan also said that she had observed the unusual activity during the same period.

They noticed it again on June 26, but it was only on July 4 that they detected the intrusion.

Senior management, including SingHealth's group chief information officer Benedict Tan, was notified only on July 9, Mr Lum said.

Mr Lum later clarified that he "did not think the (breach) would go beyond the local account" it was on. At the outset, he said, he and his team regarded it as an "infrastructure incident", not a "security incident".

The attack was confirmed on July 10, and made known to the public on July 20.

 

PRIVATE TESTIMONY

Ms Tan is expected to continue her testimony, behind closed doors, next Monday.

Other witnesses expected to be called to give evidence include:

  • Chief information officer Bruce Liang from MOH

  • Chief information security officer Chua Kim Chuan from MOH

  • Mr Dan Yock Hau, director of the national cyber incident response centre at the Cyber Security Agency, who will testify at a private hearing

  • Employees from MOH, SingHealth and IHiS

Solicitor-General Kwek Mean Luck will be leading evidence in the inquiry, which is chaired by retired senior judge Richard Magnus.

The COI was convened on July 24 to examine the events and contributing factors leading to the cyber attack on SingHealth's patient database system — labelled as the country's worst.

 

DELAY IN COMMUNICATIONS

Asked in Parliament last month why there was a delay from the time the attack was confirmed until the Government went public with details of the attack, Health Minister Gan Kim Yong explained that many things were happening, and that the authorities were engaged in multiple and concurrent "streams of work".

"Our priority at that time was to ensure that our systems were protected, our data would not be subject to further losses or exfiltration, and that took a while," Mr Gan told the House.

The authorities had to trace the attack to its source so that the database could be protected. They also had to determine whether other data had been compromised beyond those they were aware of, and who the affected patients were.

At the same time, SingHealth had begun its preparations to inform patients, which also required time.

 

BACKGROUND

  • Between June 27 and July 4, sophisticated hackers stole the personal data of 1.5 million SingHealth patients including their national identity card numbers, addresses, names and dates of birth.

  • 160,000 of the affected patients, including Prime Minister Lee Hsien Loong, also had information on their outpatient medication stolen.

  • The attack was the work of an advanced persistent threat group that could be state-linked, Communications and Information Minister S Iswaran said in Parliament last month.

  • The hackers used advanced tools including customised malware that was able to evade SingHealth's anti-virus software and security tools, Mr Iswaran said.

  • For national security reasons, the Government will not name the party it believes is behind the attack.

 
