14-Jan-2019 IHiS Committed to Improving Cyber Defence in Healthcare

14 January 2019 - The Integrated Health Information Systems (IHiS) is committed to improving cyber defence in public healthcare.

2. The Committee of Inquiry (COI) proceedings into the SingHealth cyberattack have highlighted important learnings about the threat actors in the evolving cybersecurity landscape, as well as many critical areas of improvement for IHiS. We are determined to strengthen our organisational structure and processes, increase oversight on compliance, and close the gap between policy and practice.

3. To fortify cybersecurity safeguards, IHiS has accelerated a suite of 18 cybersecurity measures which are being progressively implemented. In addition, staff engagement and training have been increased to heighten vigilance and improve staff awareness on cybersecurity.

4. IHiS is also carefully studying the findings and recommendations from the COI. The learnings and critical areas of improvement from the COI report necessitate a paradigm shift in how we manage cybersecurity. Further improvements are being made to redefine our cybersecurity strategy and make our cyber defence safeguards more robust.

Ensuring Accountability

5. IHiS takes a serious view of the incident and the need for accountability. The IHiS Board of Directors had appointed an independent Human Resource (HR) Panel to examine the roles, responsibilities and actions of the IHiS staff involved, and assess the appropriate HR actions to be taken. The Panel was chaired by an IHiS Board Director, and comprises two other members from the public and private sectors, with HR and IT experience.

6. The Panel has examined the roles and responsibilities of IHiS staff involved in the incident, and conducted interviews to understand the facts of the case and the staff's perspectives. It has completed its work and submitted its recommendations to the IHiS Board.
The IHiS Board has fully accepted the Panel's recommendations.

7. In recommending the HR actions to be taken, the Panel noted the sophistication and skill of the cyber-attacker. Notwithstanding the nature of the attack, there were factors within IHiS which were exploited by the attacker in the incident. A number of individuals within the IHiS organisation were in a position to mitigate or avert the extent of the attack, but had failed to adequately discharge their responsibilities.

Termination of Employment

8. Two individuals – a Team Lead in the Citrix Team and a Security Incident Response Manager – were found to be negligent and in non-compliance of orders, which resulted in security implications and contributed to the unprecedented scale of the incident.

9. While the Citrix Team Lead had the necessary technical competencies, his attitude towards security and his setup of the servers introduced unnecessary and significant risks to the system. He could have mitigated the effects of the attack if he had exercised proper compliance and management of the servers.

10. The Security Incident Response Manager had persistently held a mistaken understanding of what constituted a 'security incident', and when a security incident should be reported. His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber-attack.

11. Whilst there was no intent to cause or facilitate the cyberattack, both of them had failed to discharge the responsibilities entrusted to them. They will be terminated from IHiS employment.

Demotion and Re-assignment

12. A Cluster Information Security Officer was found to have misunderstood what constituted a 'security incident' and failed to comply with IHiS' incident reporting processes. The Panel took into consideration mitigating factors such as his lack of aptitude which made him unsuitable for the role.
The Cluster Information Security Officer will be demoted and re-deployed to another role.

Financial Penalties

13. A significant financial penalty will be imposed on 5 members of the IHiS senior management team, including the CEO, for their collective leadership responsibility.

14. A moderate financial penalty will be imposed on 2 middle management supervisors who were supervisors of the two staff terminated.

15. The CEO and management team have acknowledged their responsibilities and accepted the penalties. They have committed to leading IHiS to improve our cyber security defence and preparedness, and rebuild public trust in our healthcare system.

Commendation

16. Several IHiS staff acted with diligence in handling the incident beyond their job scope and responsibilities. They were proactive and demonstrated resourcefulness in managing the cyberattack.

17. Letters of Commendation have been presented to 3 IHiS staff from the Database Management Team, SCM Production Support Team, and Security Management Team respectively.

18. Mr Paul Chan, Chairman IHiS Board said: "I would like to thank the HR Panel for their comprehensive evaluation and recommendations. The cyberattack has been a reminder of our need to be ever more vigilant and prepared for new cyber threats. Patient care will continue to be our priority. IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this."

Announced on 1 November 2018.