Debate on ministries’ budgets: Health

Parliament: Feature to let patients report suspicious access to their medical data

Integrated Health Information Systems (IHiS), the IT vendor for Singapore's healthcare sector, is working to roll out a feature that lets patients view the access logs of their own National Electronic Health Record (NEHR) data, Health Minister Gan Kim Yong said yesterday in Parliament.

This will allow patients to report any suspicious access themselves, he said.

The feature is among the enhancements under way to strengthen the security of electronic health records and systems.

Responding to MPs' questions in the debate on his ministry's budget, Mr Gan said there are three broad levels of safeguards protecting the NEHR: hardening protection against cyber attacks and unauthorised access; putting in place effective measures to detect and respond to security breaches; and, deterring breaches from happening.

These measures follow last year's cyber attack on SingHealth that resulted in the theft of 1.5 million patients' personal particulars.

Mr Gan also said regular security audits are conducted on the NEHR database, with the most recent penetration test carried out last October.

"In addition, there are ongoing robustness tests conducted by the Cyber Security Agency, GovTech and an independent third party, PwC," he said.

PwC is professional services provider PricewaterhouseCoopers.

"At the user level, the NEHR should only be used for direct patient care. Other uses, including for research, are not allowed," he said.

"There are strict controls to protect against unauthorised access. The system also does not allow users to download records onto workstations," Mr Gan added.


The new feature planned by IHiS will help to detect and respond to breaches.

In addition, all access to the NEHR is logged and subjected to monthly audits using analytics to detect unusual usage patterns, he said.

In terms of deterrence, he said stern action would be taken against anyone responsible for breaches, including staff who have failed in their duties. He added that other enhancements have been made to Singapore's cyber-security safeguards since the attack.

A version of this article appeared in the print edition of The Straits Times on March 07, 2019, with the headline 'On the way: Feature to let patients report suspicious access to their medical data'. Print Edition | Subscribe