Oral Answer

Safeguarding Confidentiality of Patient Information with National Electronic Health Record

Summary

This question concerns Dr Lim Wee Kiak's inquiry on safeguarding patient confidentiality and preventing data breaches within the National Electronic Health Record (NEHR) system. Senior Minister of State Chee Hong Tat stated that access is governed by the Ministry of Health for direct patient care, excluding insurers and employers. Security measures include two-factor authentication, suspicious usage detection, and patient-accessible audit logs to track and report any unauthorized access to medical records. Senior Minister of State Chee Hong Tat highlighted that misuse will be penalized under the Cybersecurity and Computer Misuse Act and the Healthcare Services Act. Additionally, the system employs multi-layered cybersecurity defenses and undergoes regular security penetration tests and independent audits to ensure robust data protection.

Transcript

The following question stood in the name of Dr Lim Wee Kiak –

20 To ask the Minister for Health with the introduction of the National Electronic Health Record (NEHR) (a) how will the Ministry safeguard the confidentiality of the records as data leaks can affect a patient's employability and career prospects; (b) what security measures will be put in place to ensure that not every employee in a clinic has access to the records; and (c) what measures are put in place to prevent data breaches.

Mr Lim Biow Chuan (Mountbatten): Question No 20.

The Senior Minister of State for Health (Mr Chee Hong Tat) (for the Minister for Health): Mr Speaker, data security and protection are key considerations in the design and operation of the National Electronic Health Record (NEHR) system. This is achieved through a combination of legislative measures, data management policies, system features and public education.

All access to the NEHR system will be governed and authorised by the Ministry of Health (MOH). For example, when a general practitioner (GP) applies for an account to the NEHR, the application will be subjected to MOH’s review and approval before access is granted. Access to individual health records through the NEHR is meant for purposes of direct patient care. Beyond that, any access to individual health records, such as for purposes of coroner’s investigation, will only be granted if it is enabled by the relevant legislation. NEHR information will not be revealed to third parties like insurers and employers.

To deter unauthorised access, a two-factor authentication system has been incorporated, together with features to detect suspicious access and usage. In addition, all access to the NEHR is captured in audit logs and patients will be able to view a record of accesses made to their NEHR records so that they can report unauthorised access.

When suspicious access is detected or reported, we will carry out investigations and those found to have misused the system will be dealt with under the law, in accordance with the penalties under the Cybersecurity and Computer Misuse Act and the proposed Healthcare Services Act.

Mr Speaker, to protect against cyberattacks, the NEHR system has a multi-layered cybersecurity defence. Security penetration tests and independent cybersecurity audits are conducted regularly. While measures have been put in place, we need to continue to remain vigilant.