WORRIES ABOUT PATIENT PRIVACY
While welcoming the privacy safeguards, MPs stressed the need to ensure patient trust and sought clarity on how more sensitive information, like mental health records, will be treated.
Dr Wan Rizal (PAP-Jalan Besar) said that the mere perception that health records could be used in employment decisions can discourage workers from seeking the care they need.
“Workers must feel safe engaging with the healthcare system, without fear of downstream consequences at work,” said the labour MP.
He said workers worry about “backdoor” use of their information, and sought assurance that the exception to share patient data for specific statutory medical examinations will not expand to general pre-employment screenings.
Mr Kenneth Tiong (WP-Aljunied) raised concerns about possible insurance loopholes, noting that integrated plan insurers increasingly require doctors to sign contracts with inspection and right to audit clauses, which grant them the right to inspect full medical records to verify claims.
He asked if the government would review the inspection and right to audit clauses in integrated plan contracts to ensure that insurers do not circumvent the excluded purposes provision.
Some MPs asked for more patient control or differentiation around access to medical records.
Ms Mariam Jaafar (PAP-Sembawang) sought higher-level authorisation and additional justification to access sensitive information like mental health and reproductive health records.
Noting how key health information will continue to be shared with the NEHR even if there are access restrictions, Mr Louis Chua (WP-Sengkang) urged MOH to move away from the “collect first, tell later” approach.
He also said some patients might wish to block access to only certain records and have more flexibility in protecting their information, rather than a blanket approval or restriction.
SUPPORT FOR SMALLER CLINICS
MPs on both sides of the House called for more support for smaller clinics, which they said could face challenges implementing the necessary cybersecurity requirements.
“This Bill changes the rules of the game. It mandates that every private clinic, from the specialist in Orchard Road to the void deck GP in the heartlands, must contribute their data. They have no choice if they wish to stay open,” said Mr Dennis Tan (WP-Hougang).
Mr Dennis Tan, Ms Joan Pereira (PAP-Tanjong Pagar), Mr David Hoe (PAP-Jurong East-Bukit Batok) and Nominated MP Haresh Singaraju suggested providing shared IT services or staffing arrangements to support smaller clinics, which do not have the dedicated IT departments of large healthcare operators.
Dr Haresh, a family physician, said there remains a “grey zone” around what is considered “reasonable care” by doctors, who may not consult patient records available in the NEHR if they consider their clinical assessment sufficient.
Echoing this, Dr Hamid Razak (PAP-West Coast-Jurong West) asked for confirmation that the NEHR is “a supplementary clinical tool and not a mandatory step”.
The surgeon said this would help to address concerns that clinicians could be held liable for not checking the NEHR in every patient consultation.
LESSONS FROM 2018 SINGHEALTH BREACH
Workers’ Party’s (WP) Mr Tiong noted that Synapxe, the agency that operates the NEHR, was rebranded from Integrated Health Information Systems (IHiS), the entity found responsible for the 2018 SingHealth data breach.
That was when the records of 1.5 million patients were stolen in the most serious breach of personal data in Singapore’s history.
Mr Tiong pointed to the findings that the breach was a result of human lapses, including lack of cybersecurity awareness among IHiS staff, who did not respond appropriately when they detected suspicious activity.
“Given the history here, I believe our health authorities also need to take steps towards rebuilding that trust,” he said.
He sought details and assurance from MOH on NEHR’s technical architecture and how the ministry will police unauthorised access to the database.
Fellow WP MP Mr Dennis Tan noted that SingHealth and IHiS were collectively fined S$1 million for the 2018 data breach.
He said this effectively worked out to a 66-cent fine for each stolen patient record, and that the fine could be considered “a trivial operating expense” for such a large healthcare operator, given its revenues.
He suggested that a fine on a per-person basis would signal the value the government places on citizens’ privacy and make organisations take cybersecurity more seriously.
Responding to Mr Tiong, Mr Tan encouraged the WP MP to file a separate parliamentary question as the topic was not related to the debate on the Health Information Bill.
He added: “Synapxe is not a commercial entity. Its fundamental role is to support MOH in delivering digital health and IT services to benefit the healthcare clusters, to deliver better healthcare services to our Singaporeans.”
Mr Tan later also said that MOH and the NEHR had taken in the recommendations of the 2019 committee of inquiry into the cyberattack.
“NEHR is subject to security and resilience audits, with vulnerability scans, penetration tests and exercises carried out regularly to ensure that systems are secure and back-up systems are operational in the event of downtime,” he said.
He said the NEHR database had “several lines of defence” to detect and block suspicious traffic.
He added that the lesson from the data breach was that “we are open and transparent about the issue, convene the committee of inquiry, learn the lessons, apply them, and make sure we work very hard to prevent such breaches from reoccurring”.
On the S$1 million fine for SingHealth and IHiS, Mr Tan pointed out that Singapore also provides for criminal prosecution for data breaches, which can include prison time.
“But more basically, we take an approach that is more supportive, working together with our healthcare providers and healthcare professionals,” he said.
“We want to take a supportive role and approach to uplift data security and cyber security postures, not the punitive approach.”