Two sacked over SingHealth attack; financial penalties for IHiS CEO & senior management
IHiS finds their negligence had contributed to data breach; also penalises five senior management members, including CEO
Two employees from Integrated Health Information Systems (IHiS), the IT agency at the centre of the SingHealth cyber attack last June, have been sacked after being found to have been negligent in their roles.
Significant financial penalties were also imposed on five members of IHiS' senior management, including chief executive Bruce Liang, for their collective leadership responsibility.
In addition, a cluster information security officer (cluster ISO) has been demoted and re-deployed to another role, while a moderate financial penalty was also imposed on two middle management supervisors of the two terminated employees.
Singapore's worst cyber attack saw the personal data of 1.5 million SingHealth patients and the outpatient medication records of 160,000 people, including Prime Minister Lee Hsien Loong, stolen by a sophisticated and skilled attacker.
A Committee of Inquiry (COI), chaired by retired judge Richard Magnus, was convened to look into the incident. It released a 453-page public report of its findings and recommendations last week.
IHiS said in a statement yesterday that it takes a serious view of the incident and the need for accountability.
The decisions come after recommendations by an independent panel, appointed by IHiS' board to examine the roles, responsibilities and actions of the staff involved, were fully accepted.
The two who were fired from IHiS were a Citrix team lead and a security incident response manager (SIRM).
"Whilst there was no intent to cause or facilitate the cyber attack, both of them had failed to discharge the responsibilities entrusted on them," IHiS said.
It did not release the names of the individuals penalised.
According to the statement, the sacked Citrix team lead had the necessary technical competencies, but his attitude towards security and his set-up of the Citrix servers, which played a critical role in the cyber attack, introduced unnecessary and significant risks to the system.
In the case of the sacked SIRM, his passiveness, despite repeated alerts by his staff, led to missed opportunities to prevent the attack and the resulting data breach.
IHiS said that in making the decision to demote and re-deploy the cluster ISO, mitigating factors like his lack of aptitude were taken into consideration.
He was found to have misunderstood what constituted a security incident and failed to comply with IHiS' incident reporting processes.
At the same time, three IHiS staff members were commended for being proactive and demonstrating resourcefulness in managing the cyber attack. They were also not named.
IHiS board chairman Paul Chan said: "IHiS will learn from this incident and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this."
In the COI's report, which gave a detailed account of the SingHealth attack, the committee had found that the assistant director of IHiS' systems management department Lum Yuan Woh, who led the Citrix team, did not report the cyber attack despite the knowledge that a local administrator account had been compromised, as he did not think the breached account could do any harm.
The committee found that the response by Mr Lum and the Citrix team was "inadequate on the whole".
It also found then SingHealth SIRM Ernest Tan Choon Kiat's definition of a security incident was "clearly misguided" and he had prioritised user complaints over security matters.
The report said: "These are clear failings in the discharge of his duties as the SIRM. Yet at the same time, his comments and failure to act are suggestive of deeper cultural issues within the organisation as to where priorities should lie."
Health Minister Gan Kim Yong and Minister-in-Charge of Cyber Security S. Iswaran will give statements in Parliament today in response to the COI's findings.