Introduction
The Health Information Bill (HIB) isn't just about sharing data—it's fundamentally about protecting it. At the heart of HIB compliance lies a comprehensive cybersecurity and data security framework that every healthcare provider must implement.
This guide walks you through the technical requirements, security controls, and practical implementation steps.
The Security Framework Overview
MOH's Cyber & Data Security Guidelines establish 39 parent controls across four key domains:
HIB Security Framework - 39 Controls

| Domain | Controls | Scope |
|---|---|---|
| Access Controls | 8 | User authentication, authorization, session management |
| Data Protection | 10 | Encryption, classification, retention, disposal |
| System Security | 12 | Patch management, anti-malware, network security |
| Operations | 9 | Logging, monitoring, incident response, training |
Domain 1: Access Controls
Control 1.1: User Authentication
Requirement: Implement strong authentication for all system access.
Multi-Factor Authentication (MFA) is mandatory for:
- NEHR access
- CMS/EMR systems containing patient data
- Remote access to clinic networks
- Administrative accounts
MFA Implementation Options (something you know + something you have)

| Something you know | Something you have | Assessment |
|---|---|---|
| Password | Mobile app (TOTP) | Recommended |
| Password | Hardware token | High security |
| Password | SMS OTP | Acceptable (less secure) |
Control 1.2: Password Policies
| Policy | Requirement |
|---|---|
| Minimum length | 12 characters |
| Complexity | Upper, lower, numbers, special characters |
| Expiry | 90 days maximum |
| History | Cannot reuse last 12 passwords |
| Lockout | After 5 failed attempts |
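The table above reads naturally as a validator. The following is an added example (not from the guide or any MOH tooling) that enforces the length, complexity, history and lockout rows with only the Python standard library; the `Account` class, the PBKDF2 iteration count and the violation messages are this example's own choices, and the 90-day expiry row is left to the identity provider's scheduler.

```python
"""Password policy and lockout enforcement for Control 1.2 (added example)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 12          # guide: minimum length 12 characters
HISTORY_SIZE = 12        # guide: cannot reuse last 12 passwords
MAX_FAILED_ATTEMPTS = 5  # guide: lockout after 5 failed attempts
PBKDF2_ITERATIONS = 100_000  # assumption; tune to your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-password salt; never store plaintext history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def check_complexity(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


@dataclass
class Account:
    username: str
    # (salt, hash) pairs, oldest first; the last pair is the current password.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, new_password: str) -> list[str]:
        """Apply complexity and history rules; store a fresh salted hash if accepted."""
        problems = check_complexity(new_password)
        for salt, digest in self.history[-HISTORY_SIZE:]:
            if hmac.compare_digest(_hash_password(new_password, salt), digest):
                problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
                break
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash_password(new_password, salt)))
        return []

    def authenticate(self, password: str) -> bool:
        """Constant-time compare against the current hash; lock after repeated failures."""
        if self.locked or not self.history:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(_hash_password(password, salt), digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False
```

Two details matter in practice: the history check hashes the candidate with each stored salt, so reuse is caught without ever keeping old passwords in clear, and a locked account stays locked until an administrator (or a separate unlock workflow) clears the flag, which is the behaviour the lockout row calls for.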
Control 1.3: Role-Based Access Control (RBAC)
Role-Based Access Matrix Example

| Role | View | Edit | Delete | Export | Admin |
|---|---|---|---|---|---|
| Receptionist | ✓* | ✗ | ✗ | ✗ | ✗ |
| Nurse | ✓ | ✓* | ✗ | ✗ | ✗ |
| Doctor | ✓ | ✓ | ✗ | ✓* | ✗ |
| Clinic Manager | ✓ | ✓ | ✓* | ✓ | ✗ |
| System Admin | ✓ | ✓ | ✓ | ✓ | ✓ |

Asterisk (*) = limited scope (own patients/appointments only)
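The asterisked cells are where most RBAC implementations go wrong: they grant the action outright and forget the scope. The following is an added example, not code from the guide or any CMS vendor, that encodes the matrix above as data and makes scoped permissions fail closed unless the record belongs to one of the user's own patients. The `User.own_patient_ids` and `Record.patient_id` attributes are assumptions about how a clinic system would model ownership.

```python
"""Authorization check for the Control 1.3 access matrix (added example)."""
from dataclasses import dataclass, field
from typing import Optional

FULL, SCOPED, DENY = "full", "scoped", "deny"

# Role -> action -> permission. SCOPED corresponds to the "*" cells in the matrix:
# allowed only for the user's own patients/appointments.
ACCESS_MATRIX = {
    "receptionist":   {"view": SCOPED, "edit": DENY,   "delete": DENY,   "export": DENY,   "admin": DENY},
    "nurse":          {"view": FULL,   "edit": SCOPED, "delete": DENY,   "export": DENY,   "admin": DENY},
    "doctor":         {"view": FULL,   "edit": FULL,   "delete": DENY,   "export": SCOPED, "admin": DENY},
    "clinic_manager": {"view": FULL,   "edit": FULL,   "delete": SCOPED, "export": FULL,   "admin": DENY},
    "system_admin":   {"view": FULL,   "edit": FULL,   "delete": FULL,   "export": FULL,   "admin": FULL},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    own_patient_ids: frozenset = field(default_factory=frozenset)  # assumed ownership model


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str


def is_authorized(user: User, action: str, record: Optional[Record] = None) -> bool:
    """Deny by default: unknown roles, unknown actions and out-of-scope records all fail."""
    permission = ACCESS_MATRIX.get(user.role, {}).get(action, DENY)
    if permission == FULL:
        return True
    if permission == SCOPED:
        # A scoped grant needs a concrete target, and it must be one of the user's own patients.
        return record is not None and record.patient_id in user.own_patient_ids
    return False


def effective_permissions(user: User) -> dict:
    """Summarise a role for access reviews (Control 1.3 quarterly reviews)."""
    return dict(ACCESS_MATRIX.get(user.role, {}))
```

Because the matrix is plain data, an access review can diff the deployed `ACCESS_MATRIX` against the approved one rather than reading authorization code.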
Control 1.4: Session Management
- Auto-logout after 15 minutes of inactivity
- Concurrent session limits (typically 1-2 per user)
- Secure session tokens (randomly generated, HTTPS only)
- Session termination on password change
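The four bullets above map onto a small server-side session store. The following is an added example (not the guide's or any product's code) implementing them with the standard library: the 15-minute idle timeout and the 2-session ceiling are the guide's figures, while the injectable clock, the eviction rule (oldest session goes first) and the cookie attributes are this example's own assumptions.

```python
"""Session handling for Control 1.4 (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # guide: auto-logout after 15 minutes of inactivity
MAX_CONCURRENT_SESSIONS = 2      # guide: typically 1-2 per user


@dataclass
class Session:
    user_id: str
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so tests can advance time
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        """Issue a 256-bit random token; evict the user's oldest session if over the limit."""
        self._expire_idle()
        own = sorted((s.last_seen, tok) for tok, s in self._sessions.items() if s.user_id == user_id)
        while len(own) >= MAX_CONCURRENT_SESSIONS:
            _, oldest = own.pop(0)
            del self._sessions[oldest]
        token = secrets.token_urlsafe(32)        # CSPRNG-backed, not derivable from user data
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session (refreshing its idle timer), else None."""
        self._expire_idle()
        session = self._sessions.get(token)
        if session is None:
            return None
        session.last_seen = self._clock()
        return session.user_id

    def revoke_all(self, user_id: str) -> int:
        """Terminate every session of a user, e.g. on password change or offboarding."""
        doomed = [tok for tok, s in self._sessions.items() if s.user_id == user_id]
        for tok in doomed:
            del self._sessions[tok]
        return len(doomed)

    def _expire_idle(self) -> None:
        now = self._clock()
        stale = [t for t, s in self._sessions.items() if now - s.last_seen > IDLE_TIMEOUT_SECONDS]
        for tok in stale:
            del self._sessions[tok]


def session_cookie_header(token: str) -> str:
    """Set-Cookie value that keeps the token off plain HTTP and away from page scripts."""
    return f"cms_session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

The "HTTPS only" bullet is implemented by the `Secure` attribute rather than by the token itself; `HttpOnly` and `SameSite=Strict` are added because a random token is only as safe as the channel that carries it.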
Domain 2: Data Protection
Control 2.1: Encryption at Rest
All stored health information must be encrypted:
| Data Type | Encryption Standard |
|---|---|
| Database | AES-256-GCM |
| File storage | AES-256 |
| Backups | AES-256 |
| Mobile devices | Full disk encryption |
Control 2.2: Encryption in Transit
Data in Transit Protection

Path: CMS Server (clinic) ── TLS 1.2+ ──► Firewall (internet edge) ── VPN ──► NEHR Gateway

Requirements:
- TLS 1.2 minimum (TLS 1.3 preferred)
- Strong cipher suites only
- Certificate validation
- No self-signed certs in production
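The four requirements above are all properties of a TLS client configuration, and the most common way to violate them is a "temporary" fix that turns certificate validation off. The following is an added example, not from the guide, that builds a compliant client context with Python's standard `ssl` module, shows the weak variant beside it, and audits either one; the finding codes and the cipher-marker list are this example's own.

```python
"""Control 2.2 client TLS configuration and a compliance audit (added example)."""
import ssl

# Substrings that should never appear in a negotiable cipher name on a production client.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT")


def make_strict_client_context() -> ssl.SSLContext:
    """TLS 1.2 minimum, system CA validation, hostname check, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context()                 # CERT_REQUIRED + check_hostname on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # TLS 1.3 remains available and preferred
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")  # TLS 1.2 suites; 1.3 suites are separate
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """What a 'just make it connect' change produces: any certificate, including self-signed, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # has to be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE    # no chain validation at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return one finding code per Control 2.2 requirement the context fails (empty = compliant)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("tls-below-1.2-allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("cert-verification-disabled")   # self-signed certs would be accepted
    if not ctx.check_hostname:
        findings.append("hostname-check-disabled")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak-cipher-suites:" + ",".join(weak))
    return findings
```

The audit function is the useful part for a compliance check: run it against the context your CMS integration actually constructs (for example in a unit test) so that a later "fix" that flips `verify_mode` fails the build rather than silently accepting a forged NEHR gateway certificate.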
Control 2.3: Data Classification
Classify all data by sensitivity:
| Classification | Examples | Handling Requirements |
|---|---|---|
| Critical | HIV status, mental health, genetic data | Highest encryption, restricted access, audit every access |
| Sensitive | Diagnoses, medications, lab results | Standard encryption, role-based access, regular audits |
| Internal | Appointment schedules, billing | Basic encryption, staff access |
| Public | Clinic hours, doctor profiles | No restrictions |
Control 2.4: Data Retention & Disposal
Data Lifecycle Management

| Stage | Controls |
|---|---|
| Creation | Encrypt, classify |
| Active use | Monitor, audit access |
| Archive | Secure storage |
| Disposal | Secure wipe/destroy |

- Patient records: Retain 6 years after last visit (HCSA)
- NEHR records: Follow MOH retention guidelines
- Disposal: Cryptographic erasure or physical destruction
Domain 3: System Security
Control 3.1: Patch Management
Timeline Requirements:
| Patch Type | Maximum Deployment Time |
|---|---|
| Critical security patches | 14 days |
| High severity patches | 30 days |
| Medium/Low patches | 90 days |
| Zero-day vulnerabilities | ASAP (24-48 hours) |
Control 3.2: Anti-Malware Protection
Required on all endpoints:
- Real-time scanning enabled
- Signature updates at least daily
- Scheduled full scans weekly
- Behavioral analysis/heuristics enabled
Control 3.3: Network Security
Network Architecture Best Practice

Internet → Firewall (UTM) → three segregated networks with controlled inter-VLAN routing:

| Segment | Hosts |
|---|---|
| DMZ network | Web, email |
| Clinical network | CMS, NEHR, imaging |
| Admin network | Staff PCs, printers |
Control 3.4: Endpoint Security
| Control | Requirement |
|---|---|
| USB ports | Disabled or controlled |
| Software installation | Admin rights required |
| Screen lock | Auto-lock after 5 minutes |
| Full disk encryption | Required for laptops |
| Bluetooth | Disabled unless needed |
Domain 4: Operations
Control 4.1: Audit Logging
What must be logged:
Audit Log Requirements

| Access events | System events | Data events |
|---|---|---|
| Login success | System startup | Create |
| Login failure | System shutdown | Read |
| Logout | Config changes | Update |
| Password change | Patch install | Delete |
| MFA events | Backup events | Export |
| Privilege escalation | Restore events | Print |

Each log entry MUST include:
- Timestamp (synchronized)
- User ID
- Action performed
- Affected resource (patient ID, record type)
- Source IP address
- Success/failure status
Log retention: Minimum 2 years, tamper-proof storage
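"Tamper-proof storage" is usually bought (write-once media, a SIEM with immutability), but the log itself can also be made tamper-evident so that modification is detectable at review time. The following is an added example, not from the guide, that rejects entries missing any of the six mandatory fields and links each accepted entry to its predecessor with SHA-256; the field names follow the guide's list, the sample events are constructed, and the chaining scheme is this example's own design rather than any standard.

```python
"""Append-only, hash-chained audit log for Control 4.1 (added example)."""
import hashlib
import json
from datetime import datetime

# The six mandatory fields from the guide, in the order listed there.
REQUIRED_FIELDS = ("timestamp", "user_id", "action", "resource", "source_ip", "outcome")
GENESIS = "0" * 64   # prev_hash of the first entry


def _canonical(entry: dict) -> bytes:
    """Stable serialisation so the hash does not depend on dict key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _digest(entry: dict) -> str:
    """Hash every field except the stored hash itself."""
    return hashlib.sha256(_canonical({k: v for k, v in entry.items() if k != "hash"})).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, **fields) -> dict:
        """Validate the mandatory fields, link to the previous entry's hash, and store."""
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            raise ValueError(f"audit entry missing required fields: {missing}")
        datetime.fromisoformat(fields["timestamp"])   # must be a parseable, offset-bearing timestamp
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {**fields, "seq": len(self.entries), "prev_hash": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed, inserted or reordered."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            if entry.get("seq") != seq or entry.get("prev_hash") != prev or entry["hash"] != _digest(entry):
                return False
            prev = entry["hash"]
        return True


def build_sample_log() -> AuditLog:
    """Constructed sample entries (not real clinic data) showing the required layout."""
    log = AuditLog()
    log.append(timestamp="2024-03-04T08:15:00+08:00", user_id="nurse01", action="read",
               resource="patient:P100/labs", source_ip="10.1.20.15", outcome="success")
    log.append(timestamp="2024-03-04T08:16:30+08:00", user_id="nurse01", action="update",
               resource="patient:P100/vitals", source_ip="10.1.20.15", outcome="success")
    log.append(timestamp="2024-03-04T08:20:05+08:00", user_id="recep02", action="login",
               resource="cms", source_ip="10.1.20.9", outcome="failure")
    return log
```

To meet the two-year retention requirement the chain head (the latest `hash`) should be copied periodically to storage the application cannot write to; anyone holding that value can later prove the archived log is the one that was running.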
Control 4.2: Security Monitoring
Implement continuous monitoring for:
- Unusual login patterns (after hours, unusual locations)
- Bulk data access or export
- Multiple failed authentication attempts
- Configuration changes
- Malware alerts
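Three of the five monitoring items above can be expressed as rules over the audit entries Control 4.1 already requires. The following is an added example, not from the guide, that runs such rules over constructed sample entries in that field layout. The clinic hours, the 10-minute window and the bulk-export threshold are assumptions (the guide sets no monitoring thresholds); the failure count of 5 mirrors the lockout figure in Control 1.2.

```python
"""Detection rules for Control 4.2 over Control 4.1-style audit entries (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

CLINIC_HOURS = (8, 20)                       # assumption: 08:00-20:00 local time
FAILED_AUTH_THRESHOLD = 5                    # mirrors the Control 1.2 lockout figure
FAILED_AUTH_WINDOW = timedelta(minutes=10)   # assumption
BULK_EXPORT_THRESHOLD = 50                   # assumption: distinct patients per user per hour

# Constructed sample entries (not real clinic data): one after-hours login, six failed
# logins from one account, sixty exports by one doctor in one hour, one normal read.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-04T02:10:00+08:00", "user_id": "dr_lim", "action": "login",
     "resource": "cms", "source_ip": "203.0.113.7", "outcome": "success"},
    *[{"timestamp": f"2024-03-04T09:{m:02d}:00+08:00", "user_id": "recep02", "action": "login",
       "resource": "cms", "source_ip": "10.1.20.9", "outcome": "failure"} for m in range(6)],
    *[{"timestamp": "2024-03-04T10:00:00+08:00", "user_id": "dr_ong", "action": "export",
       "resource": f"patient:P{n:04d}", "source_ip": "10.1.20.31", "outcome": "success"} for n in range(60)],
    {"timestamp": "2024-03-04T11:00:00+08:00", "user_id": "nurse01", "action": "read",
     "resource": "patient:P0001", "source_ip": "10.1.20.15", "outcome": "success"},
]


def detect_after_hours_logins(events: list[dict]) -> list[dict]:
    """Successful logins whose local hour falls outside clinic hours."""
    start, end = CLINIC_HOURS
    return [e for e in events
            if e["action"] == "login" and e["outcome"] == "success"
            and not start <= datetime.fromisoformat(e["timestamp"]).hour < end]


def detect_failed_auth_bursts(events: list[dict]) -> list[dict]:
    """Sliding window per user; one alert the moment the threshold is reached."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if e["action"] != "login" or e["outcome"] != "failure":
            continue
        ts = datetime.fromisoformat(e["timestamp"])
        window = [t for t in recent[e["user_id"]] if ts - t <= FAILED_AUTH_WINDOW] + [ts]
        recent[e["user_id"]] = window
        if len(window) == FAILED_AUTH_THRESHOLD:   # == so a longer burst alerts only once
            alerts.append({"user_id": e["user_id"], "failures": len(window), "until": e["timestamp"]})
    return alerts


def detect_bulk_exports(events: list[dict]) -> list[dict]:
    """Users who exported records for an unusual number of distinct patients within one hour."""
    per_user_hour = defaultdict(set)
    for e in events:
        if e["action"] == "export":
            hour = datetime.fromisoformat(e["timestamp"]).strftime("%Y-%m-%dT%H")
            per_user_hour[(e["user_id"], hour)].add(e["resource"])
    return [{"user_id": u, "hour": h, "patients": len(r)}
            for (u, h), r in per_user_hour.items() if len(r) >= BULK_EXPORT_THRESHOLD]
```

The same functions work on a real log because they only depend on the six mandatory fields; counting distinct resources rather than raw export events keeps a doctor who re-exports one patient's file repeatedly from tripping the bulk rule.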
Control 4.3: Staff Training
| Training Type | Frequency | Audience |
|---|---|---|
| Security awareness | Annual + new hire | All staff |
| Phishing simulation | Quarterly | All staff |
| NEHR-specific | Initial + annual | NEHR users |
| Incident response | Annual + updates | Response team |
| Technical security | As needed | IT staff |
Implementation Checklist
Immediate Actions (Do Today)
- Enable MFA on all accounts
- Review and disable unused accounts
- Verify encryption is enabled on all databases
- Check antivirus is current on all endpoints
- Verify firewall rules are documented
Short-Term (30 Days)
- Implement role-based access controls
- Set up audit logging
- Deploy endpoint protection
- Document security policies
- Train staff on security basics
Medium-Term (90 Days)
- Complete security assessment
- Remediate identified vulnerabilities
- Establish monitoring capabilities
- Test incident response plan
- Conduct first phishing simulation
Ongoing
- Monthly vulnerability scans
- Quarterly access reviews
- Annual penetration testing
- Continuous security awareness
- Regular policy updates
Common Compliance Gaps
| Gap | Impact | Quick Fix |
|---|---|---|
| No MFA | Critical | Enable on all accounts |
| Shared accounts | High | Create individual accounts |
| No encryption | Critical | Enable database/disk encryption |
| Outdated software | High | Implement patch management |
| No audit logs | High | Enable logging on all systems |
| Weak passwords | Medium | Enforce strong password policy |
| No USB control | Medium | Disable or implement DLP |
Key Takeaways
- Security is foundational - You cannot achieve HIB compliance without proper cybersecurity.
- 39 controls matter - Each control addresses a specific risk. Don't skip any.
- Defense in depth - Multiple layers of security are better than one strong control.
- People are key - Technical controls fail without trained, security-aware staff.
- Continuous improvement - Security is a journey, not a destination.
For the complete MOH Cyber & Data Security Guidelines, visit healthinfo.gov.sg