Healthcare Cybersecurity in Southeast Asia: Why Patient Data Systems Are the New Frontline

Healthcare is now the most breached industry globally, and Southeast Asia is squarely in the crosshairs. ITSEC Asia, Indonesia's leading cybersecurity company, explains why hospitals and health systems need to go beyond compliance and build continuous security validation before the next attack hits.

ITSEC Asia | Jun 30, 2026

Introduction

What does it take for an attacker to compromise the personal health records of 1.5 million patients, including a sitting prime minister? At SingHealth in 2018, the answer turned out to be a single unpatched vulnerability, a phishing email, and nearly a year of undetected access before anyone noticed something was wrong. The investigation that followed found no penetration tests had been conducted, no two-factor authentication had been enabled on critical systems, and cybersecurity had been treated as an IT management issue rather than an organizational risk. The Committee of Inquiry described the failures as a catalogue of missed opportunities that a far less skilled attacker could have exploited just as easily.

That was 2018. Since then, the threat to healthcare systems across Southeast Asia has not diminished. It has industrialized. Cyberattacks in the region doubled in 2024 compared to the previous year, with healthcare consistently listed alongside finance and government as a primary target. Globally, healthcare accounted for 23% of all data breaches in 2024, overtaking finance for the first time, and the average cost of a healthcare breach has reached $7.42 million per incident, the highest of any industry. In Indonesia alone, BSSN recorded more than 3 billion cyberattacks or traffic anomalies in the first seven months of 2025, and health data remains among the most exposed categories in the country's recurring breach landscape. ITSEC Asia, Indonesia's leading cybersecurity company, works directly with healthcare organizations across the region navigating this environment and sees firsthand how unprepared many institutions still are for the scale and sophistication of what is now targeting them.

Source: SingHealth COI Report: A Catalogue of Cybersecurity Failures · Cyberattacks in Southeast Asia Doubled in 2024 · Healthcare Tops Data Breach Incidents 2024 · BSSN Cyber Attacks H1 2025

Why Healthcare Is the Highest-Value Target in the Region

Patient data is not just sensitive, it is permanently sensitive. A compromised credit card can be cancelled and a stolen password can be reset, but a medical record containing diagnoses, prescriptions, insurance information, and biometric identifiers cannot be changed, and it retains its value for years. That permanence is exactly why ransomware groups and state-sponsored actors have increasingly shifted their focus toward healthcare systems, where the combination of rich data and critical operational dependency creates maximum leverage.

Key figures that illustrate the scale of this threat include:

  • Healthcare now accounts for 17% of all ransomware attacks across industries globally, with 458 ransomware events tracked in the sector in 2024 alone.

  • The average ransom demand against a healthcare provider has reached $7 million, with the highest documented demand against a single institution reaching $100 million.

  • In Vietnam, hackers advertised the sale of 112,000 patient and medical staff records from a single hospital breach in June 2024.

  • In Indonesia, a 2021 breach of the national health insurance database compromised the data of 279 million individuals, including deceased citizens, one of the largest government health data exposures ever recorded.

The attack surface in healthcare is also broader and more complex than in most other industries. A modern hospital connects electronic health record systems, medical imaging platforms, laboratory information systems, pharmacy networks, billing infrastructure, and increasingly, internet-connected medical devices, all within a single environment. For Southeast Asian healthcare systems, many of which are mid-sized public institutions with limited cybersecurity budgets and aging infrastructure, these numbers represent an existential operational risk that extends beyond regulatory exposure to directly threatening patient safety.

Source: Cobalt: Healthcare Data Breach Statistics 2025 · Cyberattacks in Southeast Asia Doubled in 2024 · Indonesia BPJS 279M Records Breach

The Regulatory Landscape Is Tightening, and Healthcare Is Not Exempt

For healthcare organizations operating in Indonesia, the regulatory environment governing patient data protection has changed fundamentally in the past two years, and the obligations it imposes go well beyond posting a privacy policy on a website. The core obligations healthcare organizations now face include:

  • UU PDP (Indonesia's Personal Data Protection Law), fully enforceable since October 2024, classifies health data as a specific category of personal data with heightened protection requirements.

  • In the event of a breach, data controllers must notify both affected individuals and the regulatory authority within 72 hours, identical to the EU's GDPR standard.

  • Administrative sanctions under Article 57 can reach 2% of annual revenue, with criminal penalties of up to IDR 5 billion and five years' imprisonment for serious violations.

  • Under BSSN Regulation No. 1 of 2024, organizations operating vital information infrastructure, including public health systems, must report cyber incidents to the National Cyber Incident Response Team within 24 hours.

  • The Lembaga PDP, Indonesia's dedicated data protection agency, is targeted for full operation in 2026, after which enforcement frequency and depth are expected to increase substantially.

The pattern from SingHealth is instructive here. The COI investigation found that penetration tests had not been conducted, vulnerability assessments were not performed with sufficient regularity, and the organization's security posture had never been actively validated against real-world attack scenarios. The Personal Data Protection Commission fined SingHealth and its IT vendor a combined S$1 million, the largest fine in Singapore's data protection history at the time, not because the breach happened, but because the organization had not done enough to prevent it. That logic, that a breach without prior evidence of due diligence constitutes a compliance failure, is exactly the standard that UU PDP now codifies in Indonesia.

Source: Chambers and Partners Data Protection Indonesia 2026 · BSSN Regulation No. 1 of 2024 · Singapore Data Breach History and PDPC Fines

Continuous Security Validation: The Standard Healthcare Systems Actually Need

The SingHealth COI made one recommendation that applies to every healthcare organization in Southeast Asia regardless of size, budget, or country: adopt an "assume breach" mindset. Do not design your security program around the hope that attackers will not find a way in. Design it around the certainty that they are trying, right now, and build the validation infrastructure to know whether your defenses are holding.

That is the operational case for continuous security validation in healthcare. Annual penetration tests were never designed for environments that change as rapidly as a modern hospital's digital infrastructure. Electronic health record platforms receive updates. Medical devices are added to networks. Telehealth integrations connect to external APIs. A new billing vendor gets access to patient data. Each of those changes can introduce a vulnerability that was not present during the last assessment, and none of them are visible to an organization that tests once a year and waits. Globally, the average time to identify and contain a healthcare breach is 241 days, meaning an attacker can be inside a system for eight months before anyone knows. That dwell time is not inevitable. It is the direct product of infrequent testing and insufficient visibility.

Bronyx, ITSEC Asia's AI-powered autonomous penetration testing platform, is built specifically to close this gap. By combining intelligent automation with human expert oversight through a Human and AI approach, Bronyx enables healthcare organizations to run continuous security assessments across their full attack surface (clinical systems, patient portals, API integrations, and connected devices) and to generate the kind of timestamped, audit-ready reports that demonstrate active security due diligence to regulators, hospital boards, and international accreditation bodies. Every assessment cycle produces documentation of what was tested, what was found, what was remediated, and when. Over time, that record is the difference between an organization that can demonstrate its security posture was actively managed and one that cannot explain why it had no record of ever testing its systems before the breach occurred.

ITSEC Asia has spent over a decade working with organizations across financial services, healthcare, telecommunications, and other heavily regulated sectors throughout Indonesia, Singapore, Australia, and the UAE, helping security and compliance teams build the kind of continuous evidence trail that regulators increasingly expect and that the pace of modern healthcare operations demands.

Source: Cobalt: Healthcare Data Breach Statistics 2025 · ITSEC Asia: Why Annual Penetration Testing Is No Longer Enough · Bronyx.AI Continuous Penetration Testing Platform

Start Protecting Patient Data Before the Next Incident

The question for healthcare organizations in Southeast Asia is not whether a cyberattack is coming. Nearly half of healthcare organizations globally have experienced at least one cybersecurity incident in the past year, and the region's rapid digital health transformation, from national EHR rollouts to telemedicine platforms to connected diagnostic devices, is expanding the attack surface faster than most institutions' security programs can keep pace. The question is whether an organization will be able to demonstrate, in the aftermath of a breach, that it took reasonable and documented steps to protect its patients' data before the incident occurred.

UU PDP gives regulators the authority to answer that question with sanctions. BSSN gives investigators the mandate to examine what technical controls were in place. And the operational reality of a ransomware attack that shuts down clinical systems gives every hospital board a reason to take the answer seriously before it becomes a liability.

ITSEC Asia's team understands the intersection of healthcare operations, regulatory obligations, and cybersecurity requirements in the Indonesian and broader Southeast Asian market. The guidance and deliverables it provides are built not just for security teams but for the clinical leadership, legal, and compliance stakeholders who need to demonstrate accountability to regulators, accreditation bodies, and the patients who trust these institutions with their most sensitive information.

Visit bronyx.ai or contact the ITSEC Asia team at itsec.asia/contact to arrange a consultation and see how continuous security validation can be tailored to your healthcare environment.
