Protecting Your Health Information
How we prevent improper access and use of your NEHR records
Generally, only authorised healthcare professionals in a healthcare organisation are allowed to access and use your NEHR records to provide care to you. Therefore:
- A doctor cannot access your NEHR records for employment or insurance purposes.
- Unauthorised personnel in the same organisation, such as admin staff, are not allowed to access your NEHR records.
Entities can be required to take corrective action
The HIB will empower MOH to instruct healthcare providers to correct any non-compliances. Corrective actions may include:
- Stopping unauthorised access and usage of NEHR records.
- Destroying all health information collected in an unauthorised manner.
- Stopping further unauthorised sharing of health information beyond the data-sharing framework under the HIB.
- Putting in place measures to fulfil the cybersecurity and data security requirements.
NEHR has safeguards to protect against cyber-attacks
A comprehensive set of security measures and processes protects the NEHR against cyberattacks. Both system access and user access are periodically subjected to third-party audits to ensure compliance with the security standards for government-owned systems.
While the HIB will require healthcare organisations to implement systems that can connect to NEHR, a robust onboarding process is in place to ensure such systems have met the appropriate connectivity and security requirements before they are allowed to connect to NEHR.
Baseline cybersecurity and data security measures
Healthcare providers are required to meet cyber and data security measures if they:
- Have access to NEHR;
- Need to contribute data to NEHR; OR
- Participate in data-sharing arrangements allowed under the HIB.
This ensures the safe and secure handling of health information. Similar security requirements apply to any third-party vendor that the healthcare provider engages to process health information under the HIB. More details on the specific security measures can be found in the Cyber and Data Security Guidelines for Healthcare Providers.
MOH will also conduct random audits to ensure that healthcare providers have fulfilled the security measures.
What happens when a cybersecurity incident or data breach occurs?
The HIB requires healthcare providers to report cybersecurity incidents or data breaches to MOH.
- An initial report of the confirmed cybersecurity incident or data breach must be provided to MOH within 2 hours.
- The detailed incident report must be submitted after 14 days.
The mandatory reporting of such incidents enables MOH to coordinate and respond to incidents that may adversely impact patient safety and privacy. It also allows MOH to spot patterns that signal a larger-scale attack and pre-emptively take action to protect the integrity of our healthcare system.
Healthcare providers are also required to notify the affected individuals in the event of a notifiable data breach. Notifiable data breaches refer to data breaches involving more than 500 individuals*.
The HIB will not require healthcare providers to report data breaches involving non-health information, such as the loss of only financial data or account login details. However, they may still be required to report such data breaches to the PDPC if they meet the PDPA's data breach notification criteria.
*The “500 individual” threshold is aligned with PDPA’s data breach notification criteria.