SINGAPORE: A server that was exploited in the SingHealth cyberattack had not been updated since May 2017, it emerged on Thursday (Sep 27), the fifth day of public hearings held by the Committee of Inquiry looking into the attack.
Mr Tan Aik Chin, a senior manager for cancer service registry and development with the National Cancer Centre (NCC), took the witness stand on Thursday. NCC is part of the SingHealth cluster.
In his statement, he said that as the server was not connected to the Internet, it was not possible to perform automatic Windows updates. Instead, he would have to perform the update manually.
He only discovered in July this year that the server had been infected with a virus when he received an email from a colleague. He added upon questioning that he did not know what the virus was, or the extent of it.
The cyberattack, which was Singapore’s most serious breach of public data to date, saw a total of 1.5 million patient records accessed and the outpatient dispensed medicine records of 160,000 individuals taken. Database administrators from the Integrated Health Information Systems (IHiS) - the central IT agency for the healthcare sector - discovered the breach on Jul 4 and acted immediately to stop it.
In his statement, Mr Tan revealed that as he had inherited the server from someone else, he did not check if it had antivirus software installed, but assumed it was the case. When questioned by COI chairman Richard Magnus, he clarified that the server did in fact have an older version of an antivirus software installed.
NO OFFICIAL ASSIGNMENT OF SERVER
Mr Tan testified that his main role was to oversee a business continuation plan programme and his understanding of IT security was “very basic”. He added that he was not proficient in managing the security aspects of servers.
However, he was also required to manage a group of servers, and progressively took over more of them as his colleagues left NCC.
Mr Tan said that sometime after October 2014, two of his colleagues shared responsibility for the exploited server - Mr Sim Yong Siang from IHiS’ Site Apps Team (SAT) and Ms Koh Pin Hiang from NCC. However, Mr Tan had been given the password for the server’s local administrator account, in case his help was needed.
When Ms Koh left NCC in 2015 and Mr Sim died later that year, Mr Tan said it left him as the only one who held the password to the server’s local administrator account. Sometime in 2016, Mr Tan took over management of the server.
While Mr Tan said that users would look for him if they had problems involving the server, he stressed that the server was never officially assigned to him, either by NCC or IHiS.
Mr Tan added that an IHiS staff member, Mr Zheng Haoran, was named in a server maintenance list as the system administrator for the server. But Mr Tan said that Mr Zheng had never logged in.
WHOSE ROLE IS IT, ANYWAY?
The issue of who was responsible for the exploited server was further explored in the testimony of Ms Serena Yong, the director for infrastructure services at IHiS and the second witness for the day.
In her statement, some parts of which were redacted as they contained sensitive details, she said: “After July 10, when IHiS began to piece together the events that occurred in June and July 2018, I was informed that the (redacted) server did not have (redacted) anti-virus installed.
“To my knowledge, this was because the server was not in practice being managed by anyone in IHiS. It was managed by NCC by themselves. I was told that the server was managed by Tan Aik Chin, who is a SingHealth employee.”
When questioned by lawyer Stanley Lai, who represents SingHealth, Ms Yong conceded that IHiS had responsibility over the server as Mr Zheng, an IHiS staff, was listed as the assistant manager of the exploited server.
COI chairman Magnus also asked Ms Yong if she was aware of the reporting time for security incidents to be escalated, which she replied in the affirmative.
“I’m asking you this because you’re the highest ranking witness that has appeared in the COI so far,” Mr Magnus said.
“There has been some evidence during the COI hearing that people who are involved in looking at the security incidents of this matter, people from Security Management Department, for example, will only escalate if there is verification of the security incident.”
In response, Ms Yong said that because many incidents happen day-to-day on the ground, there could be a possibility that the team needed to confirm the incident first before escalating it.
The hearings - some of which are held behind closed doors in the interest of national security - are expected to continue on Friday and next week.