Protection of Patient Information by Private Healthcare Providers

27 Ms Joan Pereira asked the Minister for Health with regard to private healthcare providers, whether the Ministry will consider requiring them to adhere to the Ministry’s data maintenance and protection protocol and only utilise IT hardware, software and services approved by the Ministry to protect patient information.

Mr Ong Ye Kung: Under the Private Hospitals and Medical Clinics Act (PHMCA), licensed healthcare institutions in both the public and private sectors are required to have in place adequate safeguards to maintain and protect their medical records against loss, or unauthorised modification, destruction, access, disclosure, copying or use. In addition, they are subject to requirements under the Personal Data Protection Act, which imposes obligations to protect personal data.

MOH regularly inspects and audits healthcare institutions to ensure that licensees have taken reasonable actions to implement appropriate and adequate safeguards for the integrity and confidentiality of patients’ medical records.

Maintaining a good cybersecurity posture depends not just on technical measures. It is equally important that licensees have in place process measures and the capability to detect, respond to and recover from cyber threats. Hence, MOH had issued a set of Healthcare Cybersecurity Essentials in August 2021 to guide licensees in establishing and reviewing their cybersecurity safeguards. These guidelines cover IT asset management, technical, process and people aspects. Licensees are strongly encouraged to implement measures recommended in the Cybersecurity Essentials.

MOH will continue to review and update the regulatory framework to equip licensees in securing their data and IT systems, so as to deliver appropriate and safe care, whilst upholding patient safety.