IT agency involved in SingHealth cyber attack fires 2 staff, fines CEO & 4 members of senior management

A third employee didn't seem able to recognise what a 'security incident' was, and persistently failed to report them.

Joshua Lee | January 14, 2019, 11:33 PM

Days after the Committee of Inquiry (COI) for the July 2018 SingHealth cyber attack released its findings in a 400-page report, the Integrated Health Information Systems (IHiS) announced that two of their employees will be fired for failing to mitigate the effects of the attack.

This was after IHiS engaged an independent human resource panel to assess the actions of the IHiS staff involved in the incident.

Dismissed staff introduced "significant" risk to system; "persistently" passive

According to a statement posted on IHiS's website, the two individuals are a Team Lead in the Citrix Team, and a Security Incident Response Manager. Both were found to be negligent in their duties and had failed to follow orders.

IHiS admitted that the Citrix Team Lead had the necessary technical competencies but failed to mitigate the effects of the cyber attack because he did not "exercise proper compliance and management of the servers". In its statement, it said the team lead had set up the servers in a manner that introduced "unnecessary and significant" risks to the system.

Meanwhile, IHiS said the Security Incident Response Manager had "persistently held a mistaken understanding" of what constituted a security incident and when one should be reported.

"His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber-attack."

A third employee, identified as a Cluster Information Security Officer, didn't seem to know what a security incident was, and failed to follow incident reporting processes.

However, in the course of its investigation, IHiS established he simply wasn't good enough at the role he occupied, and so he will be demoted and reassigned instead.

CEO & senior management fined

IHiS also imposed a "moderate financial penalty" on the supervisors of the Citrix Team Lead and the Security Incident Response Manager.

Five members of the senior management team, including its CEO, Bruce Liang, were hit with a "significant financial penalty", in recognition of their collective leadership responsibility.


It isn't all bad news though.

IHiS commended three staff from the Database Management Team, SCM Production Support Team, and the Security Management Team for their diligence and proactiveness in handling the cyber attack beyond their job scope and responsibilities.

These three employees were handed letters of commendation.

You can read IHiS's full statement here.
