COI for SingHealth cyberattacks: Officer took initiative to investigate even though it was not his job

Among the witnesses who took the stand on Tuesday (Sep 25) was IHiS officer Chai Sze Chun, who was commended by Solicitor-General Kwek Mean Luck for being alert and taking the initiative to investigate the incident, even though it was not his job to do so.

Mr Chai Sze Chun, who is assistant lead analyst at Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector, was commended by Solicitor-General Kwek Mean Luck on the second day of public hearings for the SingHealth cyberattack’s Committee of Inquiry (COI).

SINGAPORE: When Mr Chai Sze Chun first received a series of alerts about unusual activity on the electronic medical records software system used by SingHealth, he took the initiative to investigate further, even though it was not his job to do so.   

On Monday (Sep 24), Mr Chai, who is assistant lead analyst at Integrated Health Information Systems (IHiS), the central IT agency for the healthcare sector, was commended by Solicitor-General Kwek Mean Luck on the second day of public hearings for the SingHealth cyberattack’s Committee of Inquiry (COI).

The cyberattack is Singapore’s most serious breach of personal data to date, in which 1.5 million patient records were accessed and 160,000 individuals had records of their outpatient dispensed medicines taken.

Mr Chai’s job, noted Mr Kwek, was not that of cybersecurity management, but of ensuring operational efficiency.

“Nevertheless, when faced with unusual circumstances, he was alert and showed initiative into investigating the security incident,” said Mr Kwek, who is leading the process of presenting evidence at the COI.

HE NOTICED SOMETHING THAT “DOESN’T MAKE SENSE TO HIM”

In his statement, Mr Chai said that on the afternoon of Jul 4, he had noticed that an unusual query had been running in the system for a long period of time.

Even though the query was no longer running when he checked the system again after a while, he decided to investigate further.

Mr Chai said that his division, the Production Enhancement Team, is mainly responsible for troubleshooting end-user issues, and has no direct role in managing or configuring the system database.

He said that four possibilities came to his mind when he saw the unusual query, but that he did not report the matter to the Security Management Department because he could not be sure the account had been misused.

Mr Chai said he later sent an email to several people to report that he had “noticed something (that) doesn’t make sense” to him.

He sent the email to several people across different divisions because he did not know who would be able to shed light on what he had seen.

“I was thinking that if I sent the email out to more people, someone would be able to provide some insight into what was going on,” he said.

It was later discovered that the person behind the queries had made a number of direct queries for data, including the identity card details of Prime Minister Lee Hsien Loong.

The rest of the queries made, said Mr Chai, had to do with patient demographic data and dispensed medication data.

Data was unlawfully accessed and exfiltrated between Jun 27 and Jul 4. It comprised the demographic records of 1,495,367 patients, according to Mr Kwek’s opening statement on Friday (Sep 21).

The attackers also made off with 2,001,008 dispensed medication records pertaining to about 159,000 of these patients.

These activities were only terminated by IHiS database administrator Katherine Tan on Jul 4.

SUPERVISOR “DID NOT THINK THERE WAS ANY POINT” IN REPORTING QUERY HIMSELF

Mr Chai’s supervisor, Steven Kuah, was the second witness on Monday. He testified that sometime in July, Mr Chai had informed him that he had found queries on the database that had been running for a long time.

Mr Kuah said that he told Mr Chai to continue monitoring the situation, as he was unsure what the queries were for. He also told Mr Chai to keep him informed if he needed someone else to help.

Mr Kuah also said that he was added to a WhatsApp chat group by Mr Chai on Jul 4. Mr Kuah did not send any messages, and left the chat group on Jul 5, he added.

When asked by the committee why he had done so, Mr Kuah said he felt that “nothing much” was being communicated in the chat group.

Mr Kuah also testified that when Mr Chai showed him the query he had found, he found it “unusual”, as the query would not have been run by anyone in his team. However, he said he was “not concerned” at first, because he initially thought the query was to a customised table that he assumed did not contain any medical data.

Later that day, when he was informed that the table did in fact contain medical data, he grew concerned that there might have been a data breach.

As Mr Chai had told him that he had already informed Mr Kuah’s reporting officer, Mr Kuah said he did not think there was any point in reporting the query himself.

Mr Kuah added that, because he believed both his reporting officer and a representative from the security management department were aware of the situation, he kept the information to himself “as (he) did not want to broadcast it”.

He then relieved Mr Chai of his normal work so he could concentrate on following up on the queries.

In his statement, Mr Kuah also detailed the processes by which a security incident could be reported. He said that in the event a security incident was detected, he would report to his immediate superior, and they would discuss whether there was a need to escalate the issue to senior management.

While he was aware that IHiS had a formal Security Incident Reporting Framework in place, he did not know the details of it. No training or briefing, he added, was provided on this framework.

In total, three witnesses testified on Monday. Apart from Mr Chai and Mr Kuah, Mr Chan Chee Choong, who is from the infrastructure services division, also testified. 

In his statement, Mr Chan gave details on the containment measures taken immediately following the attack. These included blocking domain administrators’ access to the servers and triggering a password reset for all SingHealth users.

Public hearings are expected to continue on Tuesday and Wednesday. 

Source: CNA/lc(aj)
