SINGAPORE - The technology agency that was pulled up for its lapses in last June's cyber attack on SingHealth has responded by firing two of its employees and slapping "significant financial penalty" on five members of its senior management team, including its chief executive.
In a statement issued on Monday (Jan 14), the Integrated Health Information Systems (IHiS), which is the central IT agency responsible for Singapore's healthcare sector, said: "IHiS takes a serious view of the incident and the need for accountability."
The cyber attack resulted in the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong, being stolen by hackers, and the lapses by IHiS were highlighted by a high-level panel that probed the incident.
IHiS said on Monday that two individuals found to be negligent in protecting SingHealth from Singapore's worst data breach will have their services terminated, while a cluster information security officer will be demoted and redeployed to another role.
The agency also said its board has imposed a financial penalty on its chief executive officer, Mr Bruce Liang.
The disciplinary action follows the release of a 453-page public report last week by the Committee of Inquiry (COI) probing the incident.
The report offered recommendations to shore up defences at organisations responsible for critical information infrastructure systems. It also provided a blow-by-blow account of the events that led to the cyber attack.
IHiS did not name the remaining four members in the senior management team that it was penalising, but said they will be disciplined for their "collective leadership responsibility".
A moderate financial penalty of an unknown amount will also be imposed on two middle management supervisors, who were supervisors of the two terminated employees. IHiS did not specify any of the financial penalties it imposed.
"The CEO and management team have acknowledged their responsibilities and accepted the penalties. They have committed to leading IHiS to improve our cyber-security defence and preparedness, and rebuild public trust in our healthcare system," IHiS said.
The cluster information security officer at IHiS who will be demoted and redeployed is Mr Wee Jia Huo.
He was found to have misunderstood what constituted a security incident and failed to comply with IHiS' incident reporting processes, said the statement.
The IHiS board considered mitigating factors such as his lack of aptitude which made him unsuitable for the role.
One of the two terminated employees was a senior manager (Infra Services-Security Management) at IHiS.
He held a mistaken understanding of what constituted a security incident, and when a security incident should be reported, according to the statement.
"His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber attack," said IHiS.
The other person who was fired was a team lead in the Citrix team, whose set-up of the servers introduced unnecessary and significant risks to the system, it added.
Three employees - including system engineer Benjamin Lee and database administrator Katherine Tan - were commended for being proactive and demonstrating resourcefulness in managing the cyber attack.
Mr Paul Chan, chairman of IHiS board said: "The cyber attack has been a reminder of our need to be ever more vigilant and prepared for new cyber threats. Patient care will continue to be our priority. IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this."
https://www.straitstimes.com/singap...enalty-on-ceo-over-lapses-in-singhealth-cyber