The twists, turns and the web of intrigue surrounding the deletion of data in the National Medicines Regulatory Authority (NMRA) grows and far from distorting, the who dunnit may slowly be emerging. What appeared to be an innocuous act of human error at the time, is taking the familiar route of a scam, something for which Sri Lanka is fast becoming a paradise. Last week the CID arrested the software engineer, formerly a lieutenant in the navy, who owned up to deleting the files. He had been working for Epic Lanka Technologies (ELT) for some 2. 5 years before he got embroiled in the scam. Despite his admission, the CIDs first choice of arrest was the CEO of the company who was later released on bail. The engineer’s arrest came belatedly and he was refused bail by the Colombo Additional Magistrate who said a reasonable time will be needed to investigate the incident further because of its complexities and subtleties. At the time the engineer is said to have deleted the files on 9 July, he had handed in his resignation to the company which had accepted it and he was completing a mandatory knowledge transfer period of six weeks. But following the incident, Epic asked the engineer to withdraw the resignation until the matter is resolved. The engineer continues to be a salaried employee even though the company has relieved him of his duties. In general a security incident could be due to internal reasons which are intentional or unintentional or it could be from external sources. Known as the 20/80 rule, while the number of incidents due to external reasons are higher than for internal reasons, the damage to the system is less whereas the number of incidents due to internal reasons are low but the damage is far greater. Irrespective of whether it is an internal or external incident, it has to be a decision of a company’s top management how the damage should be rectified and whether or not its addressed while the system is ongoing or when it is shut down. This continuity is decided based on the need for the availability of the system as opposed to the damage which is caused by not shutting it down. Samagi Jana Balawegaya MP Harin Fernando revealed in parliament last week that the engineer will be joining an entertainment company, which he alluded to as belonging to a friend of President Gotabaya Rajapakse. In further revelations, Fernando stripped bare some of the claims made by State Minister of Production, Supply and Regulation of Pharmaceuticals Channa Jayasumana in parliament, showing him up as a liar. Jayasumana told parliament that the data that was lost was limited to the period between September 2019 and July 9 this year and some 5925 files were deleted. The data in about 3117 of these files, around 53 percent, had general information connected to the registration of pharmacies and not data about patents. According to annextures he had tabled in parliament 143 files with data about foreign manufacturing site approvals for medicines had been deleted. Other information that had been deleted according to the annexture was 909 files about foreign manufacturing sites for medical devices and 462 files with sample import licenses for medicines. Jayasumana also told parliament that no applications related to the supply of Covid medicines and devices were called for by the eNMRA, the digitized workflow and document management system which was set up by Epic for the NMRA. Contradicting Jayasumana, Fernando read out a notice where on the 26th of October the NMRA had called for the supply of medicines and devices for Covid related material. Eventually, PPE, facemasks, syringes, Rapid Antigen Test kits and PCR kits to the value of 10 billion rupees had been brought into the country and herein is the crux of the issue at a time when the government is dogged by accusations of propagating a pharmaceuticals mafia and monopoly. The fact remains that in October 2020 the CEO of the NMRA gave approval to George Steuart Health (Pvt) Ltd to import Covid related devices. Whether the process to procure the devices was adhered to or not and the cost of any digression will be something that will have to determined from the audit trail, a facility which the eNMRA introduced.
The contract to develop the eNMRA document and workflow management system was awarded to Epic Lanka Technologies (ELT) in 2018. It took place through a competitive tender and after a stringent evaluation process. The company’s focus is on small scale projects in the government sector. They have about 15 projects which are currently ongoing. 50 percent of ELT is owned by Epic Lanka and 90 percent of its focus is on the banking and financial services sector. In its 23 years of service the company has implemented over 100 large-scale ICT solutions including mission-critical systems, in private and public sector organizations both in Sri Lanka and South -East Asia. They have about 14 banks on their client list and their transactions run into trillions of rupees every month and there have been no glitches. In keeping with the company’s contractual obligations it had separate file server each for data in the main database and heavy documents such as attachments, in the Lanka Government Cloud.
Around 6000 applications from some 150 vendors were in the pipeline when the attachments were deleted. The data which was deleted are the attachments or supporting documents which are submitted with the applications. This is non sensitive information which is in the public domain and include company profiles and brochures, research papers and information about patents is also provided to prevent infringement. One of the ways to deal with the current crisis is by asking the applicants to re submit their attachments because the vital information that is needed to make a decision is contained within the body of the application and which is intact. Epic has offered to provide the infrastructure to do this. It was also preparing for a forensics recovery process to retrieve the attachments. A court order prohibiting them from accessing the system prevented them from carrying out the forensic recovery process but the court subsequently directed the NMRA, ICTA and Epic to jointly recover the deleted attachments and a reluctant NMRA, which has been dragging its feet has offered to provide a hard disk of the database.
In addition to retrieving the deleted attachments, a forensics recovery process will also identify what went wrong including whether the act was one of sabotage and who the responsible party was. Before a forensics investigation takes place, the police have to be informed and a copy of the hard disk has to be taken using write blocker and hash computer to ensure its integrity and authority and this information has to be registered. Another copy of the original copy has to be made and kept in safe custody to be handed over for forensic purposes only. The chain of custody of the disks has to be recorded. But a forensics recovery process will also minimize damage in the future
Among the criticisms of the eNMRA is that it did not have a Disaster Recovery System (DRS) in place. The deleted attachments could have been retrieved in one day if so. Epic is a software developer and providing a DRS was not a part of its scope. Nevertheless during several rounds of talks that they had with ICTA and the NMRA it was suggested that a DRS is put in place with the help of another company. These talks however did not go beyond February or March this year and it was also around this time that the NMRA was going through an upheaval and the resignation of several of its Board members.
The introduction of the eNMRA was not plain sailing with opposition to the digitalization from outside and within the NMRA. Following its implementation there were complaints that the system was slow or that it did not work but the complaints were addressed and proven it was not the system that did not work.
Prior to digitalization, applications were submitted manually and in addition to the time it took to process it which could have been as much as two tears, it also left room for leaving room for malpractice. When an importer sent in an application, there are around 150 importers, there was room for the pharmacist in the NMRA who processes the application to be selective about which importers application can be chosen for processing. Similarly, an importer could have handpicked a pharmacist to favour and process their application. With the new workflow system an algorithm would assign the application to a pharmacist, minimizing room for malpractice. Nevertheless the system was not completely foolproof because manual applications continued to be accepted, including those for the provision of Covid related medicines and devices.
The eNMRA system was introduced to streamline and to make the application process operationally efficient. Additionally, it allows workflow activities to be tracked and keeps records of them as audit trails, strengthening the integrity of the NMRA’s processes. A return to the manual system will make room for a return of old practices and questions of transparency.
