Staff Disciplined in Wake of SingHealth Breach
Two Organizations Also Fined by Singapore Government
(This story has been updated with information about regulators fining two organizations).
The organization that manages IT, including cybersecurity, for Singapore's public healthcare sector says it has terminated, demoted or financially penalized several employees for their roles in the handling of a 2017 cyberattack on SingHealth, the island nation's largest healthcare group. The breach affected 1.5 million individuals.
The actions by Integrated Health Information Systems Pte. Ltd., or IHiS, come in the wake of a report issued last week by a Committee of Inquiry, a government-appointed group designated to examine the breach at SingHealth (see: Lessons From Report on Massive Singapore Healthcare Hack).
IHiS is the Singapore Ministry of Health's division responsible for administering and operating SingHealth's Sunrise Clinical Manager, or SCM, database, which contains patients' electronic health records. U.S.-based Allscripts sells the Sunrise system.
The disciplinary measures that IHiS is taking with its employees in the aftermath of the SingHealth cyberattack differ from the approach often taken in the U.S. healthcare sector, some security experts say.
"Based on my experience in healthcare in this country, it runs counter to the approach we typically take [in the U.S.]," says former healthcare CIO David Finn, executive vice president at security consultancy CynergisTek. The U.S. approach, he says, "is completely aligned with building a culture of security. The trick is to focus on getting the problem fixed so it doesn't happen again, not blaming and punishing people."
But other observers argue that if IHiS failed to impose some kind of sanctions on employees who knowingly violated policy and procedures, that would send the wrong message to its workforce.
In addition to IHiS sanctioning certain employees in the wake of the SingHealth cyberattack, regulators in Singapore on Tuesday announced they were imposing financial penalties against both IHiS and SingHealth for "breaching their data protection obligations" under the nation's Personal Data Protection Act.
The combined 1 million Singapore dollars ($738,000) fine imposed by Singapore's Personal Data Protection Commission is the highest it has ever levied, the agency said in a statement.
PDPC's investigations into the data breach arising from the cyberattack on SingHealth's patient database system found that IHiS had failed to take adequate security measures to protect the personal data in its possession. For this, PDPC has imposed a financial penalty of S$750,000 ($554,000) on IHiS.
In addition, a financial penalty of S$250,000 ($184,000) has also been imposed on SingHealth as the owner of the patient database system.
IHiS' responsibilities include cybersecurity, security incident response and reporting. Key findings of the committee report on the SingHealth cyberattack included criticism of how certain IHiS employees and leaders handled the cyberattack, including:
- Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack.
- IHiS staff did not have adequate levels of cybersecurity awareness, training and resources to appreciate the security implications of their findings and to respond effectively to the attack.
The report also found that a number of vulnerabilities, weaknesses and misconfigurations in the SingHealth network and SCM system - many of which could have been remedied before the attack - contributed to the attacker's success in obtaining and exfiltrating the data.
The committee report also laid out more than a dozen recommendations for IHiS addressing the security weaknesses and other issues that contributed to the cyberattack. The top recommendations include adopting an enhanced security structure and readiness; improving staff awareness on cybersecurity to enhance capacity to prevent, detect and respond to security incidents; and enhancing security checks on critical information infrastructure systems.
In a Jan. 14 statement, IHiS says it formed an independent human resources panel to examine the roles, responsibilities and actions of the IHiS staff involved with the incident and assess the appropriate HR actions to be taken. As a result, IHiS decided to:
- Terminate two individuals, including a team lead in the Citrix team and a security incident response manager, who were found to be negligent and not in compliance with orders, which contributed to the scale of the incident;
- Demote and redeploy to another role an information security officer who was found to have misunderstood what constituted a "security incident" and failed to comply with IHiS' incident reporting processes;
- Impose financial penalties, which were not disclosed, on seven managers; that includes a "significant" penalty on five members of the IHiS senior management team, including the CEO, for their collective leadership responsibility, and a "moderate" penalty on two middle-management supervisors who were supervisors of the two staff members terminated;
- Recognize three IHiS staff members with "letters of commendation" because they "acted with diligence in handling the incident beyond their job scope and responsibilities."
How U.S. Approach Differs
In the U.S., most healthcare organizations take an approach that promotes system improvements over individual punishment after a security incident, Finn contends. This approach holds organizations accountable for the systems they design and for how they respond to staff behaviors fairly and justly, he says.
"This is really an approach that holds individuals accountable for their actions but fixes problems by addressing the bigger issues around people, processes and technology rather than simply punishing a few carefully chosen individuals - who may be scapegoats or who may be ultimately responsible for the problem," he says.
While managing people and individual accountability is very important in business, particularly around critical functions, including security, it's imperative to balance carrots with sticks, Finn contends.
"Fining individual managers and demoting employees doesn't really build a supportive, collaborative culture," he argues. "It may, in fact, lead to more of the behavior that they are trying to overcome - hiding information, not escalating bad news and keeping potential problems from non-IT executives who must be involved in decision making."
Keith Fricke, principal consultant at tw-Security, points out: "Some corporate cultures focus on the issues and what to fix, while others look for someone to blame."
Addressing breach issues requires an appropriate mix of addressing the root causes and holding people accountable, he contends. "Responsibilities for the root causes of a breach may lie in different areas depending on circumstances. For example, it is one thing if an organization provides training for IT workers to understand and implement security processes and tools and these workers fail to apply that knowledge," he says. "It is another thing if the IT workers have requested training or bringing in third parties to help them and the organization denied funding, leaving the workers to do their best with what they have."
Who should be held accountable depends on the situation, Fricke argues. "Another key concept is that someone with technical competence does not automatically ... have incident response competence."
Other U.S. security experts, however, argue that IHiS is taking an appropriate approach by imposing sanctions on some employees.
"As suggested in the report, it might seem harsh given the sophistication of the attack. Nevertheless it appears that the sanctioned individuals had the responsibility, resources and ability to follow internal policies and procedures yet chose not to," says Jon Moore, chief risk officer at security and privacy consultancy Clearwater Compliance.
"Failing to implement some sort of sanction for knowingly violating policy and procedures would send the wrong message if, as one would believe, the intent is to increase the discipline with which the organization operates its cybersecurity program."
Moore says IHiS taking the initiative to commend staff members who excelled in their actions following the cyberattack also is a good move.
"It's as important, if not more important, to incentivize the behavior that we want, as it is to punish the behavior that we do not want," he says. "To the extent that these folks went above and beyond their responsibilities to minimize the impact of this attack, it should be recognized and rewarded."
To fortify cybersecurity safeguards, IHiS says it has accelerated implementation of 18 cybersecurity measures and is bolstering "staff engagement and training" to improve workforce awareness on cybersecurity.
Among those measures are steps to address advanced persistent threats, including detecting indicators of compromise, recording and monitoring endpoint system-level behaviors and events, detecting advanced malware and removing the threats. Two-factor authentication is also being implemented for endpoint local administrators who manage end-user devices and installation of software, IHiS said in a statement issued in November.
IHiS also says it's studying the findings and recommendations in the committee report. "Further improvements are being made to redefine our cybersecurity strategy and make our cyber defense safeguards more robust," it says.
IHiS did not immediately respond to an Information Security Media Group request for additional information, including details about the "significant" and "moderate" financial penalties being levied.