SingHealth cyber-attack inquiry: A hard HR lesson

Details emerging from Singapore’s worst data breach suggest a deeper issue of staff disengagement

Disengaged employees can showcase several symptoms that suggest they have “checked out” of their work. It could be caused by a multitude of personal as well as professional issues and can be hard to pin down, especially in a large organisation.

A formal investigation of Singapore’s worst cyber attack suggests that besides a lack of a more secure system, there was also the worrying issue of a disengaged key staffer which led to a communication breakdown.

In July this year, hackers stole the personal information of over 1.5 million SingHealth patients, including Prime Minister Lee Hsien Loong and other ministers.

A Committee of Inquiry was launched on 28 August to investigate the attack.

The latest revelation involves a key staffer saying he ignored suspicious cyber activities as it would simply lead to more work and pressure from his bosses.

He claimed that his team would have “no day and no night” once news of the breach was out.

Ernest Tan, senior manager at IHiS’s security management department, decided to ignore warning signs after a junior executive alerted the team in an internal chat group. IHiS, or Integrated Health Systems, is the government’s info-technology arm, which supports hospitals and healthcare institutions under SingHealth.

After the junior engineer made the discovery, he attempted to contain the attack and told the team that they “really need to escalate into incident”.

Two days later, Tan decided against reporting the incident to higher management and told his subordinate that once they escalated the issue, “there will be no day and no night” for the team and everyone would be “working non-stop” on the case.

His decision then led to a bottleneck in the reporting of a breach and inaction by management. This ultimately resulted in the compromise of patients’ personal data.

“What do I get?”

At a hearing by the COI, Tan was asked to explain why he decided against reporting the incident. He told the committee that he had thought to himself, “If I report the matter, what do I get?”

“If I report the matter, I will simply get more people chasing me for more updates,” he said.

It was heard that Tan is the designated response manager for all security incidents involving SingHealth. Besides an attempt to avoid additional work pressures, he added that even if a cyber security incident had occurred, he thought it wouldn’t be his job to raise the alarm.

He explained that he believed it was the responsibility of other personnel from IHiS’ senior management to escalate such attacks.

However, he only met with senior management on 9 July, a day before the attack was confirmed and reported to the Cyber Security Agency of Singapore. Tan had declined to meet the exec on 7 July as he was “too stressed to work that weekend”, explaining that his mother was hospitalised.

According to Today, Benedict Tan, SingHealth’s group chief information officer, said the senior manager’s concern about excessive work pressure was “not acceptable” as a reason to allow the bottleneck.

“Management would (provide) additional resources to assist in the response and management (of the security incident),” CIO Tan said. “I do not think that people will have to go about it alone.”