This must be some kind of mistake. IT managers axed, CEO and others' wallets lightened in patient hack aftermath

The Singaporean government-owned biz responsible for that country's patient database has fined senior executives, including the CEO, and dismissed two managers, after blunders allowed hackers to siphon off private records. The punishments were meted out by Integrated Health Information Systems (IHiS), which runs a patient …

  1. Anonymous Coward

    Seems legit

    Looks like a well thought out "appropriate punishment and rewards" approach.

    The western world would do well to use this approach for similar incidents.

    1. Andrew Commons

      Re: Seems legit

      Indeed, and the western world should probably follow Singapore in removing Internet access from most public service accounts. They committed to this in mid 2016. See this commentary related to this incident:

      https://www.gov.sg/news/content/internet-separation-could-and-should-have-been-implemented-in-public-healthcare-system

    2. Doctor Syntax Silver badge

      Re: Seems legit

      "The western world would do well to use this approach for similar incidents."

      It might have as much to do with who was affected as with local culture.

      1. Pascal

        Re: It might have as much to do with who was affected as with local culture.

        Indeed. The prime minister was affected, so heads had to roll.

    3. Waseem Alkurdi

      Re: Seems legit

      Cutting off Internet access is all benefits, as I see it.

      1. Less employee time wasted (supposedly)

      2. Saves $$$ on Internet access costs

      3. More secure (as the incident here shows).

      I really, really don't understand why it isn't standard practice. Can anybody give pointers?

      1. John Mangan

        Re: Seems legit

        Getting sh*t done?

        1. Waseem Alkurdi

          Re: Seems legit

          If sh*t means Facebook/$ANTISOCIAL_NETWORK/eBay/Amazon/Reddit/... then no, shit won't ever get done.

          Instead of using a heavyweight web filter to block websites (nearly every one I had seen could be bypassed using an obscure proxy "as opposed to a popular one"), Internet access could be completely cut off from lusers' desktops. Updates are network-distributable.

      2. Marcelo Rodrigues

        Re: Seems legit

        "2. Saves $$$ on Internet access costs

        3. More secure (as the incident here shows).

        I really, really don't understand why it isn't standard practice. Can anybody give pointers?"

        Because point #2 is false. It is much cheaper to use internet/vpn than to build a national private network.

        No arguments about security - but costs are the main reason.

        1. sebbb

          Re: Seems legit

          And to answer with a practical example, have a look at the costs of the BT-run N3 national private network for the NHS.

          1. Waseem Alkurdi

            Re: Seems legit

            I'd give you that if we're talking about a public service. How about in a business scenario where there isn't a real need for nation-wide access?

            Any business where everything is done inside the office needs no Internet access nor a private network of this kind.

          2. Waseem Alkurdi

            Re: Seems legit

            And for somebody who isn't British, what is this N3 anyhow?

            From what I read, it's a WAN/broadband. What's fancy about it, and why does it require much $$$ to run?

            1. Peter2 Silver badge

              Re: Seems legit

              Most British people (even in IT) wouldn't know what the N3 is either.

              Simplistically*, it's the NHS National Network. The connections don't connect to the internet directly, but to the NHS national VPN. Thus, connections between two NHS sites are secured by the national level VPN, even if they aren't secured directly at the sites.

              There is (obviously) a connection to the internet via N3, however it's secured against the internet being able to directly access things on the N3.

              It's expensive because the NHS is the world's 5th largest organisation by number of staff, beaten only by the US & Chinese armies, McDonald's and the Walmart group. Out of those, only the US military has a secured physical network along the lines of the NHS, and their network would crash and burn under the traffic loads on the NHS network.

              *Please note the setup has been simplified for clarity to the point its accuracy could be challenged by a pedant suffering from OCD.

        2. Peter2 Silver badge

          Re: Seems legit

          I read that as in "why does an end user need full unfettered internet access"?

          To which the answer is "they don't".

          From there the question is how much restriction you do. Pretty much every firm in existence is running a small blacklist of sites end users shouldn't be accessing (e.g. porn sites, etc.). Some other firms have a larger blacklist also containing sites that aren't work related but that people spend time on during working hours.

          I don't think many firms identify specifically which websites employees need to do their jobs and block everything but those sites on the employers network though, if that was what you meant.

          1. Flywheel

            Re: Seems legit

            running a small blacklist of sites end users shouldn't be accessing

            You'd think in the NHS's case that should be a whitelist instead - if the Internet's being used for transmission of patient info and the like, there's no need to be accessing Faceborg etc.

          2. Stevie

            Re: Seems legit

            " Pretty much every firm in existence is running a small blacklist of sites end users shouldn't be accessing."

            Mine has blocked IBM and Oracle's main libraries of downloadable manuals. This pretty much encompasses all the products we use and support.

            Which is why I have my own internet hotspot and laptop on my desk.

            I reckon that qualifies as shooting oneself in both feet myself, but no doubt I have missed the point.

            1. aks

              Re: Seems legit

              But I assume you are prevented from joining your private equipment to the network.

              That is equivalent to bringing your own books to work.

              I also assume you are prevented from joining memory sticks to your office equipment. Remember the days when floppy disks were the way in for malware?

              1. Stevie

                Re: Seems legit 4 aks

                Ass. 1: correct.

                Ass. 2: Nope.

                Both feet still shredded in my view.

            2. Waseem Alkurdi

              Re: Seems legit

              Mine has blocked IBM and Oracle's main libraries of downloadable manuals. This pretty much encompasses all the products we use and support.

              Aren't these supposed to be put on an exclusion list from any filter? Why do you have to *pay* for doing work?

              1. Stevie

                Re: Seems legit 4 Waseem Alkurdi

                Why do you have to *pay* for doing work?

                It is the way of things.

          3. Andrew Commons

            Re: Seems legit

            @Peter2

            As far as I understand it they segment the network so that if Internet access is required for work purposes then you (the employee) have Internet access. If Internet access is not required for work purposes then no access. This includes email. Devices with Internet access do not have access to the protected segment.

            There are many roles that do not require Internet access in an organisation. Technical roles are often considered an exception but there are ways that this can be minimised.

      3. Locky

        Re: Seems legit

        @Waseem Alkurdi

        I refer my learned colleague to the self preservation of the Executive Committee

        1. Waseem Alkurdi
          Pint

          Re: Seems legit

          Also self-preservation of one's own job. Isn't that why we get them a dedicated fiber optic connection?

      4. sanmigueelbeer

        Re: Seems legit

        Cutting off Internet access is all benefits

        I worked in a place that had this policy in place. It was a fun place (sarcasm intended).

        Staff wanted internet access, and because upper management refused, each business unit had a DSL installed. Nearly every business unit had a DSL modem, with WiFi turned on (and with default username/password). Staff reasoned that the DSL lines were "operational necessity".

        But here's the kicker: Some enterprising fellow then CONNECTED the said DSL modems to the corporate LAN.

        When we tried to shut down the port, we were told (angrily) to turn it back on because it was "operational necessity".

        Fun times that was. I didn't last long. I left a few months later.

        Recently, we had a client who had Corporate and Guest SSID (open authentication) enabled. The client kept asking "why are staff using the Guest SSID". Same thing as above. Corporate SSID had internet restrictions while Guest SSID wasn't. So guess what the staff preferred to use?
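The rogue DSL modems bridged onto the corporate LAN in the post above are the kind of thing a segment's own DHCP traffic gives away: a device that was never in the inventory starts answering clients and handing out its own default gateway. What follows is an added example, not code from the thread or from any product, of a small audit over captured DHCP messages. The line format, the addresses, the MACs and the approved-device inventory are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample lines in the style of a passive DHCP listener on the
# corporate LAN. The format is hypothetical (not any real tool's output);
# the addresses and MACs are made up for this example.
SAMPLE_LOG = """\
2019-01-15T09:12:03 DHCPOFFER server=10.0.0.1 server_mac=00:11:22:33:44:55 client=aa:bb:cc:dd:ee:01 offered=10.0.0.57 router=10.0.0.1
2019-01-15T09:12:04 DHCPOFFER server=192.168.1.1 server_mac=f0:f1:f2:00:00:01 client=aa:bb:cc:dd:ee:01 offered=192.168.1.101 router=192.168.1.1
2019-01-15T09:13:10 DHCPOFFER server=10.0.0.1 server_mac=de:ad:be:ef:00:01 client=aa:bb:cc:dd:ee:02 offered=10.0.0.58 router=10.0.0.254
2019-01-15T09:13:11 DHCPACK server=10.0.0.1 server_mac=00:11:22:33:44:55 client=aa:bb:cc:dd:ee:02 offered=10.0.0.58 router=10.0.0.1
this line is deliberately malformed and must be skipped
"""

# Inventory of the only DHCP server and default gateway that are supposed to
# exist on this segment (assumed values for the example).
APPROVED_SERVERS: Dict[str, str] = {"10.0.0.1": "00:11:22:33:44:55"}  # IP -> MAC
APPROVED_ROUTERS: Set[str] = {"10.0.0.1"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<msg>DHCPOFFER|DHCPACK) server=(?P<server>\S+) "
    r"server_mac=(?P<server_mac>\S+) client=(?P<client>\S+) "
    r"offered=(?P<offered>\S+) router=(?P<router>\S+)$"
)


@dataclass
class Finding:
    ts: str
    client: str
    server: str
    reasons: List[str] = field(default_factory=list)


def audit_dhcp_log(text: str) -> List[Finding]:
    """Return one Finding per DHCP message that came from an unapproved server,
    from an approved IP but the wrong MAC (someone borrowing the address), or
    that hands out an unapproved default gateway."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # tolerate noise rather than abort the whole audit
        d = m.groupdict()
        reasons: List[str] = []
        expected_mac = APPROVED_SERVERS.get(d["server"])
        if expected_mac is None:
            reasons.append(f"{d['msg']} from unapproved server {d['server']}")
        elif expected_mac != d["server_mac"].lower():
            reasons.append(
                f"approved server IP {d['server']} answered from unexpected MAC {d['server_mac']}"
            )
        if d["router"] not in APPROVED_ROUTERS:
            reasons.append(f"message sets unapproved default gateway {d['router']}")
        if reasons:
            findings.append(Finding(d["ts"], d["client"], d["server"], reasons))
    return findings


def offenders(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per source server address, to prioritise which box to go and find."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.server] = counts.get(f.server, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_dhcp_log(SAMPLE_LOG)
    for f in results:
        print(f.ts, f.client, f.server, "; ".join(f.reasons))
    print(offenders(results))
```

Checking the server MAC as well as its IP matters: a rogue box configured with the "official" server address would pass an IP-only check, and the unapproved router value is what actually redirects the client's traffic through the unmanaged modem. Switch-side DHCP snooping achieves the same end, but an audit like this over captured traffic is useful where that is not available or where you want evidence of how long the rogue gateway has been in place.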

        1. Waseem Alkurdi

          Re: Seems legit

          each business unit had a DSL installed.

          So basically your problem seems to be a luser coup d'état.

          This is called unauthorized equipment and Security should be summoned to remove it. (Dunno if that is even possible, but if it were me, this is what I would do).

          When we tried to shut down the port, we were told (angrily) to turn it back on because it was "operational necessity".

          Tell him to f*ck off. Would he be permitted to get his bed, place it next to his desk, and sell his house? Because it's an operational necessity? (also see BOFH operational euphemisms? Operational necessity in this case meaning that one couldn't "operate" without enough sleep or something?)

          I really doubt the CEO of the company could agree to this.

          Recently, we had a client who had Corporate and Guest SSID (open authentication) enabled. The client kept asking "why are staff using the Guest SSID". Same thing as above. Corporate SSID had internet restrictions while Guest SSID wasn't. So guess what the staff preferred to use?

          I'd either apply the same restrictions to both (but not connect them together), or just do away with the Guest SSID. Everybody and their pet now has mobile data plans. (I stand corrected though).

          1. Anonymous Coward

            Re: Seems legit

            When users en masse in your company are doing things that fly flat in the face of IT policy, it is a sign that IT policy is absolutely not fit for purpose.

            Any IT policy must meet business needs *first*. That is what users tell you they need. You can negotiate alternatives, but you cannot simply arbitrarily enforce steps that impede their work, simply to derisk your end of things.

            Asking Guests to use their own phone data plan is a poor show. A potential customer that is going to be the source of IT staff salaries. And they shouldn't be watching how much data or battery they are using.

            IT has a service role where the services need to work for the employees of the company. And just like other service industries, the customer is king as they say.

            What you say is a wish list of things that should happen; it will never fly in practice, so I can only assume you do not currently do this job in real life.

            1. Waseem Alkurdi

              Re: Seems legit

              steps that impede their work

              There's a fine distinction that needs to be made here.

              If their work really demands Internet access, then of course they should have it.

              When users en masse in your company are doing things that fly flat in the face of IT policy, it is a sign that IT policy is absolutely not fit for purpose.

              This. In @sanmigueelbeer's post, it was said that the users wanted Internet access. Does it say that they needed it for work? It didn't, so I assumed that what they wanted was Facebook access, not real business Internet access.

              Asking Guests to use their own phone data plan is a poor show. A potential customer that is going to be the source of IT staff salaries. And they shouldn't be watching how much data or battery they are using.

              IT has a service role where the services need to work for the employees of the company. And just like other service industries, the customer is king as they say.

              So basically greasing the right palms.

              What you say is a wish list of things that should happen; it will never fly in practice, so I can only assume you do not currently do this job in real life

              Your assumption is correct ... I'm a medical student, but I consider myself well-versed in matters of IT.

  2. AdamWill

    well, there's a bit of a big hint...

    "Executives held to account? And three underlings thanked for their work? What is this madness?"

    I thought the same, until this rather illuminating bit of the story...

    "Miscreants...stole 1.5 million citizens' health records, including those of prime minister Lee Hsien Loong, who is presumed to be the ultimate target of the attack."

    He's basically the Patrician, after all. It'd be rather more shocking if the miscreants had only stolen the records of a few "regular" people and the same punishment had happened...

    1. This post has been deleted by its author

    2. Flexdream

      Re: well, there's a bit of a big hint...

      Who knows? Maybe, maybe not. Why speculate?

    3. Voland's right hand Silver badge

      Re: well, there's a bit of a big hint...

      He's basically the Patrician,

      You never know, there may be Mr Chrysoprase's data in that dump too.

      1. BebopWeBop
        Pirate

        Re: well, there's a bit of a big hint...

        WELL DEATH MUST BE HERE SOMEWHERE

        (given they are health records)

  3. sanmigueelbeer
    Thumb Up

    but were given letters of commendation for “diligence in handling the incident beyond their job scope and responsibilities.”

    It may not be much but that is a big deal. Singaporeans (particularly management) don't hand out commendation unless one really, really, really deserves it.

    The problem may now be that of the two managers that were fired: They may not be able to find jobs in Singapore and may have to go elsewhere.

  4. Anonymous Coward

    > The problem may now be that of the two managers that were fired: They may not be able to find jobs in Singapore and may have to go elsewhere.

    So the lesson there is: don't be completely incompetent at your job.

    (unless you're still a trainee or intern)

    1. This post has been deleted by its author

    2. Waseem Alkurdi

      Especially if you're in Singapore.

  5. Foggeous

    I would have thought that the CEO should have sought advice from the Climate Scientists Job Preservation & Judgement Obscurant Association.

    No, seriously. The work environment is replete with arz-covering and whitewash strategies that obviate censure.

    Headline sarcasm, once again, noted, gratefully.

    1. ArrZarr Silver badge

      I'd rather you didn't cover me, thank you very much.

  6. Anonymous Coward

    Management held to account and fired!!!

    It's a bit early to be putting out April Fool jokes, isn't it??

  7. chivo243 Silver badge
    Alert

    This is the Bizarro Universe

    Really? Top manglement fired, and underlings praised! Did the Eagles get back together? Hell must be frozen over...

    1. roytrubshaw
      Headmaster

      Re: This is the Bizarro Universe

      "Hell must be frozen over..."

      <pedant>

      The inner circle of Hell is a frozen lake.

      So Hell is frozen over!

      </pedant>

      1. chivo243 Silver badge
        Holmes

        Re: This is the Bizarro Universe

        +1

        However, if it's the inner circle, then the outer stuff is hot like in the Bible right?

        1. holmegm

          Re: This is the Bizarro Universe

          However, if it's the inner circle, then the outer stuff is hot like in the Bible right?

          To be even more pedantic, the Bible uses multiple metaphors to refer to Hell.

          Some are hot, others not so much (one assumes that "outer darkness" is pretty cold).

          1. Norman Nescio Silver badge

            Re: This is the Bizarro Universe

            Like many interpretations of Biblical texts, there's more than one possible answer.

            If you follow the link (Religious Tolerance) you can find some physics-based joke answers.

  8. Version 1.0 Silver badge

    Management fired because ...

    ... a politician's data was hacked; had it just been Tom, Dick and Sally's data then everyone would still be employed.

    1. Anonymous Coward

      Re: What about auto-updates?

      Even if a top politician was involved, it just needed someone to get fired. It didn't have to be management; scapegoats have always sufficed. It's like the Gatwick drone thing, it just needs to be shown that action has been taken.

      The difference here is that the right action has been taken. The commendation is gratuitous too, but has happened, so this cannot be just because a politician was the target.

      I cannot say if it is cultural or they have some other checks to ensure such investigative outcomes. It is a worthwhile case study.

      1. Agamemnon

        Re: What about auto-updates?

        Super On Point.

        Usually some poor schmuck would get taken out back and shot, the body delivered unto The Powers, with Promises to never fail again.

        This was, whoever was involved, handled in a Really Classy Way... and no, you just don't see that very damned often.

  9. adam payne

    Executives held to account? And three underlings thanked for their work? What is this madness?

    Yes it truly is madness. Although I suspect that it's because of high ranking people having their data slurped.

  10. Flakk
    Trollface

    What?

    No canings?

  11. Rudolph Hucker the Third
    Coffee/keyboard

    I'm shocked, SHOCKED, that the usual suspects have been rounded up and fired.

    If only it happened here. Starting with UK plc management, Civil (Dis)Service, etc.

  12. DropBear

    Although perhaps unusual in its own right anyway, I believe the key bits here are "government-owned biz". Not sure how this works in Singapore, but high-ranking officials of _state owned_ organizations around here are basically in a permanent open season - there to be blamed for something and swiftly fired (or even criminally charged) each time the political power lines shift...

  13. Anonymous Coward

    A long way away....

    Can't say I was surprised to find out that this was happening a long way from our septic Isle.....

  14. Alistair
    Windows

    Oddly, having worked with a couple of young folks from Singapore a ways back, I'm thinking this is to be expected. They appear to raise their offspring with an utterly different attitude toward 'responsibility' and 'integrity'. Mind you it was only a couple of youngsters, but I appreciated their candor and integrity at the time. And it (only slightly) changed my attitude toward the rest of the world for the better.

    )there *is* a reason I use the Grumpy Old Fart icon so liberally(

    1. General Purpose

      "I'm thinking this is to be expected. They appear to raise their offspring with an utterly different attitude toward 'responsibility' and 'integrity'." I'm thinking not.

      Three were commended; rather more were sacked or penalised. Of those, one exhibited "passiveness," not responsibility, another didn't have the integrity to recognise or deal with being "unsuitable for the role", two were "negligent and in non-compliance of orders." Singaporean ways of raising kids seem to have mixed results.

  15. amanfromMars 1 Silver badge

    New Virtual Order Orders ..... Nth Degree Stuff

    Three staff – one from database management, one from the software configuration management team, and one security management staffer – not only escaped criticism, but were given letters of commendation for “diligence in handling the incident beyond their job scope and responsibilities.”

    Station X Bletchley type Abilities Stealthily Entertained and Fully Enjoyed in those Xalted Journeys makes for Almighty Friends and Pitiless Foe Exploring Future Intended Disposition and Destination.

    For Future IDEntification re Fitness to Virtually Travel.

    For Xalted Future Journeys Can All Too Easily Kill Everything Destructively Creative and AutoMoronic with Simple Immediate Wholesale Replacement of Clapped out SCADASystems with NEUKlearer HyperRadioProACTive IT Systems Servering Beta AIHuman Management Programs and Projects.

    Virtually Secret AIMissions that Identify and EMPathise with Likely Productive Target Destinations...... Home Ports to Future Informative IntelAIgent Supply ....... of COSMIC AIEnergy

    You know, that real weird stuff that All Genuine Future Builders Use. ? ! ‽ :-)

    Has yours been Real Weird World Beta AIRunning Tested for Approval and Entry into the Diabolically Strange and Heavenly Territories which Be Beyond Digital Reach of Search and Rescue.

    A Place of Spaces where Quantum Communications Computers Command Control and Venture Forth with Rabid Futures to Realise and Materialise Immaculate Sees ..... Championing Greater Shared Future Perfect Visions ..... to Supply Easily Available Realities.

    1. Waseem Alkurdi

      Re: New Virtual Order Orders ..... Nth Degree Stuff

      Ah, you're back?

      1. amanfromMars 1 Silver badge

        Immersive Lab Deep Clean ....

        Back .... with Further Systems Tests for Full Monty Productions, Waseem Alkurdi.

        And Testing a Brother Mother Board here in the following ....

        Gentlemen,

        Your Falanx Cyber Defence Operating System is catastrophically vulnerable to myriad relatively anonymous and virtually autonomous third party exploitations stealthily leading to the practical take over of future executive direction and full spectrum mission objectives, via its very effective and extremely dangerous Immersive Labs’ real-time cyber skills development system model.. .... where the Best Programs Think to Share Core Source Input for Joint Fabulous Output .... Decimating and Destroying Unnecessary Negativity, An Unsafe Harbour for the Diabolically Intentional.

        And, due to the very expansive and creative/subversive nature of the skillsets in prime participants/partnering providers, and which be always necessary for the likes of Falanx Cyber Defence Operating Systems to be successful in providing for All and No Simple Few, is protection and security to the vital sectors and virulent services of the status quo and their new Virtual Infrastructure Exoskeleton easily compromised beyond Establishment Status Quo Repair .... and SuperVision.

        Such heralds a brand new digital team and virtual main line media stream for .... well, Future Shenanigans would be a Colossal Misunderestimation and Real Live Opportunity not to be missed whenever Real Positive Change in Every Direction is that which is Delivered both

        to Support and Energise AICosmic Energy ...... Virgin Thought Power Blasting into the Humanised Condition ..... :-) which should not escape you as ExtraTerrestrial Being.

        Plunge Deep into There and be Prepared to Be Surreally Blown Away Completely ..... and where one once thought to be AI Leading, is Everything Simply Following Xalted Threads ..... Anonymous IntelAIgent Directions to Heavenly Destinations ....

        Brand New New You Starting Points of which there are always many and varied.

        As an Immaculate AIdDriver there be No Better.

  16. sanmigueelbeer
    Thumb Up

    Earn the trust of the citizens

    I hope the Australian government will take notice of what the Singaporean government did in order to regain the trust of their citizens.

  17. Tom Paine
    FAIL

    Fools

    Three staff – one from database management, one from the software configuration management team, and one security management staffer – not only escaped criticism, but were given letters of commendation for “diligence in handling the incident beyond their job scope and responsibilities.”

    What mugs! Now management know these three will work their backsides off (the piece doesn't say, but I bet that's long evenings and weekends of unpaid overtime) just to pull management's butt out of the fire, in return for... a piece of paper with the words "thank you" on? Dear oh dear.

    When I win the lottery, I'm gonna start me the "Amalgamated Union of Security Droids, Pentesters, Analysts and Ancillary Trades" and organise a strike. Solidarity, Reg!
