Two employees have been sacked and five senior management executives, including the CEO, were fined for their role in Singapore's most serious security breach, which compromised personal data of 1.5 million SingHealth patients. Further enhancements will also be made to beef up the organisation's cyber defence, so that it is in line with recommendations dished out by the committee following its review of the events leading up to the breach, according to Integrated Health Information Systems (IHIS).
The IT agency responsible for the local healthcare sector that includes SingHealth, IHIS, said a lead in its Citrix team and a security incident response manager were found to be negligent and in non-compliance of orders. This had security implications and contributed to the "unprecedented" scale of the SingHealth security breach, the agency said in a statement Monday.
IHIS noted that the Citrix team lead had the necessary technical capabilities, but his "attitude" towards security and management of the servers involved in the breach had introduced unnecessary and significant risks to the system.
In its report published last week, the review committee said the hackers had exploited a vulnerability in the network connectivity between Citrix servers located at a public general hospital and a database to make queries to the database. This connectivity had been maintained to support the use of administrative tools and custom applications, which the committee found to be unnecessary.
IHIS said the team lead could have mitigated the effects of the cyber attack if it had exercised proper compliance and management of the servers. Also, the security incident response manager failed to comprehend what constituted as a "security incident" and, as such, did not raise the alarm despite repeated alerts by his staff.
Both employees have been sacked. A cluster information security officer also will be demoted and reassigned to another role for failing to comply with IHIS' incident reporting processes. Furthermore, his lack of aptitude made him unsuitable for the role, the agency said.
Five members of the IHIS senior management team, including CEO Bruce Liang, also were slapped with "a significant financial penalty" for their "collective leadership responsibility", IHIS said, but did not reveal actual figures on what this might be.
Apart from his role as IHIS CEO, Liang is also the CIO for Singapore's Ministry of Health.
IHIS added that a "moderate financial penalty" will be imposed on two middle management supervisors who were responsible for the two employees sacked.
The IT agency also noted that it will assess recommendations made by the review committee and make "further improvements" to its cybersecurity strategy and cyber defence measures.
IHIS in November had announced plans to implement 18 measures as part of efforts to improve its ability to prevent cyberattacks as well as detect and respond to such incidents. These included deploying two-factor authentication for endpoint administrators and software installation, and establishing more stringent restrictions on administrative server access.
The review committee also finds IT staff to be lacking in cybersecurity awareness and resources and SingHealth's network misconfigured with security vulnerabilities, which helped hackers succeed in breaching its systems.
Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.
Health Ministry is piloting the use of quarantined servers as part of efforts to "reduce the number of potential attack points", following last month's security breach that compromised the personal data of 1.5 million patients.
Monetary Authority of Singapore instructs financial institutions to tighten their customer verification processes following SingHealth's security breach, which compromised personal data of 1.5 million people.
Singapore healthcare group says it has sent out SMS messages to more than 700.000 patients impacted by the security breach, while warning of fake ones alleging patients' financial data had been leaked.