The Singaporean government-owned biz responsible for that country's patient database has fined senior executives, including the CEO, and dismissed two managers, after blunders allowed hackers to siphon off private records.
The punishments were meted out by Integrated Health Information Systems (IHiS), which runs a patient record database for Singapore healthcare organization SingHealth, a database system that was hacked in 2018. Miscreants gained access to the network, and stole 1.5 million citizens' health records, including those of prime minister Lee Hsien Loong, who is presumed to be the ultimate target of the attack.
The debacle was probed by a committee of inquiry, which revealed last week that, among other blunders, IHiS had left Citrix systems needlessly exposed to the internet, and that admin accounts lacked two-factor authentication protection.
IHiS yesterday announced it had dismissed two managers over the incident: a Citrix team lead, and a security incident response manager. The company's announcement said the two “were found to be negligent and in non-compliance of orders.”
The announcement said the Citrix team lead's “attitude towards security … introduced unnecessary and significant risks” which should have been mitigated.
IHiS is even harsher towards the security incident response manager, saying he “persistently held a mistaken understanding of what constituted a 'security incident,' and when a security incident should be reported.”
The statement continued: “His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber-attack.”
A third individual, holding the title “cluster information security officer,” was found to be “unsuitable for the role” and has been demoted and re-assigned.
Five executives were sanctioned over the hack, including CEO Bruce Liang who is also the CIO of Singapore's Ministry of Health, with what IHiS called “significant” financial penalties, while the middle managers who supervised the pair that were sacked will pay “a moderate financial penalty.”
The statement reiterated IHiS's November commitment to 18 security measures which should better protect its systems, and said staff training will be increased to improve vigilance, and make defences more robust.
Three staff – one from database management, one from the software configuration management team, and one security management staffer – not only escaped criticism, but were given letters of commendation for “diligence in handling the incident beyond their job scope and responsibilities.”