Employees sacked, CEO fined in SingHealth security breach
Two employees have been sacked and five senior management executives, including the CEO, fined for their role in Singapore’s most serious security breach, which compromised personal data of 1.5 million SingHealth patients. Further enhancements also will be made to beef up the organisation’s cyber defence, in line with recommendations dished out by the committee that reviewed the events leading up to the breach, according to Integrated Health Information Systems (IHIS).
The IT agency responsible for the local healthcare sector including SingHealth. IHIS said a lead in its Citrix team and a security incident response manager were found to be negligent and in non-compliance of orders. This had security implications and contributed to the “unprecedented” scale of the SingHealth security breach, the agency said in a statement Monday.
IHIS noted that the Citrix team lead had the necessary technical capabilities, but his “attitude” towards security and management of the servers involved in the breach had introduced unnecessary and significant risks to the system.
In its report published last week, the review committee said the hackers had exploited a vulnerability in the network connectivity between Citrix servers located at a public general hospital and a database, to make queries to the database. This connectivity had been maintained to support the use of administrative tools and custom applications, which the committee found to be unnecessary.
IHIS said the team lead could have mitigated the effects of the cyberattack if he had exercised proper compliance and management of the servers. Also, the security incident response manager failed to comprehend what constituted as a “security incident” and, as such, did not raise the alarm despite repeated alerts by his staff.
Both employees had been sacked. A cluster information security officer also will be demoted and reassigned another role for failing to comply with IHIS’ incident reporting processes. Furthermore, his lack of aptitude made him unsuitable for the role, the agency said.
Five members of the IHIS senior management team, including CEO Bruce Liang, also were slapped with “a significant financial penalty” for their “collective leadership responsibility”, IHIS said, but did not reveal actual figures on what this might be.
Apart from his role as IHIS CEO, Liang also is CIO for Singapore’s Ministry of Health.
IHIS added that a “moderate financial penalty” would be imposed on two middle management supervisors who were responsible for the two employees sacked.
The IT agency also noted that it would assess recommendations made by the review committee and make “further improvements” to is cybersecurity strategy and cyber defense measures.
IHIS in November had announced plans to implement 18 measures as part of efforts to improve its ability to prevent cyberattacks as well as detect and respond to such incidents. These included deploying two-factor authentication for endpoint administrators and software installation and establishing more stringent restrictions on administrative server access.