Singapore’s Ministry of Health (MOH) has released new “Cybersecurity and Data Security Essentials” guidelines to support the rollout of the Health Information Act (HIA). The guidelines set out baseline requirements for healthcare providers handling patient data. They will be introduced in phases through early 2027.
The guidance applies to a wide group of entities, including providers licensed under the Healthcare Services Act 2020, as well as users of and contributors to the National Electronic Health Record (NEHR). It also covers other organizations allowed to share health data under the HIA. Both electronic records and physical documents are in scope.
Cybersecurity, data security, and common practices are three main areas of focus. On the technical side, organizations are expected to keep systems updated regularly, secure devices, and maintain data backups. For data handling, they must control access, limit retention, and prevent improper data sharing. Training, vendor oversight, and regular audits are required.
To build strong internal processes, organizations are now expected to have plans for incident response, business continuity, and proper data disposal. As implementation continues, healthcare providers should review their current practices and prepare for full compliance with the HIA.
Written by: Ames Gross – President and Founder, Pacific Bridge Medical (PBM)
Mr. Gross founded PBM in 1988 and has helped hundreds of medical companies with regulatory and business development issues in Asia. He is recognized nationally and internationally as a leader in the Asian medical markets. Mr. Gross has a BA degree, Phi Beta Kappa, from the University of Pennsylvania and an MBA from Columbia University.