Two key figures in the SingHealth Cyber-attack. Ms Ivy Ng, CEO of SingHealth and Mr David Koh, Head of Cyber Security Agency.

COI on cyber security breach at SingHealth, reveals certain troubling attitudes within upper echelons of power in Singapore

The public Committee of Inquiry (COI) set up to investigate the high profile cyber security breach at SingHealth earlier this year has revealed certain troubling attitudes within the upper echelons of power in the Integrated Health Information Services (IHiS).

The latest revelation is the sacking of an employee who had discovered a vulnerability within the databases of IHiS. According to reports, this employee was unhappy with his job scope at IHiS and took the misguided decision to contact a rival of IHiS in relation to this vulnerability. Unfortunately for him, instead of the competitor gratefully offering him a job, the rival contacted IHiS and informed them of this employee’s actions.

While this employee should not have contacted a rival, it is unfortunate that IHiS did not take any follow up action in relation to the vulnerability. Instead of finding out more about the vulnerability and looking at ways to rectify the problem, IHiS decided to sack the errant employee immediately and leave it at that. Why didn’t IHiS take the opportunity to use this employee’s knowledge and skills to find out more about the vulnerability? Has the upper management of IHiS taken too rigid a view to employees who do not toe the line?

I understand that it is unethical for the employee of one company to snitch on his employers to a competitor. However, if IHiS was pragmatic and realistic about the situation, they would have found a way to motivate this disgruntled employee while leveraging off his obvious talents to its own benefit. Was IHiS blindsided with their need to punish? Is this a prevalent attitude in Singapore, which has been extended to the civil service and government linked companies? Are we too eager to punish those who have the temerity to challenge those in authority such that we miss the forest for the trees?

In the case of the SingHealth hack, it has become apparent that the attack could have been prevented, or least, minimised. There were so many missteps on the part of IHiS. It beggars belief that a vulnerability that is exposed and handed on a plate to senior management could have been simply ignored the way it was. Even if the CEO of IHiS decided to sack the errant employee without trying to use his in-depth knowledge on the vulnerability, the fact that she did nothing on her part to investigate the vulnerability further is beyond negligent!

What is our selection criteria for upper management? Is it a lack of foresight? Are they too focused on punishment without a corresponding interest in ensuring the viability of the entity? This former CEO is clearly misplaced in a corporate setting. She may fare better in law enforcement where punishment is of paramount concern.

This COI is a good example of why COIs are so important for accountability. If the COI had not been conducted, none of these missteps and errors would have been made public. They would likely have been swept under the carpet until the next disaster.