
2 IHiS staff take stand for first COI public hearing on SingHealth cyberattacks

Solicitor-General Kwek Mean Luck, who will lead evidence in the inquiry into SingHealth's cyber attack, emphasised that the focus was not on fault-finding.

21 Sep 2018 11:31AM (Updated: 24 Sep 2018 10:01AM)

SINGAPORE — Two staff members from the Health Ministry's Integrated Health Information Systems (IHiS) took the stand on Friday (Sept 21) at the start of public hearings for the cyber attack on public healthcare cluster SingHealth.

Mr Lum Yuan Woh, assistant director in the systems management department of IHiS' infrastructure division, will be the first to give evidence before a Committee of Inquiry (COI), followed by his colleague, Ms Katherine Tan, a database administrator with IHiS.

Solicitor-General Kwek Mean Luck, who will lead evidence in the inquiry, stressed in his opening statement that the focus of the inquiry was "not on fault-finding". Instead, the focus is "on probing and learning, so that we identify areas that would strengthen the defences of our organisations against future cyber attacks".

Friday's hearing is the first of six sessions, open to the public, that will be held over the coming fortnight, the COI secretariat said on Thursday evening.

Other witnesses who are expected to testify in the coming days include the Health Ministry's chief information officer, the Cyber Security Agency (CSA) of Singapore, and other IHiS and SingHealth employees.

Cyber-security experts will also be called to give evidence to the committee, Mr Kwek said.

Evidence that will be adduced will include how the cyber attack, which had the characteristics typical of an advanced persistent attack, took place, and the corresponding response that IHiS and SingHealth took.

EVIDENCE TO BE ADDUCED

  • The attacker first gained access to the network as early as August 2017 by infecting workstations.
  • The malware from one of the computers then spread to others laterally in the network — with an “ultimate objective” of reaching the medical records database, CSA assessed.
  • The attacker’s modus operandi fit the profile of an Advanced Persistent Threat attack group that CSA had encountered before. It will attribute — at a closed-door hearing — the identity of these attackers.
  • There were inadequacies in network monitoring. For example, inactive accounts were not disabled.
  • The password for one local administrator account was “P@ssw0rd”.
  • Internet Surfing Separation, where different computers are set aside for work and for surfing the Web, was considered as early as 2015, but there were concerns over the impact of implementing it.

WHO IS ON THE COI AND WHAT IT IS FOR

  • Retired senior judge Richard Magnus is the chair for the COI, first convened on July 24.
  • Three other members are: Mr Lee Fook Sun, executive chairman of cyber-security firm Ensign InfoSecurity; Mr T K Udairam, group chief operating officer of healthcare technology firm Sheares Healthcare Management; and Ms Cham Hui Fong, assistant secretary-general of the National Trades Union Congress.
  • Its task is to examine the events and contributing factors leading to the cyber attack on SingHealth's patient database system — the worst attack by far — which occurred on or around June 27.
  • The first private hearing was held on Aug 28.
  • Some hearings will be held behind closed doors, or in camera, in the interests of national security. For instance, the evidence may be exploited to carry out further cyber attacks or patients' personal data may be revealed.

SINGHEALTH CYBER ATTACK: BACKGROUND

  • Between June 27 and July 4, sophisticated hackers stole the personal data of 1.5 million SingHealth patients including their national identity card numbers, addresses, names and dates of birth.
  • 160,000 of the affected patients, including Prime Minister Lee Hsien Loong, also had information on their outpatient medication stolen.
  • The attack was the work of an advanced persistent threat group that could be state-linked, Communications and Information Minister S Iswaran said in Parliament last month.
  • The hackers used advanced tools including customised malware that was able to evade SingHealth’s anti-virus software and security tools, Mr Iswaran said.
  • For national security reasons, the Government will not name the party it believes is behind the attack.

DATES AND TIMINGS OF PUBLIC HEARINGS

  • Sept 24: 2pm – 6pm
  • Sept 26: 9.30am – 6pm
  • Oct 2: 10.30am – 6pm
  • Oct 4: 9.30am – 6pm
  • Oct 5: 9.30am – 6pm
  • An updated schedule will be published by 6pm daily at http://mci.gov.sg/coihearings

Clarification: An earlier version of this story reported that Mr Lee Fook Sun was executive chairman of cyber-security solutions firm Quann World. The Ministry of Communications and Information clarified that he is now with Ensign InfoSecurity.

Source: TODAY