Server used by SingHealth cyber attackers had no security updates for more than a year
SINGAPORE — Left running without security updates for more than a year, a server located at the National Cancer Centre was infected by a virus and exploited by sophisticated hackers, who successfully stole the data of some 1.5 million patients in Singapore’s most severe cyber attack to date.
It was in July that the server was found to have been infected. No data was taken from the server itself, but it and several other servers were used by the hackers as pathways to gain access to the Sunrise Clinical Manager, a platform which contains the electronic medical records of patients. The database is used by SingHealth, the largest public healthcare group here.
During the probe into the cyber attack on Thursday (Sept 27), the Committee of Inquiry (COI) called into question the party responsible for managing the server.
On paper, it came under the Integrated Health Information Systems (IHiS) — the Health Ministry’s IT arm.
In reality, it was a senior manager at the National Cancer Centre, Mr Tan Aik Chin, who was doing it. The centre is one of several health organisations under SingHealth’s umbrella.
Mr Tan’s main role was to oversee the business continuation programme at the National Cancer Centre. He said that while it was not his job to manage the server, he took it on out of goodwill and convenience.
This arrangement, however, was not known to a senior officer at IHiS.
HANDLING ISSUES WITH SERVER SPORADICALLY
Mr Tan was first given the username and password of the local administrator account to the server sometime between 2014 and 2015, “in case” IHiS staff members needed help to look into issues with the server.
IHiS employee Sim Yong Siang died in 2015, leaving Mr Tan and other staff members at the National Cancer Centre to sort out server issues on an ad hoc basis.
After helping to resolve a problem in 2016, Mr Tan said that he “took over” management of the server, as it was a “convenient arrangement”.
The server was located where he works, at the National Cancer Centre on the premises of the Singapore General Hospital, whereas IHiS staff member Sim used to be stationed at the ConnectionOne office in Bukit Merah.
Mr Tan said that the last time he updated the server was in May last year. He was instructed at the time by IHiS to update “all Windows servers”. This instruction was in response to the spread of the WannaCry ransomware globally.
After it was done, he assumed that the server had anti-virus software and it would be updated “automatically” without frequent manual input.
In July this year, after he was notified that the server was infected, he was tasked to disconnect the server from the SingHealth network, uninstall the old anti-virus software and install new anti-virus software.
After doing so, he performed a scan which yielded “three threats”.
“Two had been cleaned and one was quarantined,” Mr Tan said.
He then reconnected the server to the SingHealth network and did a manual update. He ran another full scan, and this time, no threats were detected.
Mr Tan said he did not know why the anti-virus software had not been updated, and did not know why the three threats were detected.
NO KNOWLEDGE OF SERVER’S MANAGER
All this while, Ms Serena Yong, the director of the infrastructure services division in IHiS, was not aware that Mr Tan was handling the server.
Ms Yong is the highest-ranking government officer to testify in front of the COI so far since the public hearings began on Sept 21.
She was newly appointed to the role this year, and was to oversee and recommend software updates. She joined IHiS in 2009, where she supported end-user computing needs.
Ms Yong said it was only after the events on July 10, when the data breach was exposed, that she learnt that the server was managed by Mr Tan.
She also said she was first notified of “problems” concerning the Sunrise Clinical Manager database sometime during the weekend of July 7 and 8, after getting a call from her deputy director.
She was told that there would be a meeting on July 9, but said “she did not get the impression that it was a serious problem”.
Even after the meeting on July 9, she did not ask her staff members to test the database by running queries to see if it could extract data.
It was only on July 10 that an employee from IHiS found out that a query returned data, as revealed to the COI on Wednesday.
Upon further questioning by the committee’s chair Richard Magnus on Thursday, Ms Yong said that she was not aware of the attempt to extract the first 100,000 electronic medical records.
The COI’s hearings, some of which are held in private in the interest of national security, continue on Friday.