Singapore’s Health Information Bill: Cybersecurity implications for GPs and clinics
What clinics and GPs need to know about the cybersecurity and data security requirements under HIB
Singapore has taken a major step towards its strategic vision of “One Patient, One Health Record”, with the tabling of the Health Information Bill (HIB) in Parliament in November 2025. If passed, the Bill would mandate the sharing of selected health data from all licensed providers – including general practitioners (GPs) – to the National Electronic Health Record (NEHR) central repository.
Examples of such data include medication history, admission and visit history, allergies, adverse drug reactions, and lab test results. These data points, the Ministry of Health (MOH) noted, are essential for clinicians to make informed decisions and deliver safer, more coordinated care. Having such data centrally stored and accessible is expected to reduce duplicated tests, medical errors and adverse events, it added.
Cybersecurity and data governance requirements under Health Information Bill
HIB will introduce cybersecurity and data security requirements for healthcare providers, ranging from patching and monitoring to multi-factor authentication and incident reporting.
These requirements are to be applied equally to all providers regardless of size – raising concerns that they may present challenges for smaller practices.
Many technical requirements fall beyond the expertise of GPs, especially for pen-and-paper clinics that have yet to adopt a Clinic Management System. Implementing the necessary digital systems would likely be costly, with the risk that these costs are in turn passed on to patients.
So far, MOH has pledged to offer support for clinics to onboard and meet HIB requirements, through workshops and guides. A curated list of qualified service providers is also available for licensees who need help to meet the compliance requirements. MOH stressed that engaging any service provider is entirely optional, whether or not it is on the list, which has been provided only for reference.
Practical cybersecurity takeaways for private clinics
A common misconception among clinics is that clinic management systems (CMS) handle all cybersecurity requirements; they typically do not cover system patching, workstation backups, or incident reporting.
The first takeaway is to acknowledge the very real threat of cyberattacks on any healthcare facility, given the value of personal medical data. Advances in AI have only accelerated the growth of cyberthreats. Cybercrime losses are projected to reach US$10.5 trillion by the end of 2025, and to grow by 15% over the next five years.
To strengthen security, clinics can work with IT providers on implementing MOH’s security guidelines, while taking ‘DIY’ measures such as multi-factor authentication (MFA), access limits, installing firewalls and anti-virus software, and keeping data backups.
This infographic on the HIB website provides an overview of the cyber and data security requirements.

(The HIB Cyber and Data Security Guidelines (Dec 2023) for Service Providers are being revised. The revised requirements will align with CSA’s Cyber Essentials (15 Apr 2025), with guidance on the handling of physical copies of health information, and will be published in the first quarter of 2026.)
Why the Health Information Bill matters
While there may be challenges along the way, HIB is a foundational step in enabling seamless continuity of care, and in turn improved patient safety and experience for Singaporeans.
Cybersecurity should not be viewed as just a compliance exercise, but as essential to safeguarding patient trust and ensuring business continuity.

