Overview
Technology is transforming healthcare. Public healthcare providers have
leveraged, and will continue to leverage, technology and data extensively to
provide quality
care for our patients. It is therefore crucial for public healthcare to be
guided by clear and consistent policies to harness health technology
(HealthTech) and data securely and effectively.
Issued by the Ministry of Health (MOH), the HealthTech Instruction Manual
(HIM) is a set of common policies, standards, and guidelines that provides
guidance on best-in-class and similar Government practices to uplift public
healthcare’s HealthTech capabilities, including a mix of risk-based ‘what’
and ‘how’ requirements.
MOH works with public healthcare stakeholders to ensure continued alignment
of the HIM policies, standards, and guidelines, with public healthcare’s
operating context.
Objectives
The HIM supports public healthcare to:
- Deliver safe and quality care,
- Safeguard public healthcare's resources, systems and information,
- Ensure good technology and data governance,
- Provide guidance on the use of technology and best-in-class practices,
  and
- Enable the effective and secure use of data across public healthcare.
Target Audience and Adoption Criteria
All MOH Holdings Group Entities (or ‘MOHH Entities’ for short) comply with
the HIM. For more information on MOH Holdings, please visit www.mohh.com.sg.
Scope
The HIM covers a wide range of policy areas. The five (5) main domain areas
are listed below, with each domain area comprising a number of policy
chapters dedicated to specific policy areas.
1. Governance
This area comprises policy chapters that provide guidance on proper
management of technology and data, effective use of resources, and adequate
oversight of risks, including risks associated with Third Parties. It also
provides best practices to develop cost-effective, fit-for-purpose and
robust systems from business and technology perspectives.
2. Design, Develop, Operate and Decommission
This area comprises policy chapters designed to uplift the use of technology
and processes throughout the lifecycle of systems - design, development,
operation, and decommissioning. It governs IT resilience, design and
delivery of digital services and infrastructure to digitally enable public
healthcare.
3. Security
This area comprises policy chapters that establish baseline security
requirements, process controls and technology solutions to protect systems,
applications and infrastructure against the rising cyber threat landscape,
particularly threats from the Internet.
4. Data
This area is applicable to all data, electronic and non-electronic, and
comprises policy chapters that guide the management of data in all stages of
its lifecycle. The policy guidance covers how to safely use and exploit
data, and encourages effective data management practices.
5. Incident Management
This area aims to provide a framework for a coherent approach to managing IT
and data incidents in public healthcare, ranging from preparedness to
reporting, resolution, root cause analysis, and prevention of recurrence.
Examples of key policy areas
Some examples of key policy areas pertinent to public healthcare are
provided below. These include use of cloud technology and medical devices
and operational technology security (MDOTS) under the Security domain, and
data management under the Data domain.
Cloud use
When using Commercial Cloud, MOHH Entities share technology and security
responsibilities with Cloud Service Providers (CSPs). For the different
layers of the technology stack, MOHH Entities are either:
- Directly responsible, in which case MOHH Entities are to ensure that they
  have the tools and capabilities to take on the responsibility (e.g., to
  encrypt data, for identity and access management); or
- Indirectly responsible (outsourced to CSPs), in which case MOHH Entities
  are to ensure that their selected CSPs are capable of delivering on such
  responsibilities (via due diligence), and ensure that the CSPs do indeed
  deliver (through contractual obligations).
In addition, cloud services are often standardised and MOHH Entities are
able to configure but not significantly customise the services to meet
their full business and security needs.
The HIM Cloud Policies set out requirements for:
- Cloud Security, which defines the security requirements for MOHH Entities
  i) when designing and implementing Infrastructure as a Service (IaaS) or
  Platform as a Service (PaaS) for hosting systems on the Healthcare
  Commercial Cloud (HCC); and ii) when using Software as a Service (SaaS)
  and selecting qualified SaaS Providers based on their independent audits
  and/or certifications;
- Third Party Management, which encompasses the requirements for the
  evaluation and selection, contracting and onboarding, service management,
  and exit management of CSPs. This ensures that MOHH Entities have
  oversight over CSPs to make sure that associated security and data risks
  in engaging them are adequately managed; and
- Risk Management, which provides guidance for MOHH Entities to assess and
  manage risks on a uniform or consistent basis.
Medical Devices and Operational Technology Security (MDOTS)
The MDOTS policy sets out cybersecurity requirements on medical devices and
technology used across public healthcare to ensure protection from
cyber-attacks and other security threats. The policy also provides guidance
on how to keep these devices safe and secure, so that they can continue to
function properly and not be used for malicious purposes.
The policy applies to anyone who works with these devices, including
clinicians who use medical devices in patient care, as well as engineers and
technicians who maintain and repair operational technology.
The policy covers a range of measures, summarised below.
- Asset management, which includes how the Entity maintains an asset
  inventory of its medical devices and operational technology and manages
  their risks over the product lifecycle.
- Security, which includes guidance on how medical devices and operational
  technology are to be configured for secure use in patient care, as well
  as the establishment of network controls to protect the devices and their
  underlying network infrastructure. Guidance is also provided to MOHH
  Entities on the need to implement regular security updates for their
  devices.
Ultimately, the goal is to ensure the safe and secure use of medical devices
and operational technology to optimise patient care.
Data Management
MOHH Entities are to implement HIM Data policies and standards for the
collection, use, and sharing of data within their organisation and/or with
other parties for legitimate purposes. The HIM Data policies and standards
cover the following aspects to ensure proper governance of data throughout
the data lifecycle:
- Classification of data so as to ensure the MOHH Entities implement
  consistent and appropriate safeguards to protect data in their possession
  and when sharing within the public healthcare sector or with external
  parties.
- Quality data and data standards so that the MOHH Entities collect,
  manage, or use data that is accurate, consistent, timely, relevant, and
  complete.
- Data Security assessments and controls for MOHH Entities to identify and
  mitigate security risks in a timely and effective manner, and to
  safeguard data against security threats.
- Data sharing rules for clear distribution of accountabilities and
  responsibilities between MOHH Entities and their data sharing partners,
  and circumstances under which data can be shared, so that MOHH Entities
  can work better as One Public Healthcare that is effective, innovative,
  and digitalised.
- Personal data protection obligations when MOHH Entities collect, use, and
  disclose personal data in accordance with the Personal Data Protection
  Act (PDPA), as well as to inculcate “data protection by design”
  principles in the MOHH Entities.
For more information
Advisories on specific policy areas will be made available subsequently.
Contact Information
For enquiries, contact him_secretariat@moh.gov.sg.
Disclaimer: This page does not set out the full set of compliance
requirements under the HIM. Please approach the Ministry for more
information.
Last updated 24 July, 2023.