Protecting Your Health Information

Protecting Your Health Information

How we prevent improper access and use of your NEHR records

Generally, only authorised healthcare professionals in a healthcare organisation are allowed to access and use your NEHR records to provide care to you. Therefore:

  • A doctor cannot access your NEHR records for employment or insurance purposes.

  • Unauthorised personnel in the same organisation, such as admin staff, are not allowed to access your NEHR records.

Entities can be required to take corrective action

The HIB will empower MOH to instruct healthcare providers to correct any non-compliances. Corrective actions may include:

  • Stopping unauthorised access and usage of NEHR records.

  • Destroying all health information collected in an authorised manner.

  • Stopping further unauthorised sharing of health information beyond the data-sharing framework under the HIB.

  • Putting in measures to fulfil the cybersecurity and data security requirements.

NEHR has safeguards to protect against cyber-attacks

A comprehensive set of security measures and processes protect the NEHR against cyberattacks. Both system and users’ access are periodically subjected to third-party audits to ensure compliance with security standards for government-owned systems.  

While the HIB will require healthcare organisations to implement systems that can connect to NEHR, a robust onboarding process is in place to ensure such systems have met the appropriate connectivity and security requirements before they are allowed to connect to NEHR.

Restricting access to Sensitive Health Information

Sensitive Health Information are secured behind four safeguards within NEHR and HealthHub.

Firstly, MOH restricts the healthcare professions which can access the Sensitive Health Information. Not all healthcare professions require such information to carry out their duties.

  • For example, doctors are generally allowed such access as the information may shape the treatment plan for their patients.

  • However, other healthcare professionals, such as physiotherapists, may not require such information to deliver care for their patients, and as such currently do not have access to Sensitive Health Information.

Secondly, for healthcare professionals who are allowed access to the Sensitive Health Information, NEHR has implemented a double log-in mechanism such that healthcare professionals will need to consciously assess that they require this information for their care delivery.

To further support these user controls, NEHR has also implemented identity management features to notify when an unauthorised access to Sensitive Health Information occurs.

Thirdly, access to Sensitive Health Information will be audited. Healthcare professionals found to have inappropriately accessed or disclosed Sensitive Health Information may be penalised under the HIB or other written laws (e.g., the Infectious Disease Act).

Lastly, the display of Sensitive Health Information from NEHR in HealthHub will continue to be blocked. This minimises the risk of accidental leakage of the records on Sensitive Health Information. However, this also means that you will not be able to access such records via HealthHub. You may approach your healthcare institution to provide you with a copy of the records on Sensitive Health Information.

Baseline cybersecurity and data security measures

Healthcare providers are required to meet cyber and data security measures if they:

  1. Have access to NEHR;

  2. Need to contribute data to NEHR; OR

  3. Participate in data-sharing arrangements allowed under the HIB.

This ensures the safe and secure handling of health information. Similar security requirements apply to any third-party vendor that the healthcare provider engages to process health information under the HIB. More details on the specific security measures can be found in the Cyber and Data Security Guidelines for Healthcare Providers.

MOH will also conduct random audits to ensure that healthcare providers have fulfilled the security measures.

What happens when a cybersecurity incident or data breach occurs?

The HIB requires healthcare providers to report cybersecurity incidents or data breaches to MOH.

  • An initial report of the confirmed cybersecurity incident or data breach must be provided to MOH within 2 hours.

  • The detailed incident report must be submitted after 14 days.

The mandatory reporting of such incidents enables MOH to coordinate and respond to incidents that may adversely impact patient safety and privacy. It also allows MOH to spot patterns that signal a larger-scale attack and pre-emptively take action to protect the integrity of our healthcare system.

Healthcare providers are also required to notify the affected individuals in the event of a notifiable data breach. Notifiable data breaches refer to:

  1. Data breaches involving Sensitive Health Information; OR

  2. Data breaches involving more than 500 individuals*.

The HIB will not require healthcare providers to report data breaches involving non-health information, such as the loss of only financial data or account login details. However, they may still be required to report such data breaches to PDPC if it meets the PDPA's data breach notification criteria.

*The “500 individual” threshold is aligned with PDPA’s data breach notification criteria.

PREVIOUS

Restricting Access to Your Health Information

NEXT

Glossary