SINGAPORE: Integrated Health Information Systems (IHiS) senior manager Ernest Tan on Wednesday (Oct 31) returned to the stand to shed more light on the reasons why he did not report suspicious network activities to his superiors, after previously unavailable chat logs between him and his colleagues were provided to him.
Mr Tan said the chat logs were from TigerConnect, a workplace messaging platform that deletes messages after a stipulated period of time.
The messages included those from seven other individuals from his team - Benjamin Lee, Wee Jia Huo, Muhammad Azzlan Zainuddin, Alvin Chua, Lum Yuan Woh, Zac Lim and Sean Navin - between Jun 13 and Jul 9, during which the cyberattack was conducted.
In several of the chat logs, his subordinates had flagged suspicious activities but Mr Tan chose not to escalate these to higher-ups for various reasons.
One example was on Jun 26, when a conversation about access to the Citrix servers using a certain user account took place. Mr Tan said he found this action to be “weird” but said he “was not concerned” when his subordinate Benjamin indicated “it’s possible that the attacker guessed the password”.
“I was not concerned by this, as Benjamin was only proposing a possible means by which the account had been compromised,” the senior manager said. “He was not confirming that this was how the account was compromised.”
Mr Tan was giving testimony in the third tranche of public hearings held as part of the Committee of Inquiry into the cyberattack targeting SingHealth in June this year.
The online attack is Singapore’s most serious breach of personal data to date, in which 1.5 million patient records were accessed and 160,000 individuals had their outpatient dispensed medicine’s records taken, including that of Prime Minister Lee Hsien Loong.
“IF I REPORT THE MATTER, WHAT DO I GET?”
Another instance was on Jul 4 - the day the cyberattack was discovered and thwarted by another IHiS employee Katherine Tan - when Benjamin told him “we really need to escalate into incident … Seems like someone managed to get into SCM (Sunrise Clinical Manager) db (database) already … Attack is going on right now”.
To this, Mr Ernest Tan said he “did not see any reason to report the incident upwards” and did not agree with his subordinate’s assessment.
He added: “To me, I need to be able to obtain all the following information before the matter is reportable:
a. All the information about the impact of the attack;
b. The identity of the attacker;
c. Where the attack is coming from;
d. Whether the attacker is an ’internal’ or ‘external’ attacker i.e. whether the attacker is a SingHealth user or whether the attacker is from outside of SingHealth;
e. Whether data in the SCM database had in fact been accessed;
f. Whether there was more than one instance of access to the SCM database.”
The senior manager added that his focus was “on isolation and containment” and the fact that patient data had been accessed “just aroused (his) suspicions” but not enough for him to flag it to management.
Mr Ernest Tan’s mindset towards incident reporting could perhaps be best captured by the message he sent to his team on Jul 6, in which he said: “As mentioned, we need to isolate, contain and defend first … our tightening by infra is not strong enough … even if report now (and) bring down the experts, they’ll say our tightening is not well done … once we escalate to mgt, there will be no day no night … everyone I meant everyone in IHiS will be working non-stop on this case.”
He acknowledged that at this point in time, it occurred to him he should report the incident to the management but chose not to, reiterating that he was “so busy” isolating, containing and defending the incident to do so.
“In fact, I thought to myself: ‘If I report the matter, what do I get?’ If I report the matter, I will simply get more people chasing me for more updates,” the senior manager said, adding reporting would “add a lot of pressure” on his team as external agencies like the Cyber Security Agency (CSA) and Ministry of Health would want information from them.
The IHiS senior manager mentioned he was asked to inform Ms Serena Yong, director for infrastructure services at IHiS, about the incident on Jul 7, but he said he did not want to, as he "was too stressed to work that weekend”. There was a meeting on Jul 9 to run through the events, he added.
Asked by IHiS lawyer Philip Jeyaretnam to clarify the reason for the “stress”, Mr Ernest Tan turned emotional and teared while recounting his mother was ill and had to go to the hospital on Jul 6. His family, knowing he had a lot of work to clear then, did not want to bother him.
TAN’S CRITERIA FOR INCIDENT REPORTING “NOT REQUIRED”: SINGHEALTH GCIO
However, the second witness for the day, IHiS’ Benedict Tan, said the information needed to report IT incidents as stated by Mr Ernest Tan was “not required”.
Mr Benedict Tan, who is SingHealth’s Group Chief Information Officer (GCIO), told the court that he valued the need for speed over the channel used when it comes to incident reporting.
“In my opinion, the speed of reporting is more important than the chain of reporting,” he said in his testimony.
He also took issue with Mr Ernest Tan’s claim that the consequence of his reporting of the incident would have resulted in a lot of pressure for information on him and his team, which would result in them not being able to tackle the incident.
“The entire IHiS would be mobilised (as a result of the incident),” Mr Benedict Tan said, adding that more resources would be added to aid in the efforts to contain and nullify the threat.
“A single team (like Mr Ernest Tan’s) will not lead the effort,” he added.
The hearings will continue in the afternoon, with some of these to be held behind closed doors in the interests of national security as the evidence given may be sensitive in nature.
Read more at https://www.channelnewsasia.com/new...s-reluctance-to-report-suspicious-it-10882890