Measures to Ensure Security of Medical Records of SAF Personnel
Ministry of Defence
Summary
This question concerns the security measures for SAF medical records during their integration with the National Electronic Health Record system, as raised by Mr Pritam Singh. Minister for Defence Dr Ng Eng Hen stated that confidentiality is maintained through tiered, need-to-know access for medical and authorized human resource personnel, supplemented by regular audits. To prevent unauthorized access, the system is restricted to designated Ministry of Defence terminals and utilizes encrypted, dedicated point-to-point connections for data transmission. Minister for Defence Dr Ng Eng Hen further noted that the system is subject to frequent vulnerability testing and continuous monitoring for cyber intrusions. These protocols align with international standards and Ministry of Health practices to ensure the robust protection of servicemen's medical information.
Transcript
14 Mr Pritam Singh asked the Minister for Defence what measures have been undertaken to ensure the security of the medical records of SAF personnel in view of the integration via the Internet of the SAF's electronic medical records system (the Patient Care Enhancement System (PACES)) with the National Electronic Health Record system.
Dr Ng Eng Hen: Two main aspects to ensure security of medical records of Servicemen were taken into account in the design and implementation of the Singapore Armed Forces' (SAF's) electronic medical records system. They relate primarily to (a) the confidentiality of records, and (b) measures to guard against unauthorised access and cyber intrusions. Stringent processes for these two aspects have been put in place, which are aligned with international standards.
First, to ensure confidentiality of records, access to the SAF's electronic medical records system is limited only to medical personnel and selected human resource (HR) practitioners on a need-to basis and the list of authorised users is regularly reviewed. Even then, the level of access is also tiered-based, that is, medical officers as primary caregivers need to and can access detailed medical information, but medics and HR practitioners can access less information that is relevant to fulfil their functions. Regular audits are conducted to ensure that access and the confidentiality of the medical information have complied with existing policies and regulations and benchmarked to the Ministry of Health's practices and standards.
Second, to guard against unauthorised access and cyber intrusions, PACES is only accessible to authorised users from designated terminals at specific Ministry of Defence (MINDEF)/SAF premises. The entire PACES system is also protected by a suite of tools to enhance cybersecurity. When medical information of SAF personnel is required for continuity of care to be shared with other medical institutions using the National Electronic Health Records (NEHR) system, it is first encrypted and transmitted via a dedicated point-to-point connection with system authentication.
The SAF's electronic medical records system is regularly tested for vulnerabilities to update the system's software. In addition, the system is constantly being monitored for any attempted cyber intrusions.