SINGAPORE: Integrated Health Information Systems (IHiS) has sacked two employees for their negligence over a cyberattack on SingHealth, which saw the personal information of 1.5 million patients stolen – including that of Prime Minister Lee Hsien Loong. 

IHiS, the central IT agency responsible for Singapore's healthcare sector, said on Monday (Jan 14) it has also imposed a "significant" financial penalty on five members of its senior management, including CEO Bruce Liang, "for their collective leadership responsibility". 

A "moderate" financial penalty will be imposed on two middle management supervisors who were supervisors of the two employees terminated. 

IHiS declined to give further details of the financial penalties.

READ: Singapore health system hit by ‘most serious breach of personal data’; PM Lee's data targeted

READ: If they were looking to embarrass me, they would've been disappointed: PM Lee on SingHealth cyberattackers

The decision comes after IHiS appointed an independent panel in November to examine those involved and to provide a set of recommendations to its board, which has "fully accepted" the recommendations.

TWO INDIVIDUALS SACKED, ONE DEMOTED

A Citrix team lead and a Security Incident Response Manager were found to be "negligent and in non-compliance of orders", which resulted in security implications and contributed to the "unprecedented scale of the incident". 

While the Citrix team lead had the necessary technical competencies, his attitude towards security and his setup of the servers introduced unnecessary and significant risks to the system, IHiS said. 

The Security Incident Response Manager had "persistently held a mistaken understanding" of what constituted a security incident, and when such an incident should be reported. His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effects of the cyberattack, IHiS added.

"Whilst there was no intent to cause or facilitate the cyberattack, both of them had failed to discharge the responsibilities entrusted on them," the company said in the media release. 

READ: IHiS officer hesitated before reporting suspected breach

A Cluster Information Security Officer was also found to have misunderstood what constituted a security incident and failed to comply with IHiS’ incident reporting processes. 

IHiS said the panel took into consideration mitigating factors such as his lack of aptitude, which made him unsuitable for the role. The officer will be demoted and redeployed to another role.

THREE EMPLOYEES COMMENDED

IHiS said letters of commendation were given to three employees, who were diligent in handling the incident beyond their job scope and responsibilities. They were "proactive and demonstrated resourcefulness" in managing the cyberattack, it said. 

READ: Officer took initiative to investigate even though it was not his job

IHiS chairman Paul Chan said the cyberattack was a reminder of the need to be more vigilant and prepared for cyber threats.

"IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this," he added.

The cyberattack was Singapore’s most serious breach of public data. It saw the records of 1.5 million patients, including their names, NRIC numbers and addresses, along with other information accessed from Jun 28 to Jul 4 last year. Among the data taken were the medication records of close to 160,000 patients.

Among those affected was Prime Minister Lee Hsien Loong, with the attackers repeatedly targeting his personal particulars and information about his outpatient medications.

Seven priority and nine additional recommendations were put forward by the Committee of Inquiry (COI) investigating the SingHealth cyberattack in the public version of its report released last Thursday.

The recommendations relate to five broad areas, which range from building a culture of cybersecurity to the improvement of incident response capabilities.

READ: SingHealth COI report made public: System vulnerabilities, staff lapses, skilled hackers led to cyberattack

READ: ‘The attacker could have been stopped': SingHealth COI report

Chaired by retired chief district judge Richard Magnus, the four-member COI was tasked to establish the events and contributing factors leading to the cyberattack on SingHealth's patient database system on or around Jun 27 last year, and the subsequent “exfiltrating” of data from the network.

IHiS said that it has accelerated and implemented a suite of 18 cybersecurity measures to fortify its cybersecurity safeguards. In addition, staff engagement and training have been increased to heighten vigilance and improve staff awareness of cybersecurity. 

It added that it is studying the findings and recommendations of the COI. 

"The learnings and critical areas of improvement from the COI report necessitate a paradigm shift in how we manage cybersecurity," the company said.