SINGAPORE: A failure on the part of the Integrated Health Information Systems' (IHiS) management to follow up on an alleged coding vulnerability in its electronic medical records (EMR) system was brought into sharp focus during the Committee of Inquiry’s (COI) public hearing into the SingHealth cyberattack on Friday (Sep 28).
Solicitor-General Kwek Mean Luck had said in his opening statement last Friday that there was evidence pointing to “insecure coding vulnerability” in the Allscripts Sunrise Clinical Manager (SCM) software, and that it was “highly probable” the vulnerability allowed the attacker to easily retrieve log-in credentials and use them to access the database.
This vulnerability was flagged in 2014 by a former employee Zhao Hainan, who had informed Allscripts' commercial competitor about the alleged flaw.
READ: COI for SingHealth cyberattack: IT gaps, staff missteps contributed to incident, says Solicitor-General
During the COI hearing on Friday, more details about the events of 2014 were revealed during the testimony of Mr Clarence Kua, the deputy director of the Chief Information Officer’s Office at IHiS.
The first email, which stated “Keep this confi”, contained correspondence between Dr Chong and Mr David Chambers, Allscripts Asia Pacific managing director.
The email contained a forwarded message by Mr Chambers of a letter Mr Zhao had sent to Epic Systems Corporation on Sep 17 - a rival electronic medical records system vendor. The letter stated there was a “loophole” in the Allscripts SCM “where user can gain admin control of the whole database easily” due to the “architecture of the product”, Mr Kua recounted in his statement.
The letter to Epic Systems also mentioned that “this could lead to a serious medical data leak, or even a national security threat”, Mr Kua added.
Mr Chambers' email to Dr Chong also stated that the matter had to seen as "very serious" and "not just a prank" as Mr Zhao used to work in the joint development laboratory run by IHiS and Allscripts, Mr Kua recounted.
In a second email sent that day, Dr Chong asked Mr Kua to ask Mr Zhao for his private email account. This was so they could verify if Mr Zhao did indeed send the letter to Epic.
Mr Kua, after discussing with his reporting officer Ms Foong Lai Choo - who was also copied on the first email - decided to ask Mr Zhao in person if he had sent the email to Epic. Mr Zhao admitted doing so.
“To the best of my recollection, I had only asked Zhao about the email that he had sent, together with Lai Choo. I do not recall that Zhao showed me, on his computer, the vulnerability that he found in SCM, or that he gave me any hard copy print-out showing the vulnerability,” Mr Kua said, adding that they then updated Dr Chong of their findings.
LACK OF INITIATIVE QUESTIONED
Mr Kua actions were called into question by most members of the COI.
One of them was Mr T K Udairam, group chief operating officer of Sheares Healthcare Management. He questioned Mr Kua - who had been officer-in-charge of Clinical Systems in 2014 - if he had been at least curious, if not concerned, about the vulnerability flagged by Mr Zhao.
To this, Mr Kua replied that he was “a bit concerned”, but that his focus was on double-checking that Mr Zhao’s private email address matched that of the email sent to Epic.
COI chairman Richard Magnus also asked the IHiS executive if he paid “scant regard” to the contents of the first email, which mentioned the alleged software vulnerability.
“I would be concerned by what was written there, but then Yoke Sin’s (Dr Chong) email directed me” to verify the email address, Mr Kua said, adding that he was more focused on the second email as it was directly addressed to him.
In reply, Mr Magnus said he should be able to “focus on two things at the same time”.
Another COI member, Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress (NTUC), questioned his working and management style.
Specifically, she asked if Mr Kua was someone “who does not take initiative” given that he did not appear to want to gather more information beyond what he was told to do, such as on the alleged vulnerability flagged.
To this, Mr Kua said: “Yes, I usually will act on instruction.”
Ms Foong, who also gave testimony on Friday, similarly said that she did not recall asking Mr Zhao anything further about the loophole he claimed to have discovered.
It was revealed that Mr Zhao was dismissed by the company on Sep 18, the same day Mr Chambers sent that first email to Dr Chong.
She added that before Mr Zhao left the office, someone asked him about the loophole he had discovered, but she did not recall who asked the question or when it was asked or what Mr Zhao had said in reply.
In her statement, Ms Foong said she believed an investigation into the incident was held on the same day or the day after the dismissal but she did not recall who carried it out or what the results were.
“I have the impression that the case was closed. I did not make any further efforts to investigate Mr Zhao’s claims,” she said.
The COI hearings - some of which will be held behind closed doors in the interest of national security - are expected to continue next week.