Security & Compliance
Security controls, compliance frameworks, and operational procedures protecting Malaysia’s national health data infrastructure.
Identity (OIDC/Scopes)
OAuth 2.0 with OpenID Connect. SMART on FHIR scopes for user and system context.
Network (MTLS/Throttling)
Mutual TLS for production endpoints.
Rate limiting and DDoS protection at gateway.
Operations (Audit/Incident)
ISO 27799 audit logs. 24/7 SOC monitoring. Incident response within 1 hour (P1).
Identity & Access Management
OAuth 2.0 Scopes
- system/Patient.read
- user/Observation.cruds
- patient/*.read
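The three scopes above follow the SMART on FHIR `context/Resource.permissions` grammar. The following checker is an added example (not code from this page or from the platform itself) that parses that grammar, maps the v1 words `read`/`write`/`*` onto the v2 `cruds` letters, rejects malformed or mis-ordered permission strings, and denies by default; the function names and the request model (context, resource type, single operation letter) are assumptions.

```python
import re

# Simplified SMART on FHIR v2 scope grammar: <context>/<resource>.<permissions>
# context: patient | user | system; resource: a FHIR resource type or '*'
# permissions: an ordered subset of "cruds" (v2) or a v1 word: read | write | *
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Z][A-Za-z]+|\*)\.([a-z*]+)$")
V1_PERMS = {"read": "rs", "write": "cud", "*": "cruds"}
CRUDS = "cruds"


def parse_scope(scope):
    """Return (context, resource, permission_set) or None for a malformed scope."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None
    context, resource, perms = m.groups()
    perms = V1_PERMS.get(perms, perms)  # translate v1 words to v2 letters
    # v2 permissions must be non-empty, drawn from "cruds", and in that order
    if not perms or any(ch not in CRUDS for ch in perms):
        return None
    idx = [CRUDS.index(ch) for ch in perms]
    if idx != sorted(idx) or len(set(idx)) != len(idx):
        return None  # out of order or repeated letters, e.g. "sdurc" or "rr"
    return context, resource, set(perms)


def is_allowed(granted_scopes, context, resource, operation):
    """Deny by default: allow only when a well-formed granted scope covers the request."""
    for scope in granted_scopes:
        parsed = parse_scope(scope)
        if parsed is None:
            continue  # a malformed scope grants nothing rather than everything
        ctx, res, perms = parsed
        if ctx == context and res in (resource, "*") and operation in perms:
            return True
    return False


if __name__ == "__main__":
    # Constructed token scopes taken from the list above
    granted = ["system/Patient.read", "user/Observation.cruds", "patient/*.read"]
    print(is_allowed(granted, "patient", "Observation", "r"))  # True
    print(is_allowed(granted, "patient", "Observation", "u"))  # False
```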
Token Lifecycle
- Access tokens: 1 hour expiry
- Refresh tokens: 30 days (rotated)
- Client credentials: No refresh
- Revocation endpoint available
Network Security
Transport Layer
- TLS 1.3 required (1.2 minimum)
- mTLS for production endpoints
- Certificate pinning recommended
Rate Limiting
- 1000 requests/minute per client
- 429 response with Retry-After
- Burst allowance: 50 requests
- WAF with geo-blocking (non-MY)
Audit Logging & Monitoring
All API access is logged according to ISO 27799 healthcare information security standards. Logs retained for 7 years.
Logged Events
- Authentication attempts
- Resource access (R/W)
- Failed authorisation
- Data export operations
Alert Triggers
- Failed auth > 5/min
- Bulk data export
- Anomalous IP patterns
- API error rate spike
SOC Response
- 24/7 monitoring
- P1: < 1 hour response
- Automated blocking
- Forensic analysis
Security Runbooks & Policies
- Operations (Audit/Incident): Technical
- Encryption Standards (Data at Rest/Transit): Technical
- Incident Response Playbook: Operational
- Vulnerability Disclosure Policy: Policy
- PDPA Compliance Checklist: Compliance
- Penetration Testing Requirements: Security