SINGAPORE: More details of the alleged software vulnerability in SingHealth’s electronic medical records (EMR) system and the immediate steps taken were revealed by the former CEO of Integrated Health Information Systems (IHiS) Chong Yoke Sin on Friday (Sep 28).
Dr Chong led the organisation, which runs the IT systems of all public healthcare systems in Singapore, from April 2008 to December 2016.
Giving her testimony during the Committee of Inquiry into the SingHealth cyberattack, Dr Chong recounted how former employee Zhao Hainan, who discovered the alleged vulnerability, was dismissed from IHiS in 2014.
This was because Mr Zhao had contacted a rival vendor over the issue with SingHealth’s Sunrise Clinical Manager (SCM) software.
The software was provided by US vendor Allscripts, but Mr Zhao had emailed a vendor called Epic about a loophole in the system, telling the company to contact him if it wants to leverage this information to increase its market share.
Dr Chong said she was first aware of the alleged vulnerability in that system when she received an email from Allscripts’ David Chambers on the morning of Sep 18, 2014, which included the email from Mr Zhao to Epic.
“This alarmed me,” Dr Chong said.
In response to a question by IHiS lawyer Philip Jeyaretnam, she qualified that her concern was not over the purported security breach but of the “ethical breach” that Mr Zhao had committed when he sent that email.
Dr Chong said she instructed Ms Foong Lai Choo, then director of Clinical Apps 1 and the one who implemented the SCM, as well as Mr Clarence Kua, who was then Mr Zhao’s immediate supervisor, to check the system for vulnerabilities.
“However, at the time, I considered this to be primarily a disciplinary issue and not an IT security issue,” Dr Chong said in her statement.
READ: SingHealth COI hearing: Employees questioned about their inaction over alleged coding vulnerability
To her, Mr Zhao’s email was tantamount to “blackmail” and she thought of him as the immediate vulnerability, which was why she decided to dismiss him as quickly as possible.
In between the time Dr Chong received Mr Chambers’ email at 11.19am to the time she sent a reply email to inform him of what happened at 7.17pm, Mr Zhao was dismissed from IHiS.
A police report was also made, but police said the case “didn’t necessitate a follow-up”, according to Dr Chong.
NO QUESTIONS ASKED OF ALLEGED VULNERABILITY
Despite being made aware of a possible vulnerability in the system, the former CEO said there was no formal investigation into what Mr Zhao claimed to have discovered. Ms Foong and Mr Kua did not submit any written report to her - either on Mr Zhao’s conduct or the technical details of his discovery, said Dr Chong.
“At the time, we had just upgraded the SCM’s system architecture, so we thought it would render any vulnerability discovered by Zhao irrelevant,” Dr Chong said.
“Lai Choo, Clarence and I believed that Zhao was referring to a database script that had direct access to the SCM database,” she added, explaining later that IHiS had a script to scrape database content independent of the SCM system.
She also said she had not spoken to Mr Zhao directly after being alerted of the situation.
READ: COI for SingHealth cyberattack: IT gaps, staff missteps contributed to incident, says Solicitor-General
In the Sep 18 email to Mr Chambers, which was referenced by Senior Counsel Jeyaretnam, Dr Chong again dismissed the possible “exposure” to the SCM system, and said it was a programming of code to extract data from the database that was done as a “normal course of work”.
“At the time, I believed that the main problem was the fact that an employee had misused his position and contacted Epic in this manner, in what would appear to be an attempt to compromise Allscripts, who was our vendor,” she said in the statement.
However, during an exchange with the Senior State Counsel G Kannan, Dr Chong did admit: “On hindsight, (we) should have gotten a COI done and all that (on the SCM system).”
Friday’s hearings also included the testimony of Ms Angela Chen, who was project manager in the team Mr Zhao was in back in 2014.
She said he had mentioned to her on Sep 15 that he had security concerns about the SCM system design, to which she instructed him to log the issue with Allscripts. However, she did not follow up on whether this was done before Sep 18 as she was either out of office or on leave.
Ms Chen said Mr Zhao would regularly inform her whenever he finds something, which she said is “a good habit” to have. She also described him as a “very good worker” and “technically very strong”.
He also had a “very good working relationship” with the team in question, she added, when asked why they organised a farewell lunch for Mr Zhao a few months after his dismissal.
Some of the hearings on Friday were held behind closed doors in the interests of national security as the evidence given may be sensitive in nature.
The hearing continues on Monday.