[image from: http://cdn.blog.safe.com/wp-content/uploads/2013/11/no-coding.png]
Lots of interesting, but not surprising, information is being made public about the Singhealth data breach.
The Committee of Inquiry has been told that an IHIS employee found a bug in the Allscripts “Sunrise Clinic Manager” EMR in 2014 and then made the loophole known to a rival of Allscripts, Epic Systems Corporation. Both of these vendors’ products are closed, proprietary and, IMHO, unnecessarily and excessively expensive.
This report (again, this is MSM reporting, so take it with two pinches of salt; you would have to read the court transcript, which I am not sure is available yet, if ever) says that the IHIS employee was “unhappy” that he could not do coding in the job role he was in, and so he decided to contact Epic to tell them of the issue so that it could “… leverage the vulnerability to gain a larger market share” (emphasis mine).
Larger market share? How so? The hospital clusters in Singapore are about evenly locked-in between these two proprietary vendors. Moving from one to another is not a simple thing. And one bug does not even start the thinking process. Who knows if the Epic product has similar issues?
Not being able to ascertain whether the reason offered by the former IHIS employee is indeed valid, it seems to me to be a fluffy afterthought. Having been caught out, the former IHIS employee is offering excuses.
Not Allowed To Code?
I find that reason to be intriguing. Did the job that the IHIS employee took on involve coding? There is no indication in the report. If that was what the person wanted to do, why not channel those skills into an open source project that could use the help? No one will stop you from doing that, unless the terms of employment at IHIS say that a developer “cannot work on any software project other than what is part of the job”.
I have no insights on what the terms of employment are, but here is an example of an enlightened and correct way to encourage developers:
“Participation in an open source project, whether maintained by the Company or by another commercial or non-commercial entity or organization, does not constitute a conflict of interest even where such participant makes a determination in the interest of the project that is adverse to the Company’s interests.”
– taken from page 3 of https://investors.redhat.com/~/media/Files/R/Red-Hat-IR/governance-docs/code-of-business-conduct-and-ethics.pdf
Software developers are artists. Software development is an art form. One would not constrain a painter, so why would one shackle a software developer?
Bug Reporting, Fixing and Regression Testing
If a bug is reported – whether it is “the button is of the wrong shape” or “this option dumps out the entire database”, and assuming that proprietary vendors have a bug reporting process – nope, they don’t – then things can be moved along without too much excitement. All software has bugs. If a vendor (open or closed) does not offer a way to report bugs, you have to demand that there is a way to do it. Red Hat has both bugzilla.redhat.com and access.redhat.com for submitting bug reports on all of the open source projects and open source products (go here for an understanding of the differences between open source projects and open source products) that Red Hat is involved in and makes available to paying customers (access.redhat.com).
Maybe there is some place at Allscripts and at Epic Systems where one can file bug reports, but it is not immediately evident.
Regardless of being able to report bugs, I do wonder how these vendor organizations manage bug reporting, fixing and regression testing. I have to assume that they do it properly (for some definition of properly), but it is telling that an IHiS analyst said he had seen an Allscripts trainer demonstrate the loophole:
“Another witness, however, called the loophole “perfectly normal”. Mr Loo Yew Tuck, senior lead analyst at IHiS’ clinical care department, said that he had seen an Allscripts trainer demonstrate its use and method previously.”
Really? There is a “perfectly normal” loophole? Or did he mean a backdoor (of the NSA type)?
I am particularly concerned with this paragraph, as reported in another MSM report:
“… She also did not know the details of the alleged loophole. Neither did she ask her staff for it to be verified. She also assumed that the problem would be rendered “irrelevant” as IHIS had just upgraded the EMR system architecture”.
If the bug is not reported, how would one know whether it was really an issue and, if so, whether it was indeed fixed? Assuming that an architecture upgrade renders a reported bug “irrelevant” is not the same as verifying it against the upgraded system. Granted, we cannot all be on top of things all the time, but if there isn’t a process to track issues, what then?
“… did only what … was asked to …”
Leadership and empowerment failure. Whether it is real or otherwise is hard to tell. Perhaps there is a culture of empowerment but not everyone got the memo. Or maybe not. I can’t tell.