Some “high-risk weaknesses” found during an internal audit in 2016 of the network link between Singapore General Hospital and cloud-based systems that host patient databases were not remedied, a high-level panel looking into SingHealth’s cyber attack heard yesterday.
While it is not known if SingHealth’s attackers had exploited these weaknesses to access the patient databases, the new evidence pointed to more inadequacies at Integrated Health Information Systems (IHiS), tasked to run the IT systems of all public healthcare operators in Singapore.
Mr Bruce Liang, chief executive of IHiS, provided the evidence before the four-member Committee of Inquiry (COI).
Following up on this point with a summary of what was heard privately on Wednesday, Solicitor-General Kwek Mean Luck said yesterday that IHiS’ operations team reported to upper management that action had been taken to plug the flagged vulnerabilities but without anyone verifying that it had been done.
The Cyber Security Agency (CSA) of Singapore spotted the same vulnerabilities – along with others – in its July investigations into June’s cyber attack on SingHealth that led to the biggest data breach here.
CSA said in previous private…