When ex-SMRT chief Desmond Kuek raised “cultural issues’’ as a reason for the train operator’s mishaps, he didn’t say exactly what he meant. We had to surmise that they had to do with disregard for standard operating processes and even safety protocols, a lack of rigorous checks and an overall lackadaisical attitude towards maintenance work. Hence delayed train services, a flooded tunnel and even deaths.
But the SingHealth IT chaps take the cake when it comes to blunders. What emerged from five days of public hearings into how the health data of 1.6 million people could have been hacked is a bo chup (couldn’t-care-less) culture. Some phrases to illustrate this: “don’t know got problem’’, “not my problem’’, “not a big problem’’, “normal problem’’, “other people’s problem’’.
It’s disconcerting that such attitudes prevail at a time when there have been so many exhortations to stay alert to cyber intrusions and so many examples of the harm that can be done. You wonder at first if security and protection protocols are keeping pace with the progress of Smart Nation initiatives. You also wonder if the problem is “technical’’, because technological advances, changes and “solutions’’ occur in leaps and bounds before you can catch your breath. There’s simply too little time to keep pace with yet another genius hacker.
Or is the fundamental problem a “cultural’’ one, that is, it is an attitude problem rather than an ability problem? It seems like this is more the case despite repeated statements that the hacking was a sophisticated exercise.
You don’t need a cyber brain to discern the import of the near-comical series of “confessions’’.
From what I can gather, here’s what happened:
First, the hacker used a publicly available hacking tool to get into an end-user workstation. This was easy because the workstation was running an old version of Microsoft Outlook that had not been patched against the weakness the tool exploited. This happened in August 2017.
Once in, the hacker started sniffing around between December 2017 and May this year. He found that there were inactive administrative accounts that still connected to the medical records database. These accounts should have been deactivated, or firewalled off, because the data had already been moved somewhere else, to a private cloud. One administrator account also had a silly password: P@ssw0rd.
Once through to the next-level server, he started making bulk queries for data. Because this system didn’t have rules to detect such queries, he was able to exfiltrate data from June 27 to July 4.
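Two of the missing controls in that account (nobody noticing a dormant admin account coming back to life, and nobody noticing bulk queries against the records database) are simple to check for once the audit log is being read at all. The following is an added example, not code from the article or from SingHealth or IHiS, and it assumes a constructed audit log with one record per login or query, each carrying a timestamp, an account name and the number of rows returned, plus a constructed directory of when each account was last legitimately active. Account names, thresholds and window sizes are illustrative.

```python
"""Added example (not from the article or from SingHealth/IHiS): two simple
detections for the gaps described above.

Assumptions (all constructed for illustration):
  * database logins and queries land in an audit log with one record per event
  * each record carries a timestamp, the account name and, for queries,
    the number of rows returned
  * an account directory records each account's last legitimate activity
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, account, event, rows_returned)
SAMPLE_LOG = [
    ("2018-06-27T01:00:00", "dbadmin_old", "login", 0),
    ("2018-06-27T01:05:00", "dbadmin_old", "query", 50000),
    ("2018-06-27T01:10:00", "dbadmin_old", "query", 50000),
    ("2018-06-27T01:15:00", "dbadmin_old", "query", 50000),
    ("2018-06-27T09:00:00", "clinic_app", "query", 20),
    ("2018-06-27T09:01:00", "clinic_app", "query", 15),
    ("2018-06-27T09:02:00", "clinic_app", "query", 40),
]

# Constructed account directory: account -> last legitimate activity
LAST_ACTIVE = {
    "dbadmin_old": "2017-11-30T12:00:00",   # idle since the data migration
    "clinic_app": "2018-06-26T17:00:00",
}

DORMANT_AFTER = timedelta(days=90)   # illustrative thresholds
BULK_WINDOW = timedelta(minutes=30)
BULK_ROWS = 100_000


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def dormant_account_logins(log, last_active, dormant_after=DORMANT_AFTER):
    """Flag logins by accounts idle for longer than dormant_after.
    Returns [(account, timestamp, days_idle)]; unknown accounts get None."""
    alerts = []
    for ts, account, event, _ in log:
        if event != "login":
            continue
        seen = last_active.get(account)
        if seen is None:
            alerts.append((account, ts, None))   # not in the directory: always flag
            continue
        idle = parse(ts) - parse(seen)
        if idle > dormant_after:
            alerts.append((account, ts, idle.days))
    return alerts


def bulk_query_alerts(log, window=BULK_WINDOW, threshold=BULK_ROWS):
    """Sliding-window sum of rows returned per account; alert the first time
    an account exceeds threshold within window. Returns [(account, ts, rows)]."""
    windows = defaultdict(deque)   # account -> deque of (datetime, rows)
    totals = defaultdict(int)
    alerts = []
    flagged = set()
    for ts, account, event, rows in sorted(log, key=lambda r: r[0]):
        if event != "query":
            continue
        now = parse(ts)
        q = windows[account]
        q.append((now, rows))
        totals[account] += rows
        # drop events that have fallen out of the window
        while q and now - q[0][0] > window:
            _, old = q.popleft()
            totals[account] -= old
        if totals[account] > threshold and account not in flagged:
            flagged.add(account)
            alerts.append((account, ts, totals[account]))
    return alerts


if __name__ == "__main__":
    for a in dormant_account_logins(SAMPLE_LOG, LAST_ACTIVE):
        print("DORMANT LOGIN", a)
    for a in bulk_query_alerts(SAMPLE_LOG):
        print("BULK QUERY", a)
```

On the constructed sample the first check flags the long-idle admin account at its first login, and the second flags it once its rolling row count passes the threshold; the clinic application, with its small row counts, stays quiet. The real thresholds would come from a baseline of normal query volume per account, and the point is less the numbers than that somebody owns the alert when it fires.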
His snooping was stopped by a staffer, Ms Katherine Tan, who wasn’t clear about what she was supposed to do with the knowledge. Her boss, Ms Teresa Wu, told her to ask colleagues but no one replied to her email. Ms Tan assumed that someone would have escalated the matter upstairs by now. (No, she didn’t say that was her boss’ job, going by the COI news reports.)
During the investigations into the breach, a compromised server at the National Cancer Centre was found. It hadn’t been patched in 14 months.
What’s worse is that the higher-ups already knew that there was a vulnerability in the system way back in 2014, when a disgruntled staffer decided to tell a vendor about the loophole. His bosses were alerted to his action and he was sacked for the ethical breach. They didn’t check the veracity of his claim about a loophole.
Even when it became clear that there was an attack, they didn’t even think it was a serious security incident. Or at least not a reportable one.
It could have been classed as a series of unfortunate events or a comedy of errors if we weren’t also exposed to attempts to re-direct responsibility or shabby excuses.
- Mr Clarence Kua, deputy director of the Chief Information Officer’s Office at the Integrated Health Information System, said he was more concerned about the ethical breach by the staffer than about his allegation of a vulnerability. That was because that appeared to be what his CEO boss, Dr Chong Yoke Sin, was interested in. He even admitted that he wasn’t a person to exercise initiative, but one to take orders. His reporting officer, Ms Foong Lai Choong, also thought that the “case was closed’’ with the dismissal.
(In other words, I just do what my boss says)
- Then there was Mr Tan Aik Chin, a senior manager at the NCC, who said he “inherited’’ the server after one colleague quit and another died. He did so out of “goodwill’’ even though he had little technical expertise and was on the business side. In fact, this server seems to be nobody’s child. Ms Serena Yong of iHIS didn’t even know who was supposed to be managing the server, or whether iHIS had oversight of it.
(Which also means: How did this become MY problem?)
- Mr Wee Jia Hou, cluster information security officer at iHIS, said he didn’t have a framework for reporting cyber-threats. He depended on Mr Ernest Tan Choon Kiat, who is in charge of security management, to alert him. He merely glanced at emails which referred to the matter.
(Nobody told me about a problem, not loudly anyway)
- But during that critical period, Mr Tan was on leave and Mr Wee made no arrangements for “cover’’ either. When Mr Tan returned on July 18, he thought the whole fuss was just a malware investigation of a front-end workstation, and therefore not a “reportable security incident’’. Even if so, it wasn’t his job to escalate the matter. That was Mr Wee’s job.
(It’s not a problem, and even if so, it’s not my problem)
What can we make of all this buck-passing, deference to authority and lack of initiative, personal accountability and responsibility? I suppose it would be tough to deal with “human’’ folly and foibles, but it does seem that the whole electronic medical records system needs a dusting down, or an external audit of systems and processes, to ensure clear reporting lines and timely alerts.
What I am a little surprised by is why the COI didn’t go further back in time to ask why internet separation hadn’t been employed earlier, like it was for other government agencies. The response from the G that they had been assessing its suitability for the healthcare sector for the past two years doesn’t seem to hold much water given that it took just two days or so to effect the change. Perhaps, this wasn’t the part of the COI’s remit…
I just hope this sort of bo chup culture doesn’t prevail in big organisations. How can we trust them with data if they don’t think it’s worth going the extra mile (or just the right mile) to protect them?