SingHealth cyber attack: Operational constraints and challenges could be why IT system weaknesses were not fixed quickly

SINGAPORE — Operational constraints and challenges faced by public healthcare institutions could explain why IT system weaknesses were not fixed quickly, the Committee of Inquiry (COI) probing the SingHealth cyber attack heard on Friday (Nov 2).

On Thursday, the committee was told that “high-risk weaknesses” with the H-cloud server — used to access the patient database — were not rectified more than a year after executives at the Integrated Health Information Systems (IHiS) had been informed of them in 2017. IHiS is the info-technology arm of the Ministry of Health (MOH).

Taking the stand at the public hearing on Friday, Mr Goh Aik Guan, managing director of the Ministry of Health Holdings (MOHH), laid out the operational constraints and challenges that IHiS faced in fixing vulnerabilities, which could result in cyber risks not being eliminated entirely on the ground.

MOHH is the holding company of Singapore’s three public healthcare clusters — National University Health System, National Healthcare Group and Singapore Health Services. In 2016, the information systems division of MOHH merged with IHiS, which runs the IT systems of the three healthcare clusters.

Citing the patching of devices with anti-virus software as an example, Mr Goh said that while the call may be to patch all devices across the clusters, that is “clearly not going to be possible” in reality, given the “constraints” between resources and operational directives.

“(Taking) the risk-based approach would (mean looking) at devices with the highest risk, then slowly working down that level to devices which are rarely used and have the lowest risk,” he said, explaining what could have resulted in the time lag such that identified vulnerabilities were not fixed.

Even then, at the end, he said there will be “residual” devices that may not be installed with the necessary patches because the effort and cost to do so might be disproportionate. “System owners have to make the call whether residual risk is tolerable.”

In addition, Mr Goh highlighted two other challenges that public healthcare institutions face when rectifying IT system weaknesses.

Firstly, the need to operate round the clock means that there is little downtime set aside for IT measures to be implemented. Secondly, other applications may be affected when one system is patched.

‘POTENTIAL’ CONFLICT OF INTEREST

The COI also heard that having key management executives who wear “double-hats” in the MOH and IHiS could potentially result in a conflict of interest, where compliance checks are not done to ensure that directives have been carried out.

Executives with dual roles include IHiS’ chief executive officer Bruce Liang, who is concurrently MOH’s chief information officer, and Mr Chua Kim Chuan, who is MOH’s chief information security officer as well as director of the cybersecurity governance department in IHiS.

Mr Goh, in his testimony on Friday, at first said that he did not think there would be a conflict of interest in Mr Liang and Mr Chua’s positions.

“This double-hatting by Bruce and Kim Chuan helps to ensure alignment between MOH’s priorities in IT and cyber-security strategy, policy and programme, and IHiS’ planning and implementation of the same for MOH.

“It also ensures a channel for IHiS to provide feedback to MOH from the running of programmes on the group, so as to inform MOH’s policy-making,” he said.

However, when asked by Solicitor-General Kwek Mean Luck whether there was a potential conflict of interest given that the roles might involve them checking on one another, Mr Goh agreed that there could be.

“There will always be a possibility of a conflict of interest, because (here) you have the one who implements the directives (being) the one who promulgates (them),” he said.

Mr Goh then said that measures would have to be taken to mitigate the risk, such as the need for Mr Liang and Mr Chua to report back to other officers in MOH.

Hearings by the COI, some of which are held in private due to national security concerns, continue on Monday. Senior management from SingHealth are expected to testify.
