Exploited server in SingHealth hack had no security updates in a year, Latest Singapore News - The New Paper
Exploited server in SingHealth hack had no security updates in a year

Exploited server in SingHealth hack last received software updates in May 2017

A server exploited by hackers to reach SingHealth's critical system, leading to Singapore's worst data breach in June, had not received the necessary security software updates for more than a year.

This server became one of the many pathways exploited by hackers after it fell through the cracks of Integrated Health Information Systems' (IHiS) oversight. Servers are typically patched several times a month.

Mr Tan Aik Chin, a senior manager of cancer service registry and development at the National Cancer Centre Singapore (NCCS), as well as Ms Serena Yong, newly minted director of IHiS infrastructure services division, testified yesterday at a Committee of Inquiry (COI) hearing into the breach.

Mr Tan said he became the "convenient" custodian of the server in 2014. As the server is located at the NCCS, his counterparts at IHiS felt it was "convenient" for him to do so, he told the four-member committee.

These counterparts later left the organisation, and no one else took over the management of the server.

Formed in 2008, IHiS runs the IT systems of all public healthcare institutions here.

Mr Tan, whose main job is to plan business continuation programmes, said he was not trained in cyber security or server administration and had not been given any standard operating procedures for managing security incidents.

The exploited server last received software updates in May last year, following the spread of the WannaCry ransomware. IHiS had circulated instructions to update all Windows servers. In July this year, Mr Tan learnt that the exploited server was infected with a virus.

Automatic anti-virus software updates could not be made to the server as the software was too old. Mr Tan had to disconnect the server from the SingHealth network to manually install the anti-virus software. Only then could the virus signatures be updated.

On July 10, when Mr Tan scanned the server, he detected three security threats: Two had been cleaned up but one had been "quarantined".

The intrusions on SingHealth's electronic medical records system began undetected on June 27 before being discovered on July 4 and terminated by an IHiS employee. The Cyber Security Agency of Singapore and upper management at IHiS and SingHealth were told of the attack on July 10.

That was when Ms Yong realised Mr Tan had been managing the server. She had given a directive in 2014, under a previous role, that IHiS would not manage eight research servers, and they came under Mr Tan's care.

The exploited server was not supposed to be among the eight, and the public hearings have not addressed how IHiS lost oversight of it.

Asked by COI chairman Richard Magnus, Ms Yong said she would review processes and structures for greater accountability.
