Skip to main content

Penetration Testing

Penetration testing for Indonesian hospitals and healthcare providers

In short

How Indonesian hospitals test EMR systems, SATUSEHAT integrations, and connected medical devices for exploitable weaknesses before patient data is compromised.

Penetration testing

A hospital cannot wait for a breach to find out whether its SIMRS or its SATUSEHAT connection is exploitable, and patient safety raises the stakes on getting that answer without causing harm along the way. This page covers what has to be in scope for a hospital or clinic specifically, how testing needs to adapt around connected medical devices, and what happens once the report lands. For how a penetration test works in general, see our penetration testing service page.

Why testing looks different in a hospital

Security testing in a hospital has to account for two things that are less pronounced elsewhere: how much sits behind a single patient record system, and how little tolerance clinical operations have for downtime or fragile devices breaking.

EMR and SIMRS platforms

The hospital information system and electronic medical record platform hold the concentrated version of what an attacker wants: diagnoses, treatment histories, identity data, and insurance details. Authentication flaws and access-control gaps here are the highest-value findings a test can turn up.

SATUSEHAT integration endpoints

Permenkes 24/2022 requires every hospital's EMR system to exchange data with the national SATUSEHAT platform. Each integration point is an API in scope, and weak authorisation or missing validation on that connection is a route straight to patient data.

Connected medical devices

Infusion pumps, patient monitors, and imaging equipment often carry outdated firmware and were never designed with network exposure in mind. Testing has to identify what a compromised device can reach, without treating the device itself as a normal test target.

Segmentation between clinical and administrative networks

The real question is whether a compromised front-desk workstation or guest network can reach the SIMRS or a networked medical device. Segmentation testing checks that boundary rather than assuming it holds.

There is no single testing mandate written for hospitals the way SEOJK 29/2022 sets one for banks, but the obligation still exists in substance. Permenkes 24/2022 requires access controls, audit trails, and encryption on electronic medical records, and UU PDP requires controllers to apply appropriate technical measures to protect specific personal data, which includes health records. A penetration test is one of the clearest ways to show those measures actually hold rather than exist only on paper.

How we test it and adapt around patient care

The constraint that shapes a hospital engagement most is what cannot be tested the way a normal enterprise system can.

SIMRS and EMR platformsSATUSEHAT integration endpointsPACS and imaging systemsConnected medical device network segmentationExternal network perimeter and patient portalsCloud-hosted hospital workloads
Scope against clinical operations and patient-safety constraintsTest EMR, SIMRS, SATUSEHAT integration, and network segmentationAssess medical devices through passive and segmentation testing rather than active exploitation on live unitsDeliver a report with remediation priorities and a free retest

Every engagement includes a free retest once fixes are in, and findings are scheduled around maintenance windows the hospital's own biomedical engineering and IT teams agree to, so a test does not become the reason a clinical system goes down.

What the numbers say about the sector

279M

Records tied to the BPJS Kesehatan database leak reported in 2021 (The Jakarta Post)

US$3.33M

Average data breach cost in ASEAN in 2024 (IBM, Cost of a Data Breach 2024)

Untested systems are how a single exploitable gap in an EMR platform or a SATUSEHAT connection turns into a breach on the scale of the BPJS Kesehatan case. With the average ASEAN breach already running into the millions of dollars, a test that gets acted on before an attacker finds the gap is one of the more direct ways a hospital group can move off that baseline.

If your hospital or clinic group needs a test scoped to what actually matters, patient data systems, SATUSEHAT integration, and connected devices, our team can set out a concrete next step.

References

  1. 1.Republic of Indonesia, UU No. 27 Tahun 2022 (UU PDP)
  2. 2.Ministry of Health, Permenkes No. 24 Tahun 2022 on Medical Records
  3. 3.The Jakarta Post, reporting on the alleged 2021 BPJS Kesehatan data breach
  4. 4.IBM Security, Cost of a Data Breach Report 2024 (ASEAN figure)

Reviewed by Naren Krishnan, Cybersecurity Manager

Frequently asked questions

There is no single hospital-specific testing mandate the way OJK sets one for banks, but the obligation exists in substance. Permenkes 24/2022 requires hospitals to secure electronic medical records with access controls, audit trails, and encryption, and UU PDP requires controllers to apply appropriate technical measures to protect specific personal data such as health records. A penetration test is one of the more direct ways to demonstrate those measures actually hold, rather than assuming the access controls work as designed.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.