Cybersecurity and Data Protection
Goal and Performance Highlights

Commitment and Targets
Sikarin Public Company Limited recognizes that information security and personal data protection are essential foundations of quality, safe, and reliable medical services. Patient data, medical records, treatment information, and the personal data of service users, employees, business partners, and other stakeholders are all sensitive information that must be carefully protected under the relevant laws, standards, and practices.
The Company is therefore committed to managing its data and information systems in a systematic, transparent, and verifiable manner, with emphasis on preventing unauthorized access, preventing data leakage, maintaining the confidentiality of patient information, controlling access to information on a need-to-know basis, backing up and protecting critical information, and preparing to respond to cybersecurity incidents that could affect the continuity of medical services.
In 2025, the Company continued to set ongoing targets for data security and the prevention of personal data leakage: no significant complaints related to data security or personal data leakage, and continued certification of the relevant information systems within the scope defined by the Company. In 2025, the Company recorded no complaints related to data security or personal data leakage (0 cases), and 100% of the relevant information systems were certified within the scope defined by the Company.
These results reflect the Company’s continued efforts to strengthen data governance, comply with the Personal Data Protection Act B.E. 2562, develop cybersecurity measures, and build employee awareness, in order to ensure that the use of technology and data in medical service delivery is secure, responsible, and supports the long-term trust of service users and stakeholders.
Challenges and Opportunities
In the digital era, where technology plays a crucial role in healthcare services, Sikarin Public Company Limited recognizes the critical importance of cybersecurity and patient data protection as key elements in maintaining medical service standards and building trust with patients.
Operating in today's healthcare sector presents increasingly complex cyber challenges, including cyberattacks, unauthorized data access, and data leaks, all of which can damage the Company's reputation and undermine patient confidence. The Company therefore prioritizes a balance between leveraging digital technologies to enhance service efficiency and strengthening its cybersecurity systems to keep pace with evolving technologies and regulations. The Company strictly adheres to the relevant laws and international standards on data security, such as Thailand's Personal Data Protection Act (PDPA) and ISO/IEC 27001, thereby minimizing legal risk while developing best practices for managing data effectively. Beyond risk mitigation, the Company views this as an opportunity to raise its cybersecurity standards through strategic investment in data protection technologies, cybersecurity infrastructure, and employee cybersecurity awareness. These efforts not only safeguard patient data but also support Sikarin's competitive position and its long-term goal of being a trusted healthcare provider committed to the highest standards of data security.

Management Approach and Value Creation
Sikarin Public Company Limited manages data security by linking it with the corporate governance structure, risk management, internal control system, compliance with personal data protection laws, and relevant information security standards, to ensure that the collection, use, processing, transfer, and management of data are carried out securely, appropriately, and verifiably.
The Company places importance on establishing data security policies and practices, controlling access rights to information on a need-to-know basis, maintaining the confidentiality of patient information, data backup, data encryption, monitoring system anomalies, and continuously testing system vulnerabilities, taking into account the sensitivity level of the data and the importance of the systems to the provision of medical services.
In operational terms, the Company develops control measures across technology, processes, and personnel to help reduce the likelihood of data security incidents and to ensure that it can detect, respond to, and recover systems appropriately in the event of unexpected incidents. These actions support the provision of secure and continuous digital medical services, while strengthening the long-term trust of service users and stakeholders.
Establishment of Security Policies and Standards
The Company establishes data security policies and practices as a framework for managing organizational data and information systems, covering personal data protection, confidentiality of information, access control, information technology risk management, and compliance with relevant laws and requirements.
These operations are aligned with the Personal Data Protection Act B.E. 2562, as well as international practices and standards on information security that the Company applies as appropriate to the context of the hospital business. The Company also continuously develops systems and control measures, taking into account quality requirements, patient safety, and medical services that must be delivered continuously and reliably.
The Company places importance on data governance in digital healthcare service systems to prevent unauthorized access, use, disclosure, alteration, destruction, or loss of data, while promoting the use of data within the organization for appropriate purposes and in alignment with the rights of data subjects.
Investment in Cyber Threat Protection Systems
To respond to increasingly complex and rapidly evolving threats, the Company continuously invests in and develops cybersecurity infrastructure, with the aim of ensuring that prevention, detection, and response are effective and aligned with the risk level of systems and data.
The Company implements strict access control and authentication measures for sensitive information, together with data loss prevention measures such as data backups in accordance with established practices and encryption of data held in internal storage systems, in order to reduce the risk of data leakage and limit the impact of cyberattacks.
For monitoring, the Company uses a Security Information and Event Management (SIEM) system to collect and analyze logs from network systems and critical systems and to alert on abnormal activity, enabling the Company to detect abnormal signals and respond to incidents more quickly. In addition, the Company conducts Vulnerability Assessment and Penetration Testing (VAPT) on network systems and critical systems annually, through collaboration between internal experts and external consultants, in order to identify vulnerabilities, remediate them, and systematically follow up on the improvements.
Building an Organizational Cybersecurity Culture
The Company recognizes that cybersecurity cannot rely solely on technology, but also requires awareness, understanding, and behaviors of employees at all levels. The Company therefore places importance on continuous communication and training on data security, so that personnel understand risks related to the use of digital systems, patient data management, password usage, phishing prevention, and the secure use of the internet or information systems.
Building a cybersecurity culture also covers raising awareness of threats arising from human factors, such as clicking unsafe links, unintentionally disclosing information, or using more data than necessary in daily work. The Company therefore aims to ensure that personnel can appropriately participate in preventing data-related risks and understand that data security is a shared responsibility of everyone in the organization.
The Company also places importance on developing the capabilities of information technology personnel and relevant departments, so that they can manage security systems, detect anomalies, coordinate during incidents, and support improvements to control measures effectively.
Development of Incident Response Plans
The Company places importance on preparedness for data security incidents and information system disruptions that may affect the provision of medical services. It has therefore developed an Incident Response Plan (IRP) and a Business Continuity Plan (BCP) that define how the Company responds, coordinates, recovers, and reduces the impact of potential incidents.
These plans cover management approaches in the event of incidents affecting data or critical systems, such as network system disruptions, cyberattacks, incidents that prevent data from being used normally, or external events that may affect the continuity of medical services. The Company places importance on data backup, system recovery, and maintaining the readiness of critical systems within an appropriate scope.
The Company also provides systems and approaches for data recovery and system restoration in the event of unexpected incidents, to support the protection of critical information and enable appropriate service recovery. In this regard, the Company exercises caution in disclosing technical details of such plans and systems, to ensure that the disclosed information does not create additional risks to system security.
Towards a Secure and Sustainable Future
With comprehensive measures across technology, policy, and people, Sikarin Public Company Limited is committed to elevating its cybersecurity standards to stay ahead of evolving threats.
The Company aims to protect patient data, strengthen service user confidence, and drive stable, sustainable growth in the digital era.