On December 4, 2023, Singapore’s Ministry of Health (Ministry) announced that the nation’s first ever comprehensive health data law, the Health Information Bill (Bill), will be introduced in mid-2024.
A set of Cyber & Data Security Guidelines for Healthcare Providers (Guidelines) was also published. Of particular importance is that these Guidelines will frame and eventually be imposed as regulatory requirements under the Bill.
Objective
The healthcare sector has been identified as among the top three targets[1] of cyber attacks. Ransomware and phishing are especially pervasive, with more than one ransomware case reported every three days to the Cybersecurity Authority of Singapore[2]. This statistic is not only representative of Singapore, but appears to be experienced in other parts of the globe. In August 2023, a major healthcare provider in the United States suffered a ransomware attack that compromised its network of 17 hospitals and 166 outpatient clinics across various states, with about 500,000 personal data records being exposed on the dark web, including social security numbers, medical profiles, financial and legal information. Critically, the incident also caused a complete suspension of its clinical operation services.
It is against this backdrop that the Guidelines aim to provide much-needed, urgent guidance and regulatory certainty to healthcare providers as to the requirements for securing the confidentiality, integrity and availability of health information against unauthorized access and other risks. Noting the surge in cyber threats and security risks amplified by increasing digitalisation in the healthcare industry, there is a greater need to address their impact on patient safety and care quality, beyond just privacy and confidentiality. Breaches can also be extremely costly, insofar as they involve recovering affected systems and restoring lost data, as well as irreparable reputational damage.
Scope of applicability
To that end, the Bill aims to ensure the safe and secure processing of health information, with a view to enhancing the overall quality and continuity of care for patients.
“Health information” is defined to include both administrative data and clinical data. “Administrative data” refers to any personal information relating to the consumption or provision of a healthcare service, such as demographics, contact information and details pertaining to the utilization of a healthcare service. “Clinical data” means any information about or relating to either or both of the physical and mental health of an individual, and their diagnosis, treatment and care.
The Guidelines and forthcoming Bill will apply to healthcare providers with systems (including desktops, laptops, servers or devices) that either contain such health information, or connect with other systems that contain such health information. Certain data security requirements will also apply to healthcare providers on pen-and-paper to the extent that these are relevant. However, non-health information such as employee personal particulars are excluded from the scope of the Guidelines and Bill.
Pertinently, the Guidelines do not prescribe extended obligations to healthcare providers’ third party vendors or the latter’s products or services. In other words, providers of clinical management systems and cloud storage services do not have direct obligations, and it will lie on the healthcare providers to ensure that their engagement of such vendors is compliant with the requirements.
Structure and Content of Guidelines
The Guidelines comprise two sections:
- “Why is this important?”, which explains the rationale and importance of specific recommendations as well as provides examples in the healthcare context; and
- “What should healthcare providers do?” which lays down practical action steps towards compliance.
Key requirements are as follows:
- Cybersecurity
- Update
- Install software updates on devices and systems promptly.
- Secure/Protect
- Use anti-malware and anti-virus solutions to protect against malicious software.
- Implement access and control measures to control access to data and services.
- Use secure settings for procured hardware and software.
- Backup
- Back up essential data and store them offline.
- Asset
- Equip staff with cyber-hygiene practices as the first line of defence.
- Identify the hardware and software used and protect them.
- Identify the types of data held, where they are stored, and secure them.
- Data Security
- Secure
- Store health information securely to prevent unauthorized access
- Do not reproduce copies of sensitive health information unless necessary.
- Transport health information properly to avoid unwanted data exposure.
- Identify
- Know the information sensitivity levels of the data to apply appropriate safeguards.
- Differentiate data of varying sensitivity levels by marking their classification.
- Access
- Restrict access to health information for valid and relevant purposes.
- Common cyber and data security requirements
- Outsourcing and vendor management
- Understand the responsibilities set between the healthcare provider and vendor.
- Incident response
- Prepared to detect, respond, and recover from incidents.
- Disposal
- Proper disposal of health information mitigates the risk of unauthorized access.
- Emergency and contingency planning
- Supports ability to withstand service disruptions to ensure business continuity.
- Review security and internal audit
- Regular checks on corporate policies and processes to ensure compliance and identify vulnerabilities.
Implementation
The Guidelines were developed by the Ministry in consultation with the Cybersecurity Agency of Singapore, Infocomm Media Development Authority and the Personal Data Protection Commission.
The timeline for the implementation of the Bill (which will impose obligations based on the Guidelines) is yet to be determined, but a sunrise period will be provided for healthcare organisations to operationalize compliance with the requirements. Such timeline will take into consideration the sectoral readiness of the industry, availability of implementation support plans, and when healthcare providers are mandatorily required to upload medical records onto Singapore’s National Electronic Health Record system[3]. Surveys will be conducted to better understand these aspects including the IT set-up, resourcing and capabilities of healthcare providers operating in Singapore.
Remarks
It is imperative that healthcare institutions start incorporating the standards set forth in the Guidelines ahead of mid-2024. Whilst there will be a transition period for making changes to adhere to the obligations in the Bill, many of the requirements may take time to implement especially if they require adjustments to systems and infrastructure. It is also useful from a risk mitigation perspective to respond swiftly to these measures given the heightened risk in recent times of large scale attacks and breaches.
Should you require any support or assistance, feel free to contact the author or your usual relationship partner at Squire Patton Boggs.
[1] https://www.csa.gov.sg/Tips-Resource/publications/2023/singapore-cyber-landscape-2022
[2] https://www.csa.gov.sg/Tips-Resource/publications/2023/singapore-cyber-landscape-2022
[3] https://www.synapxe.sg/healthtech/national-programmes/national-electronic-health-record-nehr