On 4 December 2023, the Ministry of Health (MOH) issued the Cyber & Data Security Guidelines for Healthcare Providers (Guidelines). The Guidelines are intended to familiarise healthcare providers with the cyber and data security requirements for health information that will be imposed under the proposed Health Information Bill (HIB), which is to be introduced in mid-2024. The Guidelines apply to healthcare providers whose systems contain health information, or connect with other systems that contain health information.
In this regard:
- ‘Healthcare providers’ includes licensees under the Healthcare Services Act 2020, approved National Electronic Health Record users (such as retail pharmacies), MOH entities and relevant community partners (such as community care organisations).
- ‘Health information’ includes administrative data (i.e., personal information relating to the use or provision of any healthcare or community health service, such as demographics, contact details and service utilisation information) and clinical data (i.e., information about an individual’s physical and mental health and/or diagnosis, treatment and care).
Summary of Key Cyber and Data Security Requirements
The key cyber and data security requirements in the Guidelines are summarised below, grouped as the Guidelines group them: cybersecurity, data security, and requirements common to both.
Cybersecurity
- Promptly install software updates and patches, obtained only from legitimate sources.
- Secure and protect information by using anti-malware and anti-virus solutions, implementing access controls on information, and applying secure configuration settings to procured hardware and software.
- Regularly back up data essential for business continuity and recovery, and store the backups offline.
- Regularly train staff on cyber-hygiene practices.
- Implement an asset management system to keep track of the assets in use and to manage how, when and by whom they may be used.
- Implement policies and processes to identify and protect business-critical data, including measures to secure data at rest and to prevent employees from leaking confidential or sensitive information.
Data Security
- Store health information securely and within the legal and contractual retention periods.
- Reproduce copies of sensitive health information only where necessary.
- Transfer health information securely to avoid unwanted data exposure.
- Classify and mark health information according to its sensitivity level so that appropriate security safeguards can be applied.
- Grant access to sensitive information only on a need-to-know basis, and only to staff who have been trained on data protection and security requirements.
Common Requirements for Cyber & Data Aspects
- Understand service providers' security practices, including how they store, process and transfer data, and set out clearly who is responsible for what in the event of a cyber or data incident.
- Develop an incident response plan to respond to, manage and mitigate the impact of cyber and data incidents.
- Dispose of health information properly to mitigate the risk of unauthorised access.
- Establish a business continuity plan to ensure resilience against common disruption scenarios, including cyber and data incidents.
- Regularly review compliance with corporate policies, including cyber and data security safeguards.
Conclusion
The Guidelines set out best practices that healthcare providers should implement when handling health information. Healthcare providers should comply with the Guidelines now: they set out the cyber and data security requirements that will be imposed under the proposed HIB, and the policies and processes they describe also help with compliance with the Personal Data Protection Act 2012.
For More Information
OrionW regularly advises clients on data protection and cyber security matters. For more information about compliance with Singapore data protection laws and regulations, or if you have questions about this article, please contact us at info@orionw.com.
Disclaimer: This article is for general information only and does not constitute legal advice.