In brief
Singapore’s Ministry of Health (MOH) has published the “Cybersecurity and Data Security Essentials” guidelines (“Guidelines”), which set out cybersecurity and data security requirements for healthcare providers processing health information pursuant to the Health Information Act (HIA).
The Guidelines are part of the implementation resources for the HIA’s progressive roll-out through early 2027. The Guidelines apply to HIA entities, i.e., persons to whom the HIA applies, including licensees under the Healthcare Services Act 2020 (“HCSA”), National Electronic Health Record (NEHR) contributors and users, and other prescribed entities enabled to share health information under the HIA.
Key takeaways
The Guidelines highlight various recommended practices for HIA entities to implement, covering cybersecurity (IT and software-related measures), data security (data‑related practices), and common cybersecurity and data security practices (personnel training, vendor management, and organisation protocols).
- Cybersecurity: Ensure prompt installation of software updates, implement measures to secure and protect hardware and software, establish backup and storage protocols, and properly identify and protect hardware and software assets.
- Data Security: Establish policies/processes to identify and protect health information, set purpose-limited retention periods, ensure authorised disclosure on a need-to-know basis, and prevent improper transfers that may create unwanted data exposure.
- Common Practices: Equip personnel with training, understand responsibilities with vendors, as well as ensure regular internal audits and security reviews, proper disposal, emergency planning, and incident response.
- Plan for phased implementation: HIA entities should closely monitor implementation resources that MOH publishes.
In more detail
The Guidelines were developed by MOH in consultation with the Cyber Security Agency of Singapore (CSA), the Infocomm Media Development Authority, and the Personal Data Protection Commission.
1. Scope of Guidelines
The Guidelines support the implementation of the HIA, which governs safe and secure collection, access, use and sharing of health information. The Guidelines apply to HIA entities, including HCSA licensees, contributors and users of the NEHR, and other prescribed entities enabled to share health information under the HIA. They apply to administrative and clinical health information and cover both electronic data and non‑electronic data (i.e., hardcopy documents).
2. Cybersecurity (IT and software‑related measures)
The Guidelines set out baseline IT and software measures for computer systems that contain health information or are interconnected with NEHR. Examples include promptly installing software updates, using anti‑malware and anti‑virus protection, implementing access control measures, ensuring the secure configuration of hardware and software assets, backing up and maintaining separate storage of essential data, and developing protocols to authorize new hardware and software assets.
While certain controls may be implemented by Cyber Essentials‑certified Health Information Management Systems (HIMS) vendors, HIA entities remain responsible for ensuring that other systems and applications containing health information implement the same security measures.
3. Data security (data‑related practices)
The Guidelines also prescribe data‑related practices to secure health information throughout its lifecycle. These include measures to identify the type of data held and where it is stored, reproduce health information only where necessary for an official purpose, and transfer health information properly to avoid unwanted data exposure.
Examples include contractual safeguards against third-party disclosure, physical security measures, retention periods, and marking or differentiating health information to enable personnel to recognise and manage it appropriately.
4. Common cybersecurity and data security practices
These include the training and education of personnel, outsourcing and vendor management, and implementing security reviews and internal audit measures.
HIA entities are expected to equip personnel with cybersecurity and data security hygiene practices as the first line of defense, alongside regular checks on corporate policies and processes to ensure compliance and identify gaps. HIA entities must also ensure the proper disposal of health information to reduce the risk of unauthorized access.
The Guidelines also stress the importance of contingency planning: HIA entities are advised to establish business continuity arrangements so that they can withstand service disruptions caused by cybersecurity attacks and/or data breaches. There should also be an incident response plan in place to guide HIA entities on how to respond to, manage, and mitigate the impact of such incidents, in line with the incident reporting thresholds and timelines under the HIA.
HIA entities should proactively assess their cybersecurity and data governance practices against the Guidelines to begin the transition towards HIA-compliance.
* * * * *

© 2026 Baker & McKenzie. Wong & Leow. All rights reserved.