IHiS terminates two employees, demotes one, fines seven following COI report on SingHealth cyber attack

Following the release of the full report on the SingHealth cyber attack last July by the Committee of Inquiry (COI) on Thursday (10 Jan), SingHealth’s information technology arm Integrated Health Information Systems Private Limited (IHiS) has decided to impose penalties on several staff members found to have been negligent in dealing with signals of potential cybersecurity breaches leading up to the attack.

In a statement on Monday (14 Jan), IHiS announced that such penalties range from termination of employment to financial penalties and demotion.

Two employees terminated due to negligence and “non-compliance of orders”

IHiS revealed that it has terminated two staff members, as “both of them had failed to discharge the responsibilities entrusted on them” despite having “no intent to cause or facilitate the cyberattack”.

“Two individuals – a Team Lead in the Citrix Team and a Security Incident Response Manager – were found to be negligent and in non-compliance of orders, which resulted in security implications and contributed to the unprecedented scale of the incident.

“While the Citrix Team Lead had the necessary technical competencies, his attitude towards security and his setup of the servers introduced unnecessary and significant risks to the system. He could have mitigated the effects of the attack if he had exercised proper compliance and management of the servers.

“The Security Incident Response Manager had persistently held a mistaken understanding of what constituted a ‘security incident’, and when a security incident should be reported. His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber-attack,” IHiS elaborated.

One employee demoted due to “failure to comply with IHiS’ incident reporting processes”

One Cluster Information Security Officer, according to IHiS, “will be demoted and re-deployed to another role”, as he “was found to have misunderstood what constituted a ‘security incident’ and failed to comply with IHiS’ incident reporting processes”.

“The Panel took into consideration mitigating factors such as his lack of aptitude which made him unsuitable for the role,” added IHiS.

Seven staff members fined, including IHiS’ CEO, for “collective leadership responsibility”

IHiS has also fined seven of its staff members, including CEO Bruce Liang, for “their collective leadership responsibility”.

“A significant financial penalty will be imposed on 5 members of the IHiS senior management team, including the CEO,” said IHiS, while “a moderate financial penalty will be imposed on 2 middle management supervisors who were supervisors of the two staff terminated”.

“The CEO and management team have acknowledged their responsibilities and accepted the penalties,” IHiS noted.

Letters of commendation issued to three staff members for “proactive” measures and “resourcefulness” in handling the attack

However, not all staff members who were responsible for stopping the cybersecurity breaches were penalised by IHiS.

IHiS awarded Letters of Commendation to “3 IHiS staff from the Database Management Team, SCM Production Support Team, and Security Management Team respectively” for their “diligence in handling the incident beyond their job scope and responsibilities”.

“They were proactive and demonstrated resourcefulness in managing the cyberattack,” it noted.

Independent HR panel selected to “assess the appropriate HR actions to be taken”

IHiS noted that in deciding on the appropriate penalties and commendations, “an independent Human Resource (HR) Panel” was formed “to examine the roles, responsibilities and actions of the IHiS staff involved, and assess the appropriate HR actions to be taken”.

“The Panel was chaired by an IHiS Board Director, and comprises two other members from the public and private sectors, with HR and IT experience,” said IHiS.

“The Panel has examined the roles and responsibilities of IHiS staff involved in the incident, and conducted interviews to understand the facts of the case and the staff’s perspectives.  It has completed its work and submitted its recommendations to the IHiS Board,” added IHiS, and emphasises that the recommendations were “fully accepted” by the Board.

IHiS said: “In recommending the HR actions to be taken, the Panel noted the sophistication and skill of the cyber-attacker. Notwithstanding the nature of the attack, there were factors within IHiS which were exploited by the attacker in the incident.”

“A number of individuals within the IHiS organisation were in a position to mitigate or avert the extent of the attack, but had failed to adequately discharge their responsibilities,” it stressed.

Chairman of the IHiS Board Paul Chan thanked the HR Panel for “their comprehensive evaluation and recommendations”, adding that the cyberattack “has been a reminder of our need to be ever more vigilant and prepared for new cyber threats”.

“IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this,” concluded Mr Chan.