Singapore’s Personal Data Protection Commission (PDPC) has fined both the Integrated Health Information Systems (IHiS) and SingHealth for breaching their data protection obligations under the Personal Data Protection Act (PDPA) in connection with the SingHealth data breach.
In a statement, the PDPC said it had fined IHiS, the company responsible for Singapore’s public healthcare IT, S$750,000, while SingHealth was fined S$250,000.
“PDPC’s investigations into the data breach arising from a cyber attack on SingHealth’s patient database system found that IHiS had failed to take adequate security measures to protect the personal data in its possession,” said the statement.
“PDPC found that the SingHealth personnel handling security incidents was unfamiliar with the incident response process, overly dependent on IHiS, and failed to understand and take further steps to understand the significance of the information provided by IHiS after it was surfaced.
“Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers.”
According to the statement, the financial penalties are the highest the PDPC has ever imposed, and both organisations are expected to pay their fines within 30 days.
“In addition, the penalties took into account the fact that IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial actions,” the statement added.
“PDPC also recognised that both organisations were victims of a skilled and sophisticated threat actor bearing the characteristics of an advanced persistent threat group, using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months.”
The fines follow the conclusion of the Committee of Inquiry report into the SingHealth cyber attack, which set out in detail what happened and made recommendations to strengthen future cyber defence.
“We are determined to strengthen our organisational structure and processes, increase oversight on compliance, and close the gap between policy and practice,” said IHiS in a statement. “To fortify cyber security safeguards, IHiS has accelerated a suite of 18 cyber security measures which are being progressively implemented.
“In addition, staff engagement and training have been increased to heighten vigilance and improve staff awareness on cyber security.”
As a result of the findings, an independent human resource panel was appointed to examine the roles, responsibilities and actions of the IHiS staff involved, and to assess the appropriate action to be taken in regard to them.
Although the panel’s recommendations noted the sophistication and skill of the cyber attacker, action was taken against a number of staff who had been in a position to mitigate or avert the extent of the attack but had failed to adequately discharge their responsibilities.
Consequently, two individuals had their employment with IHiS terminated: a team lead in the Citrix Team and a security incident response manager.
According to a statement by IHiS, neither had any intent to cause or facilitate the cyber attack, but both had failed to discharge the responsibilities entrusted to them.
They were found to be negligent and in non-compliance with orders, which resulted in security implications and contributed to the unprecedented scale of the incident.
A further information security officer was also found to have misunderstood what constituted a 'security incident' and failed to comply with IHiS' incident reporting processes.
As a result, the officer was demoted and redeployed to another role, taking into account mitigating factors, such as his lack of aptitude, which made him unsuitable for the role.
Furthermore, financial penalties were imposed on five members of the IHiS senior management team, including the CEO, for their collective leadership responsibility.
A moderate financial penalty will also be imposed on the two middle-management supervisors of the two terminated staff.
“The CEO and management team have acknowledged their responsibilities and accepted the penalties,” read a statement. “They have committed to leading IHiS to improve our cyber security defence and preparedness, and rebuild public trust in our healthcare system.”
At the same time, several IHiS staff were commended for acting beyond their job scope and responsibilities to mitigate the impact of the attack.
“I would like to thank the HR Panel for their comprehensive evaluation and recommendations,” said Paul Chan, chairman of the board at IHiS. “The cyber attack has been a reminder of our need to be ever more vigilant and prepared for new cyber threats.
“Patient care will continue to be our priority. IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this.”