SINGAPORE: Even though he was aware of a possible security breach of the electronic medical records software system used by SingHealth, Wee Jia Huo did not report the situation as a security incident, preferring instead to get confirmation that a breach did indeed occur.
This is despite the fact that there would be no consequences for raising a false alarm, should that be the case, it emerged in Day 4 of public hearings for the Committee of Inquiry (COI) looking into the Singhealth cyberattack.
READ: COI for SingHealth cyberattacks: Officer took initiative to investigate even though it was not his job
The Cluster Information Security Officer (CISO) for SingHealth, who is employed by Integrated Health Information Systems (IHiS) - the central IT agency for the healthcare sector - took the witness stand on Wednesday (Sep 26).
His responsibilities include ensuring that standard operating procedures for incident response are complied with, and escalating security incidents to higher management.
A total of 1.5 million patient records were accessed and 160,000 individuals had their outpatient dispensed medicine’s records taken in the attack, which is Singapore’s most serious breach of public data to date.
It also saw the personal particulars of Prime Minister Lee Hsien Loong, as well as information on his outpatient dispensed medicines, being “specifically and repeatedly” targeted.
READ: Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee's data targeted
Data was unlawfully accessed and exfiltrated between Jun 27 and Jul 4, and the activities were only terminated by IHiS database administrator Katherine Tan on Jul 4.
In his statement, Mr Wee testified that based on standard operating procedures for incident response, if there had in fact been a breach in the system, it would be considered a Category 1 security incident.
Such incidents, he explained, are those that affect Critical Information Infrastructures (CII) such as SingHealth’s electronic medical records system, and covers incidents which could lead to the compromising of sensitive information in a CII system.
Mr Wee, who operates without a team reporting to him, said that sometime in July, he viewed a set of slides together with his colleague, Ernest Tan, a senior manager in IHiS’ security management department.
The title of the slides suggested that there had been a breach in the system, he said. But as it was not confirmed, he viewed this as only a “potential breach”.
READ: COI for SingHealth cyberattack: IT gaps, staff missteps contributed to incident, says Solicitor-General
He said given that Mr Tan had already taken the initiative to speak to the database administrator, he did not suggest any further action. Furthermore, as Mr Tan was still investigating, he “did not think it was appropriate” to report the matter.
“At that point in time, my understanding was that based on the (standard operating procedures), only a confirmed breach of CII would need to be escalated,” he said.
When asked by COI member Lee Fook Sun if he were to suffer any consequences should the security incident he reported turn out to be a false alarm, Mr Wee replied that he would not.
When Mr Lee further pressed him about how he would determine whether a security incident is reportable or not, Mr Wee said he would, at all times, seek guidance from Mr Tan.
“They are the subject matter experts,” he said, adding that over the two years he has been in the role, he did not think he and Mr Tan have had any disagreements over whether an incident is reportable.
Mr Tan, who took the witness stand on Tuesday, had testified that while he was alerted to some suspicious activity in mid-June, it did not ring any alarm bells. He had also just returned from overseas leave, and was busy clearing emails.
INVESTIGATE FIRST, REPORT LATER
However, other witnesses who testified on Wednesday insisted that reporting an incident is not something to be taken lightly.
The day’s second witness Han Hann Kwang, who is IHiS’ assistant director for infrastructure services - security, clarified that according to standard operating procedures, once a security incident is detected, the notification and reporting process should be triggered.
Mr Han, who had authored a set of standard operating procedures for security response in March 2018, added that for specific scenarios, the documents instructed that once such incidents are confirmed, the CISO - Mr Wee - could activate the response team to investigate and analyse the situation.
However, he noted that doing so is something that is “not to be taken lightly”, and would require an assessment by the officer to ensure that it is a legitimate security incident.
As to how an officer would qualify a “confirmed” security incident, he said it is “a matter of experience and judgment”, and that it is not possible to express relevant thresholds in words or policy.
“The relevant officer will have to make judgment calls and perform analysis, rather than escalating every indicator. It would not be professional of him to do that,” Mr Han said.
Upon further questioning by COI chairman Richard Magnus, Mr Han said that when looking at a spreadsheet containing details of security incidents taking place in June and July and the actions taken, he would have drawn the conclusion that there had been an attack.
“But there’s also a part that ... as a security engineer or manager, you need to gather more information to make sense of it,” he said.
When asked by Mr Magnus what the best action would be, besides reporting it, Mr Han responded that he would form a bigger team to gain more understanding of the situation first, before escalating the incident.
Another witness also did not flag the incident at the onset of the cyberattack.
Mr Henry Arianto, who is in charge of the team taking care of the electronic medical records database for SingHealth, said he was first prompted by Mr Wee about another IT issue and decided to access the daily logs of the database on Jun 14.
In his statement, he said that these logs record queries which are attempts to retrieve data as well as failed attempts to log in to the database. They are sent daily to Mr Arianto and his two subordinates but are not examined on a regular basis.
When he saw at the log for Jun 13, Mr Arianto said he felt “weird” when he saw end-user IDs attempt to log in directly onto the records database.
He considered this to be unauthorised access but when asked why he did not report the incident, Mr Arianto said that this was the first instance that he has encountered; he claimed he would have reported it if he had seen more cases.
On Jul 4, a colleague informed Mr Arianto that there was a long-running query to the database, to which he instructed the colleague to kill the query to prevent it from impacting the database’s performance.
His first thought was that an internal audit was being conducted even though he had not experienced it before. His second thought was that a staff was “mischievously” accessing the database.
But he decided to not report it because he was informed that the security team is already aware of the queries.
“I did not report the incident to my reporting officer because, at my level, before a matter is reported to my reporting officer, I must be certain that there is a security breach,” he added.
When questioned, Mr Arianto said that he did not want to create a “false alarm” and “unnecessary work for senior management”. He added that he had to rely on his intuition because he has never been informed of the standard operating procedures in the case of a security incident.
Some of the COI’s hearings are held behind closed doors. This is in the interests of national security, where the evidence may be exploited to carry out further cyberattacks, or where patients’ personal data may be revealed.
The hearing continues on Thursday.