In response to the general public report that was launched final week by the Committee of Inquiry (COI) for the SingHealth cyberattack which occurred in July 2018, Integrated Health Information Systems (IHiS), the Ministry of Health’s IT vendor, has introduced in an official assertion on 14 January 2019 that two staff members concerned in the incident can be terminated from employment.
In addition, a Cluster Information Security Officer can be demoted and redeployed to one other function, “a significant financial penalty would be imposed on five members of the IHiS senior management team, including the CEO, for their collective leadership responsibility” and “a moderate financial penalty would be imposed on two middle management supervisors who were supervisors of the two staff terminated.”
According to the assertion, the IHiS Board of Directors had appointed an unbiased Human Resource (HR) Panel to study the roles, duties and actions of the IHiS staff concerned, and assess the suitable HR actions to be taken. The Panel was chaired by an IHiS Board Director, and includes two different members from the general public and personal sectors, with HR and IT expertise.
The Panel has examined the roles and duties of IHiS staff concerned in the incident, and carried out interviews to perceive the details of the case and the staff’s views. It has accomplished its work and submitted its suggestions to the IHiS Board. The IHiS Board has totally accepted the Panel’s suggestions.
For the two staff members (a Team Lead in the Citrix Team and a Security Incident Response Manager) who can be terminated from employment, each have been discovered to be negligent and in non-compliance of orders, which resulted in safety implications and contributed to the unprecedented scale of the incident.
In recognition for his or her proactiveness and resourcefulness in managing the cyberattack, Letters of Commendation have been introduced to 3 IHiS staff from the Database Management Team, SCM Production Support Team, and Security Management Team respectively.
“I would like to thank the HR Panel for their comprehensive evaluation and recommendations. The cyberattack has been a reminder of our need to be ever more vigilant and prepared for new cyber threats. Patient care will continue to be our priority. IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this,” stated Mr Paul Chan, Chairman IHiS Board.