CISOaaS for HIA
Singapore

Health Information Act (HIA) Cybersecurity and Data Security Essentials

Cybersecurity and Data Protection Advisory for Healthcare Providers

A new era of mandatory health data sharing.

The Health Information Act (HIA) introduces a fundamental shift in how healthcare data is managed in Singapore. 

  • For the first time, all licensed healthcare providers are legally required to contribute patient health information to a national system, the National Electronic Health Record (NEHR).
  • This means that patient data generated in your organisation will no longer remain solely within your internal systems. 
  • Instead, it becomes part of a nationwide healthcare data ecosystem, accessible by authorised clinicians across public and private institutions to support coordinated care.
  • HIA is not just about digitisation. It represents a move towards interoperability, transparency, and real-time data sharing across the entire healthcare sector.
  • To learn more about HIA, please visit https://www.healthinfo.gov.sg/

A national mandate for healthcare data governance.

What is HIA?

The HIA is a new legislative framework introduced by Singapore’s Ministry of Health (MOH) to support coordinated care across the national healthcare ecosystem. It governs how patient health information is collected, contributed, accessed and shared through the National Electronic Health Record (NEHR).

HIA applies to all licensed healthcare providers and mandates the contribution of patient health information to the NEHR. This enables clinicians across public and private sectors to access a consolidated view of a patient’s medical history from multiple healthcare providers, improving continuity and quality of care. 

The HIA will establish cybersecurity and data protection standards for healthcare providers and Health Information Management Systems (HIMS).

Who does HIA apply to?

HIA applies to all licensed healthcare providers in Singapore, across both public and private sectors.

This includes, but is not limited to:

  • Public and private hospitals
  • Specialist centres and medical groups
  • General Practitioner (GP) clinics
  • Dental clinics and dental groups
  • Clinical laboratories and pathology services
  • Radiology and imaging centres
  • Selected allied health and community care providers

In addition, HIA may also extend to MOH-approved healthcare service providers and system operators that process or manage health information on behalf of healthcare institutions.

Regardless of size or digital maturity, every provider must ensure their systems, processes and staff are ready to operate in a high-trust, high-risk data environment.

What does HIA require healthcare providers to do?

Under the HIA, healthcare providers are required to:

  • Contribute patient health information to NEHR in a timely and accurate manner
  • Ensure systems used to process health data are secure and reliable
  • Implement appropriate cybersecurity and data protection safeguards
  • Restrict access to health information to authorised personnel only
  • Maintain proper audit trails, governance and access controls
  • Report confirmed cybersecurity incidents and data breaches to MOH

These obligations apply not only to core clinical systems, but also to:

  • Cloud platforms
  • Third-party service providers
  • Integrated patient management systems
  • Any system that processes or stores NEHR-related data

From internal records to national critical systems.

What is NEHR?

The NEHR is Singapore’s national healthcare information system that consolidates a patient’s medical records from multiple healthcare providers into a single, longitudinal health profile.

It is designed to support:

  • Continuity of care across different providers
  • Safer clinical decisions through better information access
  • Reduced duplication of tests and treatments
  • More efficient healthcare delivery across the system

NEHR is operated as national critical digital infrastructure under the Ministry of Health and is a core pillar of Singapore’s Smart Nation and healthcare transformation agenda.

What information is stored in NEHR?

NEHR contains selected categories of clinically relevant patient data, including:

  • Patient demographics and identifiers
  • Diagnoses and medical conditions
  • Medications and allergies
  • Laboratory test results
  • Radiology and imaging records
  • Discharge summaries and care notes
  • Other clinically relevant treatment information

Who can access NEHR?

NEHR is accessible only by authorised healthcare professionals and institutions, based on strict access controls and role-based permissions.

Access is:

  • Limited to care-related purposes
  • Logged and auditable
  • Subject to regulatory oversight
  • Governed by professional and legal accountability

Patients also retain rights over how their information is used, including safeguards against unauthorised or inappropriate access.

How will patient data be protected?

Under the HIA, healthcare providers and system operators must implement safeguards to protect patient data and promptly notify MOH of confirmed cybersecurity incidents and data breaches. Where gaps exist, MOH may issue directions requiring remedial action.

What does NEHR require from healthcare providers?

To participate in NEHR, healthcare providers must ensure that:

  • Their clinical systems are securely integrated with NEHR
  • Data submitted is accurate, complete and timely
  • Access controls are properly implemented and enforced
  • Staff are trained in appropriate data handling practices
  • Cybersecurity controls protect against unauthorised access, leakage and system compromise

Why NEHR significantly changes the cybersecurity landscape

NEHR transforms healthcare data from isolated institutional records into shared national assets.

This creates a fundamentally different risk profile:

  • A single breach can affect multiple providers and patients
  • Third-party vendors become part of the security perimeter
  • Clinical access misuse becomes a regulatory issue
  • System downtime impacts national care delivery

As a result, NEHR participation requires healthcare providers to operate at a level of cybersecurity and governance comparable to financial services and critical infrastructure sectors.

With mandatory data sharing comes significantly higher responsibility.

Under HIA, healthcare organisations become custodians of nationally significant health data, not just their own operational records. This dramatically raises the stakes in areas such as:

  • Cybersecurity exposure
  • Data governance and access controls
  • System integration risks
  • Breach response and regulatory accountability

In practical terms, a cyber incident or data leakage is no longer just an internal IT failure; it becomes a regulatory, reputational and potentially criminal matter.

What happens if healthcare providers do not comply?

HIA introduces significant penalties for non-compliance:

  • Up to S$20,000 fine and/or 1 year imprisonment for failing to comply with directions
  • Up to S$50,000 fine and/or 2 years imprisonment for unauthorised access or disclosure
  • Systemic cybersecurity failures may attract fines of up to S$1 million

Prepare for HIA with confidence.

Not sure where to begin? We are ready to assist.

HIA will come into force soon, with training resources and funding support available. Healthcare providers are expected to strengthen cybersecurity and data protection capabilities ahead of enforcement.

Our multidisciplinary team helps healthcare providers navigate regulatory obligations while strengthening cybersecurity resilience:

HIA Readiness and Gap Assessment
  • Review of governance, policies and data handling practices

Cybersecurity Risk and Controls (CISOaaS for HIA)
  • Implement MOH’s Cyber and Data Security Guidelines (CSDS)

Data Protection and Governance
  • Data classification and access controls
  • Breach response procedures
  • Regulatory compliance advisory

Data Protection Essentials (DPE) Consulting Services - Free*
  • Implementation of the DPE framework, which provides practical Personal Data Protection Act (PDPA)-aligned data protection measures, allowing your organisation to demonstrate accountability in handling personal data, reducing PDPA compliance risks, and strengthening stakeholder trust in your data practices.

IT Managed Services - Free*
  • Receive IT support that complies with HIA on a continuous basis. This helps clinics reduce downtime, protect sensitive patient data, and stay compliant with evolving healthcare regulations.

*Terms and conditions apply.

Pricing

CISOaaS for Health Information Act (HIA) Cyber Security and Data Security Essentials

Consultancy service pre-scoped to align with the measures in the HIA Cyber Security and Data Security Essentials.

CISOaaS (Cyber Essentials for HIA Entity)

| Quantity of end-points | Cybersecurity consultancy fee (Cyber Essentials for HIA entity) | Funding available (up to 70% co-funding, if eligible) | Out-of-pocket cost (what you need to pay) | Optional retainer fee, per man hour (no funding support) | Optional retainer fee, per man month (no funding support) |
|---|---|---|---|---|---|
| 1 – 5 | S$4,650 | S$3,255 | S$1,395 | S$150 | S$550 |
| 6 – 10 | S$4,800 | S$3,360 | S$1,440 | S$150 | S$550 |
| 11 – 20 | S$8,450 | S$5,862 | S$2,588 | S$150 | S$600 |
| 21 – 50 | S$12,950 | S$9,065 | S$3,885 | S$150 | S$800 |
| 51 – 100 | S$19,700 | S$13,790 | S$5,910 | S$150 | S$900 |
| 101 – 200 | S$28,125 | S$19,687 | S$8,438 | S$150 | S$950 |
| 201 – 500 (in increments of 100 end-points) | S$7,350 | Funding support is available up to the first 200 end-points only | – | S$150 | S$800 |
| 501 and above (in increments of 100 end-points) | S$5,250 | Funding support is available up to the first 200 end-points only | – | S$150 | S$800 |
 
Please note: Funding support is subject to eligibility and approval by CSA. Actual co-funding (if any) depends on the organisation’s eligibility and the final validated scope and charges, and is capped at the levels shown above.

CISOaaS for Health Information Management System (HIMS)

Consultancy service pre-scoped to align with the measures in the HIA Cyber Security and Data Security Essentials.

CISOaaS (Cyber Essentials for HIMS Vendor)

| Quantity of end-points | Cybersecurity consultancy fee (Cyber Essentials for HIMS vendor) | Funding available (up to 70% co-funding, if eligible) | Out-of-pocket cost (what you need to pay) | Optional retainer fee, per man hour (no funding support) | Optional retainer fee, per man month (no funding support) |
|---|---|---|---|---|---|
| 1 – 5 | S$5,515 | S$3,860 | S$1,655 | S$175 | S$625 |
| 6 – 10 | S$5,650 | S$3,955 | S$1,695 | S$175 | S$625 |
| 11 – 20 | S$9,375 | S$6,373 | S$3,002 | S$175 | S$675 |
| 21 – 50 | S$14,375 | S$9,931 | S$4,444 | S$175 | S$875 |
| 51 – 100 | S$21,875 | S$15,312 | S$6,563 | S$175 | S$975 |
| 101 – 200 | S$31,250 | S$21,875 | S$9,375 | S$175 | S$1,025 |
| 201 – 500 (in increments of 100 end-points) | S$7,875 | Funding support is available up to the first 200 end-points only | – | S$175 | S$800 |
| 501 and above (in increments of 100 end-points) | S$5,625 | Funding support is available up to the first 200 end-points only | – | S$175 | S$800 |
 
Please note: Funding support is subject to eligibility and approval by CSA. Actual co-funding (if any) depends on the organisation’s eligibility and the final validated scope and charges, and is capped at the levels shown above.
Contacts

Alvin Neo, Director, Technology, Crowe Singapore
Chia Shu Siang, Director, Risk Advisory, Crowe Singapore