Friday, September 28, 2018

SingHealth COI hearing: Former IHiS CEO dismissed staff for ethical breach, didn’t probe alleged vulnerability

Dr Chong Yoke Sin says Mr Zhao Hainan’s email to solicit interest from a rival software vendor over an alleged systems vulnerability was “clearly reprehensible behaviour”, but didn’t find out from him personally what the loophole was.
Read more at https://www.channelnewsasia.com/news/singapore/singhealth-coi-hearing-former-ihis-ceo-testimony-dismissed-staff-10769816

Ricky Lim
Giving her testimony during the Committee of Inquiry into the SingHealth cyberattack, Dr Chong recounted how former employee Zhao Hainan, who discovered the alleged vulnerability, was dismissed from IHiS in 2014.
This was because Mr Zhao had contacted a rival vendor over the issue with SingHealth’s Sunrise Clinical Manager (SCM) software.
The software was provided by US vendor Allscripts, but Mr Zhao had emailed a vendor called Epic about a loophole in the system, telling the company to contact him if it wants to leverage this information to increase its market share.

“This alarmed me,” Dr Chong said.
In response to a question by IHiS lawyer Philip Jeyaretnam, she qualified that her concern was not over the purported security breach but of the “ethical breach” that Mr Zhao had committed when he sent that email.
Dr Chong said she instructed Ms Foong Lai Choo, then director of Clinical Apps 1 and the one who implemented the SCM, as well as Mr Clarence Kua, who was then Mr Zhao’s immediate supervisor, to check the system for vulnerabilities.
“However, at the time, I considered this to be primarily a disciplinary issue and not an IT security issue,” Dr Chong said in her statement.
--
So now it is clarified that the staff member who discovered the IT security loophole was fired because of an ethical issue, and not because he raised the security alert and got dismissed for it.

At least this is reasonable.


But in hindsight, why was the security risk not pursued? Probably they thought it was not important, or that they would not be so suay (unlucky) that it would be exploited.

But now it has blown up into a big mess.
--
But what I came across was one who was released early because he raised a security risk: to silence him, in case user management found out, the infra manager found excuses to release him.
WeeSeng Lim
Let's hear from Mr Zhao for his side of the story.
Richard Kee
Fire the messenger and ignore the message.
