Information Security and Privacy

 

Technology is now a key mechanism for driving the organization toward sustainability, particularly through digital transformation and the adoption of artificial intelligence to enhance business operations. Data management and cybersecurity measures are vital factors in how effectively that technology can be applied. At the same time, current statistics show a significant increase in digital crime and cyber threats, with both direct and indirect impacts on organizations. Recognizing the importance of technology and information management, BDMS keeps its systems agile and flexible while assessing and mitigating cybersecurity risks, so that digital transformation enhances business capabilities while keeping pace with rapidly shifting technology and artificial intelligence trends.

 

Management Approach 

BDMS defines the IT security structure, including policies, guidelines and operating standards, for its subsidiaries to ensure appropriate use of IT systems while preventing potential risks.

Patient safety and high service standards are the Company's paradigm. Many factors and components contribute to that purpose, and one of the key components is the effective information security management adopted by BDMS and its subsidiaries, namely ISO 27001 (Information Security Management Systems) and ISO 27799 (information security management in health), in place since 2020. BDMS cybersecurity and data protection management is guided by three main principles:

  • Implementing international principles and standards, such as ISO 27001 and ISO 27799, as the framework for health data security management, cybersecurity and data protection management.
  • Governing cybersecurity operations through the Information Security Management Policy Committee.
  • Organizing regular training on cybersecurity, IT and data protection for personnel at all levels.

 

Key Performance 

8 cases of complaints regarding information security. 

0 confirmed cases of information leaks, theft, or loss. 

0 cases of customer data used for other purposes. 

BDMS monitors the percentage of users whose customer data is used for secondary purposes. 

 

Information Security Governance 

Understanding the importance of effective information system management, BDMS regards cybersecurity risk assessment as one of the key factors influencing corporate business sustainability. Accordingly, BDMS sets a governance structure for information security and enforces policies, guidelines and operational standards for its subsidiaries to ensure the appropriate use of information technology and systems and to prevent potential risks.

 

Board Level 

BDMS has established a dedicated information security committee, the BDMS IT Governance Committee, which operates at the board level to oversee information security issues. Its main roles and responsibilities include devising information technology strategies and ensuring their implementation across the hospital network and the other businesses that support the hospitals. The committee is also responsible for collecting data on IT management performance and regularly reporting it to the Risk Management Committee, to ensure the highest efficiency and security in data management.

The Committee also manages information systems, safeguards data security, and creates communication networks to ensure data protection following global standards and legal requirements in Thailand and abroad. 

Aiming to assess the IT management capabilities of the organization,  

 

Executive level 

The Information Security Management Committee (ISMC), chaired by Mr. Chairat Panthuraamphorn, M.D., whose position is equivalent to Chief Operating Officer (COO), is responsible for overseeing and monitoring the functioning of the ISMC Group. The roles and duties of the ISMC Group are as follows:

  • Approve and promulgate policies relating to the Information Security Management System
  • Consider and approve the risk criteria used in Information Security Management System risk assessment, together with the risk appetite level
  • Evaluate risks and prepare mitigation and improvement plans
  • Consider penalty criteria for those who violate Information Security Management System policies
  • Support the resources needed to operate the Information Security Management System
  • Approve and promulgate policies relating to personal data protection

The BDMS Computer Emergency Response Team (BDMS CERT) has the following major roles and duties:

  • Respond to and handle cyber security incidents (incident response)
  • Provide advice on, and resolve, cyber security threats (cyber security advisor)
  • Follow up on and communicate cyber security news and incidents to all relevant persons in the Company
  • Study, improve and update tools and operating guidelines to enhance the Company's cyber security

For more information regarding the information security governance policy and structures, please see the attachment 'Information Security Governance Policy'.

Information Security Management Programs 

BDMS implements a comprehensive mechanism to evaluate and assess the effectiveness of its information security management, ensuring that the system is robustly secured and capable of enhancing service quality while safeguarding sensitive data. This includes conducting thorough vulnerability analyses, performing both external and internal audits of IT systems, and establishing a clear escalation process for employees to report incidents, vulnerabilities or suspicious activities.  

Information security vulnerability analysis 

BDMS conducts information security vulnerability analysis on a regular basis, including simulated attacks such as phishing tests, to ensure the effectiveness of its cybersecurity risk management and cyber threat mitigation.

Internal audits of the IT infrastructure and/or information security management systems 

BDMS maintains an internal audit plan for assessing the information security management system. Significant changes affecting the IT audit plan are reviewed, and the plan is revised where necessary. In 2024, the internal audit team assessed the effectiveness of the control environment in several of BDMS's operational modules. For IT-related modules, internal audits verified compliance with BDMS's Information Security Basic Requirements, which cover 17 actions spanning information security management and data privacy management, as announced by the Information Security Management Committee (ISMC).

Independent external audit of the IT infrastructure and/or information security management systems 

BDMS obtained an independent external audit of its IT infrastructure against international standards, including certification to ISO 27001 (Information Security Management Systems) and ISO 27799 (information security management in health). BDMS also ensures that all outsourced entities responsible for information security management systems hold the necessary international certifications, including ISO 27001 and ISO 27799.

Escalation process for employees to report incidents, vulnerabilities or suspicious activities 

BDMS has established a clear escalation process for employees to report any information security-related incidents, vulnerabilities or suspicious activities, documented in the 'Security Incident Management Procedure'. The procedure assigns responsibility to the Information Security Services Department and the BDMS CERT team, which manage reported incidents and serve as the communication channel for receiving information security incident reports from employees.

Employees who encounter any unusual security event, or who notice a security weakness, are required to report it to the Information Security Services Department, which immediately notifies BDMS CERT.

 

BDMS PDPA Policy

In accordance with the Personal Data Protection Act B.E. 2019, BDMS enforces a policy on compliance with the Act that sets out the principles and practices for information management and covers the Board of Directors, top executives, employees, contractors and other parties working with BDMS. The policy sets out the Company's responsibility for protecting data and IT systems and protects the organization from personal data breaches. BDMS holds every business unit responsible for information management and for compliance with new laws and changing regulations. The Information Security Management Committee (ISMC), appointed by the BDMS Board of Directors, directly supervises this policy and assigns responsibilities to all BDMS business units for strict compliance.

BDMS Privacy and Security Working Group 

BDMS has established the Privacy and Security Working Group (PSWG) which performs the following duties: 

1. Set guidelines on personal data protection and IT security and submit them to the ISMC for approval.

2. Provide opinions on the development and improvement of personal data protection and IT security across BDMS and the BDMS network, to meet international standards.

3. Follow up on the personal data protection and IT security operations of each company to ensure compliance with BDMS policies and relevant laws.

4. Act as the representative for communicating BDMS personal data protection and IT security matters to the senior executives of each company for acknowledgement.

5. Give advice on personal data breaches and IT security incidents.

6. Assess the impact of personal data breaches and IT security incidents at each company and report them to the ISMC for immediate acknowledgement.

7. Act in accordance with the resolutions of the working group, as appropriate, to contain incidents or to support smooth operations and maximize the Company's benefit, including reporting the matter to the ISMC for acknowledgement.

 

Patient Privacy Notice 

BDMS processes personal data in accordance with the Personal Data Protection Act B.E. 2019, relying on a lawful basis for processing or on consent obtained from customers for disclosing personal data to doctors, nurses and/or other personnel within the medical facilities. Personal data is retained according to the relevant specifications for no longer than 10 years after the last treatment date. After that period both paper and electronic records are destroyed, unless a dispute arises or a government agency requires the retention period to be extended.

Objectives of Patient Privacy Notice 

To enable medical diagnosis, treatment and health services within the network hospitals and other medical facilities.

To study and analyze quality improvement of the medical facilities, using the data in confidence.

To process claims with insurance companies or reimbursement of medical expenses.

To disclose information to the person who arranged the health checkup or who pays the medical fees (consent required).

To connect the electronic medical record databases of different medical facilities through applications (consent required).

For healthcare marketing, publication of medical newsletters and offering products and services (consent required).

To perform a contract between the customer and the Company, or to take steps at the customer's request prior to signing a contract.

BDMS Data Subject Rights According to PDPA 

Data subjects may exercise the BDMS Data Subject Rights over their personal data, in compliance with the Personal Data Protection Act B.E. 2019, by submitting a request in writing, by phone or by email; requests are completed within 30 days. The BDMS Data Subject Rights consist of:

Right to Withdraw Consent  

Right of Access  

Right to Rectification  

Right to Erasure  

Right to Restriction of Processing  

Right to Data Portability  

Right to Object  

 

Data Protection Officer - DPO 

The Personal Data Protection Act B.E. 2019 sets out the roles and duties of all parties involved with personal data. One of these parties is the data protection officer (DPO), a person assigned to supervise, advise on and inspect personal data protection within the organization to ensure compliance with the law.

BDMS appoints the DPO in accordance with Section 42 of the Act. The DPO has access to, and reports directly to, the authorized executive, so that any data leakage or weakness that may pose a risk or be inconsistent with legal requirements can be reported directly to that executive.

The data protection officer has the duties as follows:  

(1) Advise the data controller or data processor, including employees or contractors of the data controller or data processor, on compliance with the Act.

(2) Supervise the performance of the data controller or data processor, including employees or contractors of the data controller or data processor, in the collection, use or disclosure of personal data, to ensure strict compliance with the Act.

(3) Coordinate with the relevant agency in case of any problems regarding the collection, use or disclosure of personal data by the data controller or data processor, including employees or contractors of the data controller or data processor, in relation to compliance with the Act.

(4) Maintain the confidentiality of personal data that the DPO learns of or acquires in the performance of duties under the Act.

 

Corporate Information Disclosure Policy  

This Corporate Information Disclosure Policy is part of the good corporate governance policy of Bangkok Dusit Medical Services PCL and is intended to provide equal access to corporate information for shareholders, investors, financial institutions, other users of financial information and the general public. It is therefore of the utmost importance that communication be transparent, accurate, complete, timely and consistent, covering both past performance and future value creation, without discrimination between positive and negative information. At the same time, the Company is fully aware of the need to protect corporate secrets, confidential information and its operating strategies.

This Policy must also comply with the rules and regulations on corporate information disclosure of the Stock Exchange of Thailand and the Office of the Securities and Exchange Commission, as well as all other relevant rules and regulations. The Company has announced the BDMS Corporate Information Disclosure Policy as follows:

 

Control of the Data Processor for Data Safety 

BDMS engages business partners to achieve the Company's business objectives. As data controller, BDMS therefore recognizes the importance of controlling personal data handled by business partners acting as data processors, to ensure the utmost security of personal data and strict compliance with the law.

BDMS enters into a data processing agreement with each data processor. The data processing agreement specifies the duties of the data processor as follows:

Data Security Compliance Assessment 

BDMS conducts a data security compliance assessment annually across five domains: Security Configuration Risk, Access Control Risk, Retention and Disposal Risk, Best Practices for Data Collection and Transfer Risk, and Data Security Risk.

The assessment result met 100% of the Data Security Assessment Measures, with all BDMS companies in compliance with BDMS data security requirements.

 

BDMS monitors the percentage of customers whose data is used for secondary purposes. In 2024, 0% of customer data was used for secondary purposes.