Editor’s Note
Welcome to the very first issue of The Practice Letter.
My name is Tan Chin Beng. I'm not a doctor — but for years I've worked in Singapore's ICT industry serving healthcare clients across the island.
Every week I sit across the table from clinic owners who are brilliant practitioners but feel completely lost the moment someone mentions HIB compliance, cybersecurity or IT infrastructure. That gap bothered me deeply.
You didn't go through medical school to become an IT expert. But in today's world, running a safe and compliant clinic demands basic technology literacy whether you like it or not.
That's why I started The Practice Letter — to translate the complex world of healthcare IT and MOH regulations into plain English. No jargon. No vendor agenda. Just honest, independent intelligence you can use immediately.
Every issue is written with one goal — to make you a more informed, better protected and more efficient clinic owner.
Welcome aboard. Let's build safer, smarter and stronger clinics together.
— Tan Chin Beng, Founder & Editor, The Practice Letter
Lead Story
The Health Information Bill Is Now Law — Is Your Clinic Ready?
You have until early 2027 to comply. Here is exactly what you need to do.
If you have heard the term "HIB" recently and quietly hoped it would go away — it will not.
The Health Information Bill is no longer a proposal or a consultation exercise. It was passed in Parliament on 12 January 2026. It is the law of Singapore. And with MOH setting early 2027 as the compliance deadline, private clinic owners across the island have roughly 12 to 18 months to get their house in order.
The clock is already ticking.
So What Exactly Is HIB?
The Health Information Bill governs how patient health information is collected, shared and protected across Singapore's entire healthcare ecosystem. At its heart, HIB requires all licensed healthcare providers to contribute key patient information — allergies, vaccinations, diagnoses, medications, lab results, radiological images and discharge summaries — to Singapore's National Electronic Health Record system, known as NEHR.
The goal is straightforward: one patient, one health summary, one care journey — regardless of which clinic or hospital they visit.
But here is the part most clinic owners are not paying enough attention to.
Contributing to and accessing NEHR comes with significant cybersecurity and data security obligations. These are not optional add-ons. They are legal requirements — and non-compliance carries regulatory consequences.
The 8 Things HIB Requires Your Clinic To Have
The official MOH HIB Cyber and Data Security Guidebook — developed by MOH and the Agency for Integrated Care — sets out the specific requirements every clinic must meet. Here they are in plain English:
1. Software Updates
Critical security patches must be applied promptly — within three working days for critical vulnerabilities. Your clinic management system, computers and even your printers fall under this requirement.
2. Anti-malware Protection
Every device in your clinic needs proper endpoint protection — not just the basic antivirus that came pre-installed. This includes laptops, desktops, servers and increasingly, medical devices with network connectivity.
3. Access Control
Every staff member must have their own unique login credentials. Shared passwords are explicitly prohibited under HIB. When a staff member leaves your clinic, their access must be revoked immediately — not eventually.
4. Secure Configuration
Every device must have its default password changed before going live in your clinic. That router your IT vendor installed two years ago with the password still set to "admin"? That is a compliance violation waiting to become a breach.
5. Data Backup — And This One Surprises Most Clinic Owners
The guidebook is explicit: backups must be stored offline, separately from your main operating network. More on this in a moment — because this is where the most dangerous myth in Singapore's clinic community lives.
6. Staff Cybersecurity Training
All staff — including part-timers, locum doctors and contractors — must receive periodic cybersecurity awareness training. A one-time briefing three years ago does not meet this requirement.
7. Vendor Management
This is the requirement that shocks clinic owners most when they hear it. Under HIB, you are legally responsible for your IT vendors' compliance. If your clinic management software provider or IT support company does not meet HIB's cybersecurity standards — that accountability falls on you. Choose your vendors carefully.
8. Incident Response Plan
You need a documented, written plan for responding to a cybersecurity incident. Not a mental note. Not "we will call our IT guy." A proper plan covering roles, responsibilities, response procedures and — critically — how and when to notify MOH of a confirmed breach.
The Most Dangerous Myth In Singapore's Clinic Community
Let me address something directly.
In conversations with clinic owners across Singapore, the most common response I hear when cybersecurity comes up is some version of this:
"I back up my data to my NAS. I should be fine."
I understand why this feels reassuring. You have invested in a network-attached storage device — a Synology or QNAP sitting in your storeroom — and your data backs up to it nightly. It feels like a responsible decision.
Here is the truth.
A NAS device connected to your clinic's main network does not meet HIB's backup requirements. The official guidebook is unambiguous — backups must be stored offline and separated from your operating environment. A networked NAS is not offline storage.
More critically — ransomware does not just encrypt your live data. It actively hunts for connected backup devices. A NAS on your network is not a safety net. In a ransomware attack, it becomes part of the problem.
True HIB-compliant backup requires offline or offsite storage, completely separated from your day-to-day network. This could mean encrypted cloud backup with a reputable provider, offline external drives stored securely offsite, or a combination of both.
Why Singapore's Private Clinics Are Already Being Targeted
This is not a hypothetical future risk.
Ransomware attacks on private healthcare providers in Singapore are happening right now. Patient data is extraordinarily valuable — worth significantly more than credit card data on criminal networks. Small private clinics represent an attractive target precisely because they hold sensitive data but typically lack dedicated IT security resources.
The reality is stark. Many clinic owners do not even know when they have had a near miss — because without the right monitoring tools in place, these intrusion attempts go completely undetected.
HIB's cybersecurity requirements are not bureaucratic box-ticking. They exist because the threat is real, present and growing.
Three Things You Can Do This Week
You do not need to solve everything overnight. Start here:
1. Ask your IT vendor one direct question
"Where exactly are our backups stored, and are they completely separated from our clinic network?" If they hesitate, give a vague answer or say the NAS in your storeroom counts — you have identified your first compliance gap.
2. Audit your staff accounts
Log into your clinic management system and look at your user accounts. Are there former staff members who still have active access? Are multiple staff sharing a single login? Both are HIB violations that take minutes to fix.
3. Download the official guidebook
The MOH HIB Cyber and Data Security Guidebook is free, publicly available and written as a practical reference for healthcare providers. It is your compliance roadmap. Start with Section 1 on Cybersecurity — it covers requirements 1 through 8 in detail.
You can find it at: healthinfo.gov.sg
Next issue: We break down HIB's vendor management requirements in detail — including the questions you must ask any IT vendor before signing a contract, and a simple checklist to assess whether your current IT provider meets MOH's standards.
Clinic Cyber Shield
THREAT OF THE WEEK: Phishing Emails Disguised As MOH Notifications
🔍 WHAT'S ACTUALLY HAPPENING
With HIB now law and clinic owners anxious about compliance, cybercriminals are doing what they always do — exploiting that anxiety.
A wave of phishing emails impersonating MOH, HealthHub and healthcare IT vendors is circulating across Singapore. These emails typically carry subject lines like "Action Required: HIB Compliance Verification" or "Your Clinic's NEHR Registration Is Incomplete."
They look legitimate. They carry official-looking logos. They create urgency. And they contain either a malicious link that harvests your login credentials or an attachment that installs malware the moment it is opened.
😰 WHAT THIS MEANS FOR YOUR CLINIC
Your clinic staff — your receptionist, your nurse, your locum doctor covering Tuesday afternoons — are your first line of defence against these attacks.
And right now, most of them have received zero training on how to identify a phishing email.
Under HIB's requirements, that is not just a security gap. It is a compliance gap. Staff cybersecurity awareness training is a mandatory requirement — not a recommendation.
One wrong click by one staff member is all it takes to hand criminals full access to every patient record in your system.
🛡️ YOUR DEFENCE
Step 1 — Brief your staff today. Show them this section. Tell them: if any email claims to be from MOH, HealthHub or your IT vendor and asks you to click a link or open an attachment — stop, and verify directly by phone before doing anything.
Step 2 — Check the sender's email address carefully. Legitimate MOH communications come from official gov.sg addresses only. Anything else — regardless of how official it looks — should be treated with suspicion.
Step 3 — Report suspicious emails immediately. Do not delete them. Forward to your IT support contact and report to SingCERT at www.csa.gov.sg/singcert. Early reporting helps protect other clinics in Singapore too.
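Step 2's sender check, written out as a small script for whoever handles the clinic's IT (an added example, not part of the original newsletter or any MOH tool). The sample messages and the list of impersonated names are constructed for illustration; because a From line can itself be forged, a clean result does not replace the phone verification in Step 1.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Senders the newsletter says are being impersonated (keyword list is an assumption).
OFFICIAL_NAMES = re.compile(r"\b(moh|ministry of health|healthhub)\b", re.I)

# Constructed sample messages; the addresses are illustrative, not real senders.
SAMPLES = {
    "lookalike": 'From: "MOH Compliance" <notice@moh-gov.sg.example.com>\n'
                 "Subject: Action Required: HIB Compliance Verification\n\nbody\n",
    "reply_to": 'From: "Ministry of Health" <noreply@moh.gov.sg>\n'
                "Reply-To: helpdesk@example.net\n"
                "Subject: Your Clinic's NEHR Registration Is Incomplete\n\nbody\n",
    "plain": "From: updates@moh.gov.sg\nSubject: Circular\n\nbody\n",
}


def is_gov_sg(domain: str) -> bool:
    """True only for gov.sg itself or a genuine subdomain of it."""
    domain = domain.lower().rstrip(".")
    return domain == "gov.sg" or domain.endswith(".gov.sg")


def triage(raw_message: str) -> list[str]:
    """Return the reasons a message deserves suspicion (empty list if none)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2]
    findings = []
    if not is_gov_sg(domain):
        findings.append(f"sender domain '{domain}' is not under gov.sg")
        # An official-sounding display name on a non-gov.sg address is the
        # classic impersonation pattern: mail clients often show only the name.
        if OFFICIAL_NAMES.search(display):
            findings.append(f"display name '{display}' claims an official sender")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2]
    if reply_to and reply_domain.lower() != domain.lower():
        findings.append(f"replies go to a different domain '{reply_domain}'")
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw) or "no findings")
```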
💡 BENG'S TAKE
Cybercriminals are smart. They read the news. They know HIB just passed. They know clinic owners are anxious and looking for compliance guidance. That anxiety is exactly what they are exploiting right now.
The most dangerous email in your inbox today will not look dangerous at all. It will look helpful.
Brief your staff. Verify before you click. Always.
— Chin Beng
Practice Management
💼 PRACTICE MANAGEMENT Running a smarter, stronger clinic
🔍 THE CHALLENGE: Keeping Good Clinic Staff In A Tight Labour Market
Ask any private clinic owner in Singapore what keeps them up at night and staff retention features in almost every answer.
The numbers tell the story. Singapore's healthcare sector is facing acute manpower pressure. Private clinics — competing against restructured hospitals, polyclinics and a growing network of community care providers — are losing experienced nurses, medical assistants and clinic executives to employers offering structured career paths, better benefits and more predictable hours.
For a solo GP or small group practice, losing one key staff member does not just hurt morale. It disrupts patient care, burdens remaining staff and triggers a costly, time-consuming recruitment cycle.
💡 THE INSIGHT
Most clinic owners approach retention reactively — they only think about it when someone hands in their resignation letter.
By then it is almost always too late.
The clinics that consistently retain good staff share one common trait — they treat retention as an ongoing operational discipline, not an emergency response. Small, consistent investments in staff experience consistently outperform last-minute counter-offers.
And critically — in a small clinic environment, staff retention and patient experience are directly linked. Your patients know your staff. They trust your staff. High turnover does not just cost you money. It costs you patient loyalty.
⚡ THREE THINGS TO TRY
1. Schedule a monthly five-minute individual check-in. Not a performance review. Not a formal meeting. Just five minutes per staff member — "How are you finding things lately? Anything making your job harder than it needs to be?" Staff who feel heard stay longer. It costs nothing but your attention.
2. Create a simple career path — even in a small clinic. "Senior Medical Assistant." "Lead Clinic Executive." Titles and small incremental responsibilities cost very little but signal investment in someone's future. Staff without a visible path forward will find one elsewhere.
3. Audit your rostering for hidden stress points. Many clinic staff do not resign over salary. They resign over unpredictability — last-minute shift changes, chronic understaffing on busy days, no clarity on off days. A simple, consistently communicated roster removes a significant source of daily friction.
📌 QUICK STAT
According to the Ministry of Manpower, healthcare and social services consistently ranks among Singapore's highest staff turnover sectors. Replacing a trained clinic assistant typically costs between $3,000 and $8,000 when recruitment, onboarding and productivity loss are factored in.
Retention is not a people problem. It is a financial strategy.
Quick Bites
⚡ QUICK BITES 4 things worth knowing this week
🔵 MOH Publishes New Cybersecurity Essentials For Healthcare Providers
MOH has published updated Cybersecurity and Data Security Essentials guidelines setting out cybersecurity and data security requirements for healthcare providers processing health information under the Health Information Act. The guidelines cover IT security measures, data protection practices, staff training and vendor management — and apply to all licensed healthcare providers. Download them free at healthinfo.gov.sg.
🔵 Government Funding Available To Help Clinics Meet HIA Requirements
Here is news most clinic owners have not heard yet. MOH is rolling out a National Cybersecurity Grant from July 2026, providing funding to cover approximately two years of subscription costs for HIA-compliant systems for smaller practices using subscription-based healthcare IT systems. Healthcare providers can also tap on funding support from Enterprise Singapore's Productivity Solutions Grant for IT and cybersecurity solutions such as firewalls and anti-malware solutions. Free money is available — and most clinic owners don't know it exists. Visit healthinfo.gov.sg for details.
🔵 MOH Actively Consulting IT Vendors On Cybersecurity Standards
MOH has been actively consulting healthcare providers and the industry and has committed to issuing revised Cyber Security and Data Security Essentials aligned with cyberhygiene standards from the Cyber Security Agency of Singapore, designed to be suitable for small healthcare providers such as solo practitioners. Importantly — MOH is also engaging cyber and data security consultants to develop standardised basic security packages for healthcare providers with transparent pricing, and healthcare providers that encounter unethical practices by such consultancies can report them to MOH and CSA.
🔵 Singapore Clinic Ransomware Attack: 73,000 Patient Records Compromised
A sobering reminder of what is at stake. In one of Singapore's largest healthcare data breaches, attackers harvested the medical records of approximately 73,000 patients at specialist ophthalmology clinic Eye and Retina Surgeons — including personal medical records, serious illnesses and treatments. Healthcare data is a high-value trade item on the dark web, yet many healthcare providers do not pay enough attention to cybersecurity compared to other heavily data-protected industries. This can happen to any clinic. Including yours.
Closing
✉️ BEFORE YOU GO
Thank you for reading the very first issue of The Practice Letter.
If anything in today's issue made you think "my colleague needs to read this" — please trust that instinct. Forward this email to them right now. Every clinic owner in Singapore deserves access to clear, honest intelligence on HIB compliance, cybersecurity and practice management — in plain English, without the jargon.
That is exactly what The Practice Letter exists to deliver. Every single week.
See you next issue. Stay safe and stay compliant. 🙏
— Tan Chin Beng, Founder & Editor, The Practice Letter
