IHiS sacks two employees and imposes financial penalties on five senior management staff in response to COI report
In response to the public report that was released last week by the Committee of Inquiry (COI) for the SingHealth cyberattack which occurred in July 2018, Integrated Health Information Systems (IHiS), the Ministry of Health’s IT vendor, has announced in an official statement on 14 January 2019 that two staff members involved in the incident would be terminated from employment.
In addition, a Cluster Information Security Officer would be demoted and redeployed to another role, “a significant financial penalty would be imposed on five members of the IHiS senior management team, including the CEO, for their collective leadership responsibility” and “a moderate financial penalty would be imposed on two middle management supervisors who were supervisors of the two staff terminated.”
According to the statement, the IHiS Board of Directors had appointed an independent Human Resource (HR) Panel to examine the roles, responsibilities and actions of the IHiS staff involved, and assess the appropriate HR actions to be taken. The Panel was chaired by an IHiS Board Director, and comprises two other members from the public and private sectors, with HR and IT experience.
The Panel has examined the roles and responsibilities of IHiS staff involved in the incident, and conducted interviews to understand the facts of the case and the staff's perspectives. It has completed its work and submitted its recommendations to the IHiS Board. The IHiS Board has fully accepted the Panel's recommendations.
For the two staff members (a Team Lead in the Citrix Team and a Security Incident Response Manager) who would be terminated from employment, both were found to be negligent and in non-compliance of orders, which resulted in security implications and contributed to the unprecedented scale of the incident.
In recognition for their proactiveness and resourcefulness in managing the cyberattack, Letters of Commendation have been presented to 3 IHiS staff from the Database Management Team, SCM Production Support Team, and Security Management Team respectively.
"I would like to thank the HR Panel for their comprehensive evaluation and recommendations. The cyberattack has been a reminder of our need to be ever more vigilant and prepared for new cyber threats. Patient care will continue to be our priority. IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this," said Mr Paul Chan, Chairman IHiS Board.