MOH Cybersecurity Guidelines: What Your Clinic Software Must Actually Do

'Our software is encrypted' is not the same as meeting MOH's Cybersecurity and Data Security Guidelines. Here is what Circular 85/2023 actually requires of the software running your Singapore longevity clinic.

"Our software is encrypted, so patient data is covered." It is the most common reassurance clinic owners give themselves, and it is not enough.

MOH's Cybersecurity and Data Security Guidelines, issued via Circular No. 85/2023, set specific technical requirements for healthcare providers, and most of them are not about encryption at all. They are about who can see patient data, whether you can prove who saw it, and how long you keep it. An imported platform can encrypt everything and still miss most of this.

Here is what the guidelines actually ask of the software running your clinic, and how to tell if yours measures up. For the full three-layer picture (PDPA, MOH, and HCSA together), see our guide to Singapore clinic compliance.

These apply to your software, not just your office

It is easy to treat cybersecurity as an IT-policy problem - staff passwords, a locked server room. The MOH guidelines reach further: they govern how the systems you use handle patient data day to day. If your clinic software cannot do these things, no office policy makes up for it.

What MOH actually requires

Four requirements matter most for clinic software:

  • Role-based access controls. Patient data must be restricted to authorised personnel by role. A receptionist should not see biomarker results. A locum should not see patients they have not treated. Access is granted by what a person needs, not all-or-nothing.
  • Audit logs. The system must record who accessed it, what data they viewed, and what operations they performed. If MOH audits your clinic, "we do not keep logs" is not an answer.
  • Encryption. Health information must be encrypted. This is mandatory when you handle Sensitive High data for even one individual, or Sensitive Normal data for 500 or more individuals.
  • Medical record retention. Records must be retained per MOH guidelines (typically 6 years for adult records) and then securely disposed of.
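As an added illustration (not code from the article or from any vendor named in it), the sketch below shows what the four requirements look like when a clinic system actually enforces them: a role table modelled on the article's examples (reception never sees biomarker results, a locum sees only patients they have treated), an audit entry written for every access attempt whether granted or denied, the stated encryption thresholds, and the 6-year disposal check. Role names, patient ids and the `TREATED_BY` table are constructed sample data.

```python
from datetime import date, datetime, timezone

# Constructed policy modelled on the article's examples: reception never sees
# biomarker results; a locum is additionally limited to patients they treated.
ROLE_PERMISSIONS = {
    "practitioner": {"demographics", "biomarkers", "notes"},
    "locum": {"demographics", "biomarkers", "notes"},
    "admin": {"demographics"},
    "reception": {"demographics"},
}
TREATED_BY = {"locum-02": {"P1002"}}   # constructed sample data

# In-memory audit trail (a real system would write to append-only storage).
audit_log = []


def access(user, role, patient_id, category, operation="view"):
    """Decide whether `user` may perform `operation`; record the attempt either way."""
    allowed = category in ROLE_PERMISSIONS.get(role, set())
    if allowed and role == "locum":
        allowed = patient_id in TREATED_BY.get(user, set())
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "patient": patient_id,
        "category": category, "operation": operation,
        "outcome": "granted" if allowed else "denied",
    })
    return allowed


def encryption_mandatory(sensitive_high_count, sensitive_normal_count):
    """Thresholds as the article states them: any Sensitive High individual, or 500+ Sensitive Normal."""
    return sensitive_high_count >= 1 or sensitive_normal_count >= 500


def disposal_due(created_iso, today_iso, years=6):
    """Adult record retention: flag for secure disposal once 6 years have passed."""
    created, today = date.fromisoformat(created_iso), date.fromisoformat(today_iso)
    try:
        cutoff = created.replace(year=created.year + years)
    except ValueError:          # record created on 29 February
        cutoff = created.replace(year=created.year + years, day=28)
    return today >= cutoff


if __name__ == "__main__":
    access("rec-01", "reception", "P1001", "biomarkers")   # denied: role
    access("locum-02", "locum", "P1001", "biomarkers")     # denied: not treated
    access("locum-02", "locum", "P1002", "biomarkers")     # granted
    for entry in audit_log:
        print(entry["ts"], entry["user"], entry["category"], entry["outcome"])
```

Note that denied attempts are logged too: an auditor asking "who tried to view what" needs the refusals as much as the successes.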

Why "we encrypt your data" misses most of it

Encryption is one line item on that list. The bulk of the guidelines is about access governance and auditability - controlling who can see what, and being able to prove it after the fact.

This is exactly where an imported platform tends to fall short. It may encrypt data to a high standard, because that is universal, while lacking MOH-shaped role hierarchies or producing audit logs in a format that does not match what an MOH audit expects. The encryption is real; the governance around it is built for another market.

The data classification that pulls longevity clinics in

The encryption requirement hinges on data classification - Sensitive High and Sensitive Normal. The thresholds are deliberately low: Sensitive High data for a single individual is enough to make encryption mandatory.

Longevity clinics sit squarely inside this. Longitudinal biomarker panels, blood work, genomic and lifestyle data - this is sensitive health information by any reading, held for large numbers of patients over years. If you were wondering whether the encryption rule applies to you, it does.

A quick check on your software

  • Does it enforce role-based access (practitioner vs admin vs reception), not just one shared login?
  • Can it produce an audit log of who accessed what, when, and what they did?
  • Is health data encrypted at rest and in transit?
  • Does it support the 6-year retention requirement and secure disposal afterwards?
  • Are access rights reviewed and updated as staff and roles change?

A "no" on any of these is a gap you are carrying today, not a feature you can simply request later.

Why this matters

Under the Healthcare Services Act, your software's data practices are tied to your licensing conditions, so an MOH cybersecurity gap is not only a security problem - it can become a licensing one. And MOH enforcement in this area is active, not theoretical.

The clinics that check their software against these requirements now, and close the gaps quietly, are in a far stronger position than the ones that discover them mid-audit.

Frequently Asked Questions

What are the MOH cybersecurity guidelines for clinics? They are MOH's Cybersecurity and Data Security Guidelines, issued via Circular No. 85/2023, which set technical requirements for healthcare providers: role-based access controls, audit logs, encryption of health data, and medical record retention.

Is encryption enough to meet the MOH guidelines? No. Encryption is required, but it is only part of it. The guidelines also require role-based access controls, audit logs, and proper retention - the access-governance and auditability pieces that encryption alone does not cover.

Does my clinic's data need to be encrypted? Yes, in almost all cases. Encryption is mandatory for Sensitive High data for even one individual, or Sensitive Normal data for 500 or more. Longitudinal biomarker data from a longevity clinic qualifies.

How long must a Singapore clinic keep medical records? Typically 6 years for adult records, per MOH guidelines, after which they should be securely disposed of.


Compliance that is built in, not bolted on.

LongevityLens treats PDPA, MOH, and HCSA as a foundational layer - role-based access, audit logging, and encryption built for Singapore's requirements, with native Innoquest integration. See how it holds up against your current setup.
