SingHealth COI hearing: Employees questioned about their inaction over alleged coding vulnerability
Friday's public hearing revealed details about how SingHealth employees who were asked to verify whistleblower Zhao Hainan’s identity did only that, and did not investigate the possible software vulnerabilities that Mr Zhao had flagged.
Read more at https://www.channelnewsasia.com/news/singapore/singhealth-coi-employees-questioned-inaction-coding-loophole-10769158
28 Sep 2018 08:23PM
The letter stated there was a “loophole” in the Allscripts SCM “where user can gain admin control of the whole database easily” due to the “architecture of the product”, Mr Kua recounted in his statement.
The letter to Epic Systems also mentioned that “this could lead to a serious medical data leak, or even a national security threat”, Mr Kua added.
One of them was Mr T K Udairam, group chief operating officer of Sheares Healthcare Management. He questioned Mr Kua - who had been officer-in-charge of Clinical Systems in 2014 - if he had been at least curious, if not concerned, about the vulnerability flagged by Mr Zhao.
It was revealed that Mr Zhao was dismissed by the company on Sep 18, the same day Mr Chambers sent that first email to Dr Chong.
--
This Mr Zhao was dismissed because he is genuinely concern that the leak could cause a serious medical data leak, or even a national security threat” - by raising the alert.
--
I also recall a similar incident when one was released early - before his contract ends - because he keep raising a network security issue that will cause the network to be breached --- and the infra manager view him as a threat to his position for raising the security alert.
--
The moral of the story :---- "One can be genuine in caring about the well-being of the company" --- but the consquences is that - he may lose his job while doing so.
This happen in Government linked organisation and private sector.
Now the dilemma is - should staff raise any potential security threat when they discover them in the course of doing their work.
But they are worried - will their immediate supervisor or even higher level management view them as "troublemaker" - and find excuses to fire them.
Because plugging the security holes will :-
(1) take time and cause project to delay
(2) cost money to put in security measures
(3) put management in a bad light for not having foresight in the planning.
Most of the time, the staff that raise the security alarm got "cruxified" and some management will hide the security risk - hoping that it will not be found and exploited - while firing the staff that discover and raise it.
Now Singhealth suay - got breached, VVIP info. got compromised and COI convene to vindicate that staff.
But what about some others that do not?
Like · Reply ·
Ricky Lim This is the deep seated culture that people are talking about in Singapore. Many reputable large MNCs have "whistle blowing" policies in place to encourage anyone to point out lapses in the system for example, possible corruption, unfair/unethical practices etc while remaining anonymous. The independent Management Team appreciate such red flags and will investigate all anonymous notifications with the intention to improve the existing systems and they are not interested in who provide the information. On the contrary, some organizations here would require the whistle blower to be identified first and invited for "coffee" before they investigate the alleged incident. With this kind of culture and mindset, do you think anybody in the normal frame of mind would whistle blow to expose the discrepancies ??? Most probably, these whistle blowers would choose to remain silent and let that things happen instead and the rot in the system continue...
William Loh - I have come across throughout my career (in Govt, Govt link and private enterprise) :-
(1) 50% of the time that management are transparent, open, encourage collaboration, encourage highlighting of the issues and problems that will impact the organisation, public, the Country, the customers - there is alot of positive energy and alot of motivation from top down and ground up.
I have plenty of respect for such corporate culture, management culture - and there are alot of positive energy in the organisation.
(2) I have also come across 50% of the time - where "office politics master" rule the day - where people are motivated to play "office politics" - to ensure their jobs are secured, their position are secure, or 瞒上骗下 - so that they can personally advance upwards - at the expense of others and the corporate objectives that they are employed to serve.
I have little respect for such culture.
Such culture start to appear in tandem with the change in HR framework - of "hire and fire" when every year appraisal they will have to "let go" say 5% or 10% of staff - who so called "underperform".
And this have poison the corporate climate - and turn it into negative energy throughout the organisation - as people start to play "office politics" to make themselves look good and not fall into the "5% - 10%: -- rather than serving the holistic corporate objective.
Thus no one want to raise any "negative issue" - for afraid being penalised - and have a bad appraisal -- and thus everyone start to play "office politics" to look good.
It end up - the whole corporate culture turn negative.
Workers are more like actors and actresses - rather than staff and workers serving the organisation, public and customers.
Strange...why was Zhao being dismissed first instead of getting him to disclose more abt the loophole n help to patch it up?? Dismissed immediately just becos he shared the info w a rival company n not worrying that the loophole still exists??? Or that he brings this info to join another company that could pose a threat to Singhealth?
So if you value a Foreign Talent, and yet unwilling to hear him out or value his views, how do you expect him to be loyal to you?? Contradicting policy.
obviously, this whole bunch of said senior management is good at playing "tai chi" to cover their own backside . the top pushed down to the lower level, then the level below just followed instruction n gave the answer the top wanted to hear or kept the problems as the top management normally likes staff who gives no problem, otherwise the staff would be seen as troublemaker or incompetent, thus pretented issues being solved n sat back n relax in hoping that things would go happy n lucky as usual.unfortunately, the worst really occured before they had promoted to next level or retired, so they had to face the music now.
said someone asked Mr.Zhao but also said could not recall who n when, this answer was was same as no answer,said investigation had been carried but said could not recall who done it n what the results were, no followed up? what kind of management?
wonder y the one who knew the lophole was dismissed? it was obvious that the relationship among staff was no good that caused the dismissed staff had no interest to feedback the lophole he detected in the system instead the info was passed to the rival.
Please read the news report properly. Especially on the relationship between AllScripts and EPIC. FT Zhao works for IHIS and together with IHIS' vendor, AllScripts. BUT, he reported the issues to EPIC which is a competitor of AllScripts...我们华人有句话叫做“吃里爬外”。
Freddy Chin
fair enough, this zhao got fired that served him right but u just see the wood n missed the whole jungle( 见木不见林)。u missed the big picture n more important issue here.
The fact here was the system was being hacked n our senior management's answers were they could not recalled this n that, n even more ironically, they were informed there was a lophole in the system, yet they just made a few e-mail n then forgot abt it pretending everthing was ok, the potential threats would disappear by itself. where was the accountablity? u read carefully, one asked her subordinate to check n the one answer was she just followed instruction, this reflected what kind of staff relationship in this company, so read carefully my comment, pls!
欢陈 , sad to say, I did not miss that portion which you have mentioned but you did miss the portion on FT Zhao's ulterior motive. Please read my other post...point 3.."Why IHIS management did not verify the "claims" by FT Zhao? I would be wetting my pants if I come to know of this issue. Btw, where is this ex-CEO working now? Hopefully, she is not dealing with security." Wish you a good weekends ..chill..
:)
It can been seen that the FT has his own agenda. By exposing to the competitor, he is not whistleblowing but might be trying to get something from the competitor. But EPIC did not buy his story and sent the email to AllScript (backstab him) and AllScript forwarded the email to ex-CEO of IHIS for questioning and further action. There are many questions...
1) Did the FT Zhao report the vulnerability to his superior? Did the superior take any actions if it was reported?
2) Is it morally correct to work together with AllScript and then backstab AllScript by sending its vulnerability issues to competitor, EPIC? I do not want to have such employee working for me for sure as I do not know when this FT will backstab me without my knowledge.
3) Why IHIS management did not verify the "claims" by FT Zhao? I would be wetting my pants if I come to know of this issue. Btw, where is this ex-CEO working now? Hopefully, she is not dealing with security.
how come there are so many senior manager, deputy directors and other fancy titled managerial positions but no one can even think of changing a simple password for all the production servers? are they so obsesses with title that they simply ignore the cause for good IT skills and knowledge?
I would think that people there are busy playing tai chi and politics. The passionate, good and hardworking ones would not thrive under such environment as their credits would be taken by those people who "smoke" well. Hence, many would have left after knowing that they would get more "sai kang" tasks to do as those tai chi masters are incompetent to do themselves but are getting all the promotions. The time has come to show the public how problematic the organization is.
Most of the senior rank in govt dept do not work hard for their pay they get. They are good in pointing finger when there are troubles but quickly take credit for work done by the lower rank staff.
Some small dept they have Director, Dy director, senior manager, 2 section heads at each dept etc follow by many senior staff doing nothing but good at pointing finger.
I have work at such dept before and I retired the moment I reach age 62. Before that sad to say I play and work smart.
No comments:
Post a Comment