IHiS sacks 2 employees, slaps financial penalty on CEO over lapses in SingHealth cyber attack

SINGAPORE - The technology agency pulled up for its lapses in last June's cyber attack on SingHealth has fired two employees and imposed "significant financial penalty" on five members of its senior management team, including its chief executive.

In a statement on Monday (Jan 14), the Integrated Health Information Systems (IHiS), the central IT agency responsible for Singapore's healthcare sector, said: "IHiS takes a serious view of the incident and the need for accountability."

The cyber attack resulted in the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong, being stolen by hackers, and the lapses by IHiS were highlighted by a high-level panel that probed the incident.

The disciplinary action follows the release of a 453-page public report last week by the Committee of Inquiry (COI) probing the incident.

On Monday, IHiS said that two individuals found to be negligent during the data breach will have their services terminated.

One was a team lead in the infrastructure systems team. While he had the necessary technical competencies, his attitude towards security and his set-up of the servers introduced unnecessary and significant risks to the system. The other was a senior manager in charge of cyber security at IHiS. He held a mistaken understanding of what constituted a security incident and when a security incident should be reported.

"His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber attack," said IHiS.

One key recommendation is that SingHealth appoint its own cyber-security "risk man" rather than rely solely on its IT management vendor, Integrated Health Information Systems (IHiS), for such oversight.

A cluster information security officer will be demoted and redeployed to another role.

He was found to have misunderstood what constituted a security incident and failed to comply with IHiS' incident reporting processes.

The disciplinary panel took into account mitigating factors such as his lack of aptitude, which made him unsuitable for the role.

On the financial penalty imposed on five senior management team members, IHiS said this was "for their collective leadership responsibility". The five include CEO Bruce Liang. In addition, two middle-management personnel, who were supervisors of the sacked employees, will bear "moderate" financial penalties.

"The CEO and management team have acknowledged their responsibilities and accepted the penalties. They have committed to leading IHiS to improve our cyber-security defence and preparedness, and rebuild public trust in our healthcare system," IHiS said, adding that three employees were commended for demonstrating resourcefulness in managing the cyber attack.

Mr Paul Chan, chairman of IHiS board, said: "The cyber attack has been a reminder of our need to be ever more vigilant and prepared for new cyber threats. Patient care will continue to be our priority."

Human resource experts said financial penalties would likely come in the form of bonus reduction. Singapore Human Resources Institute president Erman Tan said: "This is so that... they see a duty to safeguard personal data."

This article was first published in The Straits Times. Permission required for reproduction.