Cybersecurity and Data Protection
Goals and Performance Highlights (Goals; Performance in 2025: detail presented graphically in the original report)
Challenges and Opportunities
As an organization advancing toward becoming an AI-Driven Hospital, the Company places strong emphasis on leveraging data and artificial intelligence to enhance healthcare services.
This is undertaken in parallel with robust risk management measures addressing cybersecurity threats and the protection of sensitive personal data, particularly health information, which is subject to stringent legal requirements. Effective governance in this area remains a critical priority in maintaining the trust and confidence of patients and all stakeholder groups.
Management Approach and Value Creation
Compliance with Laws and Internationally Recognized Standards
Personal Data Protection Act B.E. 2562 (2019) (PDPA)
The Company has established a Personal Data Protection Policy in strict compliance with the PDPA, particularly in relation to the management of sensitive personal data, including health information, which requires data subject consent and enhanced security measures.
Information Technology and Cybersecurity Policy
The Company has established an Information Technology and Cybersecurity Policy.
International and Healthcare Standards
The Company complies with internationally recognized information security standards and healthcare accreditation frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Information Security Management System (ISMS) standards, Joint Commission International (JCI) standards, and relevant public health regulatory guidelines.
Governance Structure
The Company has appointed an Information Management Committee to oversee compliance with applicable laws and to conduct Data Protection Impact Assessments (DPIA) for new systems and innovations, such as the 9 SMART Platform, prior to implementation.
Security Practices and Measures

Cybersecurity Defense
- Cyber Security Operations Center (CSOC): The Company operates a Cyber Security Operations Center (CSOC) that monitors, detects, and manages cybersecurity incidents around the clock.
- Awareness and Personnel Development: Mandatory training on PDPA compliance and cybersecurity is provided to new employees during orientation and designated as an annual training course for all employees. Post-training assessments are conducted, and phishing email simulations are performed.
- Technical Safeguards: The Company implements advanced technical measures to prevent cyberattacks and unauthorized access to data, including Advanced Threat Protection systems, data encryption, and Multi-Factor Authentication (MFA).
- Access Control Management: Access to patient data is granted on a "Need-to-Know" basis and restricted to personnel directly involved in the patient's care.
- Vulnerability Assessment and Penetration Testing: Vulnerability Assessments and Penetration Tests are conducted at least twice per year.
- Cybersecurity Risk Assessment: Cybersecurity risk assessments are conducted regularly.

Risk Management and Incident Response
- Vendor Risk Management: Vendors involved in data processing are required to undergo a rigorous information security risk assessment prior to contract execution.
- Incident Response: The Company has established a Cybersecurity and Personal Data Breach Response Plan. Regular drills are conducted to ensure timely system recovery and effective damage control in the event of an incident.
- Security Culture Development: Regular training is provided to all personnel on PDPA compliance, data ethics, and emerging cybersecurity threats to strengthen awareness and enhance their role as the first line of defense in data protection.