By Patricia A. Pramono • Studio 1080, Published on February 23, 2025
When people think of cybersecurity, industries like banking, fintech, and government agencies often come to mind as prime targets for cyberattacks. But according to Hana Abriyansyah, CEO of Cisometric, one of the most vulnerable and overlooked sectors in Indonesia is healthcare.
“We’re talking about an industry that holds some of the most sensitive personal data. Yet the security measures? They’re nowhere near where they need to be.”
The Digital Push Without Security Readiness
Indonesia has been accelerating the digitization of healthcare services, with mandatory electronic medical records (Rekam Medis Elektronik/RME) enforced under Peraturan Menteri Kesehatan (PMK) No. 24 Tahun 2022 and hospital information management systems mandated by PMK No. 82 Tahun 2013. However, despite this push for digital healthcare, one critical aspect remains unclear: healthcare data security.
“Other industries, like finance, have specific cybersecurity mandates. But in healthcare? We’re just expected to refer back to the Personal Data Protection (PDP) Law, without any real guidelines on how hospitals and telemedicine providers should handle patient data,” Hana explains.
By contrast, countries like the United States have HIPAA (Health Insurance Portability and Accountability Act), which strictly dictates how medical data should be stored, processed, and protected. In Indonesia, there is no equivalent regulation that provides a structured security framework for handling healthcare data, leaving hospitals and telemedicine platforms exposed to cyber threats.
When Health Data Falls into the Wrong Hands
Unlike financial data, which can be changed if compromised, medical data is permanent. A stolen credit card number can be replaced, and a password can be reset, but a person’s medical history, DNA records, and prescriptions cannot be changed.
Attackers are aware of this, which is why health data is more valuable than financial data on the dark web. With enough stolen information, cybercriminals can:
- Commit medical identity fraud by using stolen patient records to file fake insurance claims
- Blackmail individuals or organizations, threatening to expose sensitive medical conditions
- Tamper with treatment records, which can be dangerous for patient care
Then there’s ransomware, a cyberattack in which hackers lock healthcare providers out of their systems and demand payment before restoring access. Unlike attacks on other industries, ransomware in healthcare isn’t just about financial loss: it can delay critical medical treatments and put lives at risk.
Two Key Aspects of Healthcare Cybersecurity
To build a secure healthcare system, Indonesia needs to focus on two major areas:
1. Regulation & Compliance
There must be clear and specific security standards for healthcare data. The Ministry of Health should issue a technical guideline under the PDP Law, outlining exactly what patient information needs to be protected (medical history, prescriptions, genetic data, and so on) and how.
2. Implementation & Readiness
Cyber threats evolve faster than policy-making, meaning healthcare providers cannot afford to wait for regulations before securing their systems. Proactive steps need to be taken now, including:
- Encrypting all sensitive medical records to prevent unauthorized access
- Enforcing Multi-Factor Authentication (MFA) for patient and doctor logins
- Conducting regular security assessments to identify vulnerabilities before attackers do
- Training employees to recognize phishing and social engineering attacks
Cybersecurity Equals Patient Safety
Indonesia’s healthcare industry is rapidly digitizing, but without strong cybersecurity, it is exposed to significant risks. Many organizations only take cybersecurity seriously after they experience an attack. In healthcare, that mindset is unacceptable because the stakes are human lives.
“I’ve seen companies across industries wait until an attack happens before prioritizing cybersecurity,” says Hana. “We can’t afford that approach in healthcare because we’re not just protecting data, we’re protecting real people’s lives.”
At the end of the day, a healthcare system without cybersecurity is a healthcare system that can’t be trusted.