SINGAPORE: Integrated Health Information Systems (IHiS) senior manager Ernest Tan on Wednesday (Oct 31) returned to the stand to shed more light on the reasons why he did not report suspicious network activities to his superiors, after previously unavailable chat logs between him and his colleagues were provided to him.



Mr Tan said the chat logs were from TigerConnect, a workplace messaging platform that deletes messages after a stipulated period of time.



The messages included those from seven other individuals from his team - Benjamin Lee, Wee Jia Huo, Muhammad Azzlan Zainuddin, Alvin Chua, Lum Yuan Woh, Zac Lim and Sean Navin - between Jun 13 and Jul 9, the period during which the cyberattack was conducted.



In several of the chat logs, his subordinates had flagged suspicious activities but Mr Tan chose not to escalate these to higher-ups for various reasons.





One example was on Jun 26, when a conversation about access to the Citrix servers using a certain user account took place. Mr Tan said he found this action to be “weird” but said he “was not concerned” when his subordinate Benjamin indicated “it’s possible that the attacker guessed the password”.



“I was not concerned by this, as Benjamin was only proposing a possible means by which the account had been compromised,” the senior manager said. “He was not confirming that this was how the account was compromised.”



Mr Tan was giving testimony in the third tranche of public hearings held by the Committee of Inquiry looking into the cyberattack targeting SingHealth in June this year.

The online attack is Singapore’s most serious breach of personal data to date, in which 1.5 million patient records were accessed and 160,000 individuals had their outpatient dispensed medicine records taken, including those of Prime Minister Lee Hsien Loong.



“IF I REPORT THE MATTER, WHAT DO I GET?”



Another instance was on Jul 4 - the day the cyberattack was discovered and thwarted by another IHiS employee Katherine Tan - when Benjamin told him “we really need to escalate into incident … Seems like someone managed to get into SCM (Sunrise Clinical Manager) db (database) already … Attack is going on right now”.



To this, Mr Ernest Tan said he “did not see any reason to report the incident upwards” and did not agree with his subordinate’s assessment.



He added: “To me, I need to be able to obtain all the following information before the matter is reportable:



a. All the information about the impact of the attack;

b. The identity of the attacker;

c. Where the attack is coming from;

d. Whether the attacker is an ‘internal’ or ‘external’ attacker i.e. whether the attacker is a SingHealth user or whether the attacker is from outside of SingHealth;

e. Whether data in the SCM database had in fact been accessed;

f. Whether there was more than one instance of access to the SCM database.”



The senior manager added that his focus was “on isolation and containment” and the fact that patient data had been accessed “just aroused (his) suspicions” but not enough for him to flag it to management.



Mr Ernest Tan’s mindset towards incident reporting could perhaps be best captured by the message he sent to his team on Jul 6, in which he said: “As mentioned, we need to isolate, contain and defend first … our tightening by infra is not strong enough … even if report now (and) bring down the experts, they’ll say our tightening is not well done … once we escalate to mgt, there will be no day no night … everyone I meant everyone in IHiS will be working non-stop on this case.”



He acknowledged that at this point it occurred to him that he should report the incident to management, but he chose not to, reiterating that he was “so busy” isolating, containing and defending against the incident.



“In fact, I thought to myself: ‘If I report the matter, what do I get?’ If I report the matter, I will simply get more people chasing me for more updates,” the senior manager said, adding reporting would “add a lot of pressure” on his team as external agencies like the Cyber Security Agency (CSA) and Ministry of Health would want information from them.



The IHiS senior manager mentioned he was asked to inform Ms Serena Yong, director for infrastructure services at IHiS, about the incident on Jul 7, but he said he did not want to, as he “was too stressed to work that weekend”. There was a meeting on Jul 9 to run through the events, he added.



Asked by IHiS lawyer Philip Jeyaretnam to clarify the reason for the “stress”, Mr Ernest Tan turned emotional and teared up while recounting that his mother was ill and had to go to the hospital on Jul 6. His family, knowing he had a lot of work to clear then, did not want to bother him.



TAN’S CRITERIA FOR INCIDENT REPORTING “NOT REQUIRED”: SINGHEALTH GCIO



However, the second witness for the day, IHiS’ Benedict Tan, said the information needed to report IT incidents as stated by Mr Ernest Tan was “not required”.



Mr Benedict Tan, who is SingHealth’s Group Chief Information Officer (GCIO), told the court that he valued the need for speed over the channel used when it comes to incident reporting.



“In my opinion, the speed of reporting is more important than the chain of reporting,” he said in his testimony.



He also took issue with Mr Ernest Tan’s claim that reporting the incident would have put a lot of pressure for information on him and his team, leaving them unable to tackle the incident.



“The entire IHiS would be mobilised (as a result of the incident),” Mr Benedict Tan said, adding that more resources would be added to aid in the efforts to contain and nullify the threat.



“A single team (like Mr Ernest Tan’s) will not lead the effort,” he added.



SHOULD HAVE "PRESENCE OF MIND" TO IDENTIFY ADVANCED PERSISTENT THREATS: IHIS DIRECTOR



The day's third witness, IHiS' director of Cyber Security Governance Chua Kim Chuan, pointed out that as part of the rules set by the Cyber Security Agency of Singapore, all critical sectors are required to run cybersecurity exercises annually for their critical information infrastructure (CII) operators.

Mr Chua shared in his testimony that three table-top exercises were conducted for SingHealth since 2016, and these exercises were to "understand the CII owners' and IHiS' effectiveness and preparedness in responding to cyberattacks". Mr Ernest Tan was one of the participants in the 2017 edition, he added.

The executive told the court that advanced persistent threats (APTs) were used in all of these exercises as one of the threats to train on. Minister for Communications and Information S Iswaran had previously said the SingHealth incident was “the work of an APT group” that is “usually state-linked”.



"Staff should have the presence of mind to identify APTs," Mr Chua said.

COI panel member T K Udairam asked the IHiS director why Mr Ernest Tan had not learnt to flag such incidents, given that he had gone for such table-top exercises.

To this, Mr Chua said that in a classroom setting like this, participants would have responded to the task at hand as a confirmed incident, unlike the SingHealth cyberattack.

"Take them outside the classroom setting (and their) situation awareness may not be there," he added.

Mr Udairam then pointed out that the lack of such awareness would appear to have defeated the purpose of these exercises.

Some of the hearings on Wednesday were held behind closed doors in the interests of national security as the evidence given may be sensitive in nature. The hearings are expected to continue on Thursday.