How nCrypt delivered a multi-site network and EMR pentest, a patient-portal application review and a clinical-staff awareness programme ahead of the Malaysian Personal Data Protection Act enforcement deadline. Client identifying details have been anonymised under the engagement non-disclosure agreement.
The client is a Malaysian private hospital group operating twelve facilities across Peninsular Malaysia, with combined annual outpatient throughput in the high hundreds of thousands and a growing medical-tourism segment. The group runs a unified electronic medical record platform federated across all sites, alongside a public patient portal that supports appointment booking, lab-result delivery and tele-consultation.
Each hospital operates a mix of modern clinical applications and a long tail of legacy modality workstations attached to radiology, laboratory and cardiology equipment. Medical-device estate management sits with a small clinical-engineering team that historically had limited overlap with the corporate information-security function.
The engagement was triggered by the impending enforcement of the amended Personal Data Protection Act 2024, which introduced mandatory breach notification, materially higher penalties and explicit accountability obligations for data controllers handling special-category personal data such as patient health records.
The group's historical security posture had been built around perimeter controls and a small central team. The amended PDPA introduced explicit expectations around technical and organisational measures, breach notification timelines and accountability evidence — none of which had been rehearsed at scale across all twelve sites.
The technical estate added complexity. Each hospital had been onboarded into the central EMR platform at a different pace over a decade, leaving uneven network segmentation, inconsistent privileged-access hygiene and a long tail of modality workstations on unsupported operating systems that could not be patched without coordinating with the equipment vendor.
Clinical operations were the binding constraint. Testing could not introduce risk to a live clinical workflow, and any change had to be reversible inside a single nursing shift. The patient portal had a peak load profile around morning appointment booking that limited the available windows for production-side work.
Finally, the group's board had set an explicit expectation that the readiness posture would be defensible to the regulator without recourse to extended grace arrangements. Every finding had to be either remediated or covered by a documented compensating control before the enforcement deadline.
nCrypt structured the engagement as four parallel workstreams across an eight-week field window. The network workstream ran an internal penetration test at each of the twelve sites, with two consultants on the ground for two days per site, focused on segmentation, privileged-access hygiene and lateral-movement exposure between corporate, clinical and modality networks.
The application workstream targeted the central EMR web and API surface and the patient portal, with an OWASP ASVS Level 2 baseline and a focused review of high-sensitivity flows including lab-result delivery, prescription generation and tele-consultation video. Authorisation logic and tenant isolation between sites were given particular attention.
The PDPA readiness workstream ran in parallel and was the deliberate mechanism for translating technical findings into accountability evidence. Every finding was mapped to a specific PDPA standard and to ISO 27799 control areas, so that the resulting evidence pack was directly defensible to the Personal Data Protection Commissioner if queried.
The awareness workstream rolled out an in-person and digital training programme to roughly 1,200 clinical and administrative staff, with content tailored to the realistic phishing and social-engineering scenarios that the network and application work had already validated as exploitable. This closed the human-factor gap that the PDPA explicitly calls out as a controller obligation.
An authenticated patient could enumerate other patients' lab result identifiers and retrieve full diagnostic reports through a single misconfigured API endpoint. The flaw was reproducible across roughly 110,000 historical results.
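To make the lab-result finding concrete, here is an added example (not the client's or nCrypt's code) contrasting an endpoint that authenticates the caller but never checks record ownership with one that scopes every lookup to the caller's own patient id and site; the record store, session shape and ids are constructed for illustration.

```python
# Added example: object-level authorization for a patient-portal lab-result
# endpoint. The data store, Session type and ids are constructed, not real.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class LabResult:
    result_id: int
    patient_id: str
    site_id: str
    report: str


@dataclass(frozen=True)
class Session:
    """What the portal knows about the authenticated caller."""
    patient_id: str
    site_id: str


# Constructed sample store keyed by a sequential identifier, the pattern
# that lets one patient walk through other patients' results.
RESULTS = {
    1001: LabResult(1001, "P-001", "KL", "HbA1c 6.1%"),
    1002: LabResult(1002, "P-002", "KL", "Troponin I elevated"),
    1003: LabResult(1003, "P-003", "PEN", "Lipid panel normal"),
}


def get_result_vulnerable(session: Session, result_id: int) -> Optional[str]:
    """Requires a login but never asks who owns the record: any patient
    can read any result, which is the class of flaw described above."""
    rec = RESULTS.get(result_id)
    return rec.report if rec else None


def get_result_hardened(session: Session, result_id: int) -> Optional[str]:
    """Scope the lookup to the caller's own patient id and site (tenant).
    A record that exists but belongs to someone else looks exactly like a
    missing one, so the endpoint also cannot confirm which ids exist."""
    rec = RESULTS.get(result_id)
    if rec is None or rec.patient_id != session.patient_id \
            or rec.site_id != session.site_id:
        return None
    return rec.report


def readable_ids(fetch: Callable[[Session, int], Optional[str]],
                 session: Session, ids: Iterable[int]) -> List[int]:
    """Retest check against a staging copy: how many ids can one session
    read? After the fix the answer must be only that patient's own."""
    return [rid for rid in ids if fetch(session, rid) is not None]
```

The retest check is the kind of regression assertion worth keeping in the portal's test suite: one session, a range of ids, exactly the caller's own results returned.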
Three of twelve sites had VLAN segmentation gaps that allowed network reachability from the guest Wi-Fi range to read replicas of the electronic medical record database. Authentication was still required, but the exposure violated the hospital group's own data-classification policy and PDPA Standard 2 expectations.
Several radiology and laboratory modality workstations were operating end-of-support Windows builds with no compensating segmentation. Two were directly exposed to a flat clinical VLAN that also housed nurse-station workstations.
Visiting consultants accessed EMR records through shared service accounts with no individual attribution. The same accounts retained access weeks after a consultant's engagement had ended.
Patient-facing transactional email was sent from a domain without enforced DMARC, creating phishing exposure for appointment-confirmation flows that already carried sensitive metadata.
All critical and high-severity findings were remediated within six weeks of identification and validated on retest with zero residual critical findings. The patient portal authorisation flaw and the EMR replica exposure — the two issues with the largest potential impact on patient privacy — were closed inside the first ten days of the remediation phase.
The PDPA readiness pack was delivered three weeks ahead of the enforcement deadline and covered every standard with explicit evidence, supplier-review status and a documented breach-notification runbook rehearsed against three realistic scenarios. The board sub-committee accepted the posture without conditions.
Beyond the regulator outcome, the engagement produced lasting operational change. The clinical-engineering team was integrated into the central change-advisory process, third-party specialist access moved to individually attributed accounts with quarterly review, and the patient portal now ships under a continuous-assurance retainer with monthly external scanning and quarterly application retests.
Share your scope. We'll respond within 24 hours.
Get a defensible readiness posture across every site, with an evidence pack mapped directly to the regulator's standards.