2 IHiS staff sacked, CEO among those fined for role in SingHealth cyber attack
SINGAPORE — Two employees from the Integrated Health Information Systems (IHiS) were sacked on Monday (Jan 14) while seven other staff members, including chief executive officer Bruce Liang, will be fined for their roles in the SingHealth cyber attack last year.
A 10th employee, who misunderstood what constituted a security incident and failed to comply with IHiS’ incident reporting processes, will be demoted and redeployed, the organisation said in a statement on Monday. He is understood to be the cluster information security officer, Mr Wee Jia Huo.
IHiS, the IT arm of the Ministry of Health, stated the designations of those punished but did not mention their names in its press release.
The two who have been sacked are understood to be Mr Lum Yuan Woh, the leader of the Citrix team, and Mr Ernest Tan Choon Kiat, the security incident response manager.
IHiS said that the two individuals' negligence and non-compliance with orders contributed to the large scale of the SingHealth cyber attack, which took place between June 27 and July 4 last year. Sophisticated hackers stole the personal data of 1.5 million patients with the public healthcare group, as well as the outpatient medication data of 160,000 of these patients, including Prime Minister Lee Hsien Loong.
IHiS’ announcement of these disciplinary actions came after portions of a 450-page report were made public last week by the Committee of Inquiry investigating the cyber attack. The full report, detailing the attacker's identity and modus operandi, was submitted to Communications and Information Minister S Iswaran on Dec 31 last year.
The disciplinary actions were recommended by an independent human resource panel set up to examine the roles, responsibilities and actions of the IHiS employees involved.
The panel also assessed the appropriate human resource actions to be taken and its recommendations were accepted by the IHiS board. The panel was chaired by an IHiS board director and included two other members from the public and private sectors who have human resource and IT experience.
IHiS also said that it gave out letters of commendation to three staff members who were “proactive and demonstrated resourcefulness” in managing the cyber attack. They are from its database management team, its Sunrise Clinical Manager production support team and its security management team.
SACKED
- IHiS’ Citrix team lead Lum Yuan Woh and the security incident response manager Ernest Tan Choon Kiat were fired.
- IHiS said that their negligence and non-compliance with orders resulted in “security implications and contributed to the unprecedented scale” of the cyber attack.
- While the duo had no intent to “cause or facilitate” the cyber attack, both of them had failed to discharge their responsibilities. “While the Citrix team lead had the necessary technical competencies, his attitude towards security and his setup of the servers introduced unnecessary and significant risks to the system. He could have mitigated the effects of the attack if he had exercised proper compliance and management of the servers,” IHiS said.
- The security incident response manager “persistently held a mistaken understanding of what constituted a security incident, and when a security incident should be reported. His passiveness even after repeated alerts by his co-workers resulted in missed opportunities which could have mitigated or averted the effect of the cyber-attack”, IHiS said.
RE-DEPLOYED
- In demoting and redeploying cluster information security officer Wee Jia Huo to another role, IHiS said that the independent panel took into consideration mitigating factors such as his lack of aptitude, which made Mr Wee unsuitable for the role.
FINED
- A “significant financial penalty” will be imposed on five members of the IHiS senior management team, including its chief executive officer Bruce Liang, “for their collective leadership responsibility”.
- Two middle management supervisors who had supervised Mr Lum and Mr Tan will be given “moderate” financial penalties. IHiS did not disclose the amounts of the fines.
OTHER MEASURES
- IHiS has introduced several technical measures to heighten cyber security, it said.
- In November, it put in place 18 cyber-security measures, which include setting up two-factor authentication for all administrators who manage endpoint devices such as workstations and laptops across all public hospitals, to thwart sophisticated hackers.
- Employee engagement and training have been increased to heighten vigilance and improve staff awareness of cyber security.
- IHiS is also carefully studying the findings and recommendations of the four-member Committee of Inquiry.
- “The learnings and critical areas of improvement from the COI report necessitate a paradigm shift in how we manage cyber security. Further improvements are being made to redefine our cyber-security strategy and make our cyber defence safeguards more robust,” it said.