Overview

Technology is transforming healthcare. Public healthcare providers have leveraged, and will continue to leverage, technology and data extensively to provide quality care for our patients. It is therefore crucial for public healthcare to be guided by clear and consistent policies to harness health technology (HealthTech) and data securely and effectively.

Issued by the Ministry of Health (MOH), the HealthTech Instruction Manual (HIM) is a set of common policies, standards, and guidelines that provides guidance on best-in-class and similar Government practices to uplift public healthcare’s HealthTech capabilities, including a mix of risk-based ‘what’ and ‘how’ requirements.

MOH works with public healthcare stakeholders to ensure continued alignment of the HIM policies, standards, and guidelines, with public healthcare’s operating context.

Objectives

The HIM supports public healthcare to:

  • Deliver safe and quality care,
  • Safeguard public healthcare's resources, systems and information,
  • Ensure good technology and data governance,
  • Provide guidance on the use of technology and best-in-class practices, and
  • Enable the effective and secure use of data across public healthcare.

Target Audience and Adoption Criteria

All MOH Holdings Group Entities (or ‘MOHH Entities’ for short) comply with the HIM. For more information on MOH Holdings, please visit www.mohh.com.sg.

Scope

The HIM covers a wide range of policy areas. The five (5) main domain areas are listed below, with each domain area comprising a number of policy chapters dedicated to specific policy areas.

1. Governance

This area comprises policy chapters that provide guidance on proper management of technology and data, effective use of resources, and adequate oversight of risks, including risks associated with Third Parties. It also provides best practices to develop cost-effective, fit-for-purpose and robust systems from business and technology perspectives.

2. Design, Develop, Operate and Decommission

This area comprises policy chapters designed to uplift the use of technology and processes throughout the lifecycle of systems - design, development, operation, and decommissioning. It governs IT resilience, design and delivery of digital services and infrastructure to digitally enable public healthcare.

3. Security

This area comprises policy chapters that establish baseline security requirements, process controls and technology solutions to protect systems, applications and infrastructure against the rising cyber threat landscape, particularly threats from the Internet.

4. Data

This area is applicable to all data, electronic and non-electronic, and comprises policy chapters that guide the management of data in all stages of its lifecycle. Policy guidance is provided to safely use and exploit data, and to encourage effective data management practices.

5. Incident Management

This area aims to provide a framework for a coherent approach to managing IT and data incidents in public healthcare, ranging from preparedness to reporting, resolution, root cause analysis, and prevention of recurrence.


Examples of key policy areas

Some examples of key policy areas pertinent to public healthcare are provided below. These include use of cloud technology and medical devices and operational technology security (MDOTS) under the Security domain, and data management under the Data domain.

Cloud use

When using Commercial Cloud, MOHH Entities share technology and security responsibilities with Cloud Service Providers (CSPs). For the different layers of the technology stack, MOHH Entities are either:

  • Directly responsible, in which case MOHH Entities are to ensure that they have the tools and capabilities to take on the responsibility (e.g., to encrypt data, for identity and access management); or
  • Indirectly responsible (outsourced to CSPs), in which case MOHH Entities are to ensure that their selected CSPs are capable of delivering on such responsibilities (via due diligence), and ensure that the CSPs do indeed deliver (through contractual obligations).

In addition, cloud services are often standardised, and MOHH Entities are able to configure but not significantly customise the services to meet their full business and security needs.

The HIM Cloud Policies set out requirements for:

  • Cloud Security, which defines the security requirements for MOHH Entities i) when designing and implementing Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) for hosting systems on the Healthcare Commercial Cloud (HCC); and ii) when using Software as a Service (SaaS) and selecting qualified SaaS Providers based on their independent audits and/or certifications;
  • Third Party Management, which encompasses the requirements for the evaluation and selection, contracting and onboarding, service management, and exit management of CSPs. This ensures that MOHH Entities have oversight over CSPs to make sure that associated security and data risks in engaging them are adequately managed; and
  • Risk Management, which provides guidance for MOHH Entities to assess and manage risks on a uniform or consistent basis.

Medical Devices and Operational Technology Security (MDOTS)

The MDOTS policy sets out cybersecurity requirements on medical devices and technology used across public healthcare to ensure protection from cyber-attacks and other security threats. The policy also provides guidance on how to keep these devices safe and secure, so that they can continue to function properly and not be used for malicious purposes.

The policy applies to anyone who works with these devices, including clinicians who use medical devices in patient care, as well as engineers and technicians who maintain and repair operational technology.

The policy covers a range of measures and is summarised below.

  • Asset management, which includes how the Entity maintains an asset inventory of their medical devices and operational technology and manages their risks over the product lifecycle.
  • Security, which includes guidance on how medical devices and operational technology are to be configured for secure use in patient care, as well as the establishment of network controls to protect the devices and their underlying network infrastructure. Guidance is also provided to MOHH Entities on the need for implementation of regular security updates for their devices.

Ultimately, the goal is to ensure the safe and secure use of medical devices and operational technology to optimise patient care.

Data Management

MOHH Entities are to implement HIM Data policies and standards for the collection, use, and sharing of data within their organisation and/or with other parties for legitimate purposes. The HIM Data policies and standards cover the following aspects to ensure proper governance of data throughout the data lifecycle:

  1. Classification of data so as to ensure the MOHH Entities implement consistent and appropriate safeguards to protect data in their possession and when sharing within the public healthcare sector or with external parties.
  2. Quality data and data standards so that the MOHH Entities collect, manage, or use data that is accurate, consistent, timely, relevant, and complete.
  3. Data Security assessments and controls for MOHH Entities to identify and mitigate security risks in a timely and effective manner, and to safeguard data against security threats.
  4. Data sharing rules for clear distribution of accountabilities and responsibilities between MOHH Entities and their data sharing partners, and circumstances under which data can be shared, so that MOHH Entities can work better as One Public Healthcare that is effective, innovative, and digitalised.
  5. Personal data protection obligations when MOHH Entities collect, use, and disclose personal data in accordance with the Personal Data Protection Act (PDPA), as well as to inculcate “data protection by design” principles in the MOHH Entities.


For more information

Advisories on specific policy areas will be made available subsequently.


Contact Information

For enquiries, contact him_secretariat@moh.gov.sg.

Disclaimer: This page does not set out the full set of compliance requirements under the HIM. Please approach the Ministry for more information.

Last updated 24 July, 2023.