Penetration Testing
Penetration testing for Indonesian hospitals and healthcare providers
In short
How Indonesian hospitals test EMR systems, SATUSEHAT integrations, and connected medical devices for exploitable weaknesses before patient data is compromised.
A hospital cannot wait for a breach to find out whether its SIMRS or its SATUSEHAT connection is exploitable, and patient safety raises the stakes on getting that answer without causing harm along the way. This page covers what has to be in scope for a hospital or clinic specifically, how testing needs to adapt around connected medical devices, and what happens once the report lands. For how a penetration test works in general, see our penetration testing service page.
Why testing looks different in a hospital
Security testing in a hospital has to account for two things that are less pronounced elsewhere: how much sits behind a single patient record system, and how little tolerance clinical operations have for downtime or fragile devices breaking.
EMR and SIMRS platforms
The hospital information system and electronic medical record platform hold the concentrated version of what an attacker wants: diagnoses, treatment histories, identity data, and insurance details. Authentication flaws and access-control gaps here are the highest-value findings a test can turn up.
SATUSEHAT integration endpoints
Permenkes 24/2022 requires every hospital's EMR system to exchange data with the national SATUSEHAT platform. Each integration point is an API in scope, and weak authorisation or missing validation on that connection is a route straight to patient data.
Connected medical devices
Infusion pumps, patient monitors, and imaging equipment often carry outdated firmware and were never designed with network exposure in mind. Testing has to identify what a compromised device can reach, without treating the device itself as a normal test target.
Segmentation between clinical and administrative networks
The real question is whether a compromised front-desk workstation or guest network can reach the SIMRS or a networked medical device. Segmentation testing checks that boundary rather than assuming it holds.
There is no single testing mandate written for hospitals the way SEOJK 29/2022 sets one for banks, but the obligation still exists in substance. Permenkes 24/2022 requires access controls, audit trails, and encryption on electronic medical records, and UU PDP requires controllers to apply appropriate technical measures to protect specific personal data, which includes health records. A penetration test is one of the clearest ways to show those measures actually hold rather than exist only on paper.
How we test it and adapt around patient care
The constraint that shapes a hospital engagement most is what cannot be tested the way a normal enterprise system can.
Every engagement includes a free retest once fixes are in, and findings are scheduled around maintenance windows the hospital's own biomedical engineering and IT teams agree to, so a test does not become the reason a clinical system goes down.
What the numbers say about the sector
279M
Records tied to the BPJS Kesehatan database leak reported in 2021 (The Jakarta Post)
US$3.33M
Average data breach cost in ASEAN in 2024 (IBM, Cost of a Data Breach 2024)
Untested systems are how a single exploitable gap in an EMR platform or a SATUSEHAT connection turns into a breach on the scale of the BPJS Kesehatan case. With the average ASEAN breach already running into the millions of dollars, a test that gets acted on before an attacker finds the gap is one of the more direct ways a hospital group can move off that baseline.
If your hospital or clinic group needs a test scoped to what actually matters, patient data systems, SATUSEHAT integration, and connected devices, our team can set out a concrete next step.
References
Reviewed by Naren Krishnan, Cybersecurity Manager
Frequently asked questions
There is no single hospital-specific testing mandate the way OJK sets one for banks, but the obligation exists in substance. Permenkes 24/2022 requires hospitals to secure electronic medical records with access controls, audit trails, and encryption, and UU PDP requires controllers to apply appropriate technical measures to protect specific personal data such as health records. A penetration test is one of the more direct ways to demonstrate those measures actually hold, rather than assuming the access controls work as designed.
Related
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.