All industries
Healthtech · Telemedicine · EHR · Lab-Tech · Pharmacy-Tech · Mental Health · Fitness

Patient data,
private healthtech, multiple regulators.

DPDP Act 2023 across the Indian customer base, ABDM voluntary alignment for ABHA / HFR / HPR / Consent Manager integrators, SOC 2 Type 2 and HIPAA-equivalent overlay for the foreign-customer arm, and App Store / Play Store health-data policy review for consumer-facing apps. Built for Indian healthtech operating in the private, non-hospital tier — telemedicine SaaS, EHR, lab-tech, pharmacy-tech, mental-health and fitness platforms with health data.

₹250 cr
maximum DPDP Act penalty per breach for a Data Fiduciary
4
overlapping audiences — DPDP, ABDM, foreign-customer SOC 2 / HIPAA, App Store / Play Store
70–80%
control overlap between Indian DPDP and AICPA SOC 2 — one evidence base, two submissions
OTP
phone-as-identity is the dominant Indian healthtech auth model — and a recurring failure mode

Why Indian healthtech needs a different playbook

Indian healthtech sits in a place no other sector quite occupies. The Indian regulator presence is light by global standards — the DPDP Act 2023 is the primary statutory obligation, with the National Health Authority's ABDM technical guidelines as a voluntary architecture for any product that wants to interoperate across the public-health ecosystem. The Clinical Establishments Act and the IT (Reasonable Security Practices and Procedures) Rules 2011 still apply where relevant, but the heavy regulator-mandated audit cadence that defines BFSI in India is largely absent. What replaces it is a stack of buyer-driven and platform-driven security expectations: enterprise hospital chains running their own vendor security reviews, US payers asking for SOC 2 Type 2 and HIPAA-equivalent attestation, foreign investors running diligence with SIG / CAIQ-shaped questionnaires, App Store and Play Store review policies on health data, and the underlying threat model of a customer base that does not forgive a public breach involving medical records.

The bug class also differs. Healthtech platforms hold dense personal data (name, age, contact, sometimes Aadhaar, often photographs of test reports and prescriptions, sometimes full electronic health records) plus financial and consent metadata. Multi-tenant boundary breaks (one hospital's data accessible to another via BOLA / BFLA), document-store URL guessability (S3 or GCS bucket leakage of test reports), telephony-and-OTP enumeration (phone-number-as-identity is the dominant model in Indian healthtech), and consent-flow misalignment with DPDP Rules 2025 are the recurring failure modes. AxVeil's healthtech-India engagement is built around those failure modes and the four overlapping audiences — DPDP, ABDM, foreign-customer SOC 2 / HIPAA overlay, and the App Store / Play Store policy reviewer.

Attack scenarios exercised

The recurring failure modes for dense-PII Indian healthtech — tested as real flows, not a scanner sweep.

THREAT
Cross-hospital BOLA on the multi-tenant API
Authenticated as one hospital / provider tenant, tamper object and organisation identifiers to reach another tenant's patient records, test reports and prescriptions. The dominant breach class for Indian healthtech holding dense PII across many institutional customers. OWASP API #1 / #5; DPDP data-sharing and consent implications.
THREAT
Document-store URL guessability leaking test reports
Sweep the S3 / GCS / Azure Blob object namespace behind the patient app for guessable or sequential keys to prescriptions, lab reports and ID photographs served without per-object authorisation. A recurring Indian-healthtech leak pattern — and a DPDP-reportable personal-data breach the moment it is exploitable.
THREAT
Phone / OTP enumeration and account-takeover via re-bind
Phone-number-as-identity invites OTP brute-force, enumeration of registered patients, and account takeover through phone-rebind or password-reset flows. Tested against the actual auth journeys, with rate-limit and risk-engine remediation guidance rather than a blanket CAPTCHA recommendation.

The four drivers behind a healthtech-India engagement

1. DPDP Act 2023 (every Indian patient record)

Data Fiduciary obligations on lawful processing, consent capture, purpose limitation, retention timelines, breach notification to the Data Protection Board, published grievance officer. Most healthtech platforms quickly cross the Significant Data Fiduciary thresholds — DPIA, DPO appointment, independent data audit. Penalties up to INR 250 crore per breach.

2. ABDM voluntary alignment (where integration applies)

ABHA health ID, Healthcare Professionals Registry, Health Facility Registry, Personal Health Records, Health Information Exchange / Consent Manager. NHA security guidelines on authentication, encryption, consent capture via Consent Manager, audit logging and breach notification — required for ABDM Sandbox certification, voluntary otherwise.

3. SOC 2 Type 2 and HIPAA-equivalent overlay (US-facing platforms)

AICPA Trust Services Criteria — Security mandatory, often Availability and Confidentiality. HIPAA Security Rule (45 CFR Part 164 Subpart C) applies as a Business Associate when the platform processes PHI of US residents on behalf of a covered entity. Security Risk Analysis under §164.308(a)(1)(ii)(A), administrative / physical / technical safeguards, BAA support.

4. App Store / Play Store health-data policy

Apple HealthKit policy and App Store Review Guidelines section 5.1.3, Google Play Health Apps policy and Health Connect API requirements. End-to-end encryption of health data, prohibition on third-party advertising of health data, explicit consent for any data sale, mandatory privacy nutrition label disclosures. FTC scrutiny of mental-health and consumer-health-data sharing as a separate enforcement vector.

Standards & reference material

DPDP Act 2023 (India) and DPDP Rules 2025

link ↗

Digital Personal Data Protection Act 2023 with operative DPDP Rules following in 2025. Data Fiduciary obligations across lawful processing, consent, purpose limitation, retention, breach notification and grievance officer. Significant Data Fiduciary tier triggers DPIA, DPO appointment and independent data audit obligations. Enforced by the Data Protection Board of India. Penalties up to INR 250 crore per breach.

Ayushman Bharat Digital Mission (ABDM) — National Health Authority

link ↗

ABHA health ID, Healthcare Professionals Registry, Health Facility Registry, Personal Health Records, Health Information Exchange / Consent Manager and the Unified Health Interface. NHA Sandbox security guidelines prescribe authentication, encryption, consent capture, audit logging and breach notification for integrating products.

HIPAA Security Rule — US Department of Health and Human Services

link ↗

45 CFR Part 164 Subpart C. Administrative, physical and technical safeguards for electronic Protected Health Information. Applies to Indian healthtech platforms acting as Business Associates of US covered entities. Security Risk Analysis under §164.308(a)(1)(ii)(A) is the artefact OCR consistently cites in settlement actions.

AICPA SOC 2 Trust Services Criteria

link ↗

2017 TSC with 2022 points of focus. Common Criteria CC1–CC9 mandatory for the Security category, supplemented by Availability, Processing Integrity, Confidentiality and Privacy criteria where in scope. The default trust pack Indian healthtech ships to US payers, employer health plans and provider networks.

Apple HealthKit and Google Play Health Apps policy

link ↗

App Store Review Guidelines section 5.1.3, HealthKit framework data-handling requirements; Google Play Health Apps policy and Health Connect API requirements. End-to-end encryption of health data, prohibition on third-party advertising of health data, explicit consent for any sale of health data, mandatory privacy disclosure labels.

AxVeil healthtech-India engagement model

A typical Series A+ healthtech engagement runs as a 4-6 week cycle (patient app + clinician portal + admin + API + cloud + mobile) followed by an annual repeat and quarterly retests. AxVeil contracts directly for DPDP advisory, SOC 2 readiness, HIPAA-equivalent overlay and App Store / Play Store policy review. ABDM Sandbox certification security audits — where the NHA requires an empanelled signature on the certification submission — are delivered under sub-contract to an empanelled partner.

Week 0 — Scoping & contracting path
Confirm asset inventory, audience overlay (DPDP only / DPDP + SOC 2 / DPDP + SOC 2 + HIPAA / DPDP + ABDM), test-account provisioning at every role (patient, clinician, admin), in-scope cloud accounts, mobile platforms. Where ABDM Sandbox certification is in scope, the empanelled partner is named up front and joins the kick-off.
Week 1 — Recon & data-flow modelling
Subdomain and JavaScript route mining, API schema extraction (OpenAPI / GraphQL SDL where available), document-store URL guessability sweep (S3 / GCS / Azure Blob), patient-data flow diagram, lawful-basis-per-purpose matrix, Significant-Data-Fiduciary classification check.
Week 2-3 — Manual application testing
OWASP ASVS L2 across patient app, clinician portal, admin console. OWASP API Top 10 across REST / GraphQL APIs. Multi-tenant boundary testing — BOLA, BFLA, mass assignment, IDOR — particularly across hospital and provider accounts. Phone-and-OTP authentication testing (the dominant identity model in Indian healthtech). Document-store ACL testing.
Week 3-4 — Mobile, cloud & ABDM
iOS and Android app review against OWASP MASVS, plus the Apple HealthKit / Google Play Health Apps policy compliance review. AWS / GCP / Azure control-plane review against CIS Benchmarks. Where ABDM endpoints are in scope: ABHA authentication flow, Consent Manager integration, HIE callback handling, NHA Sandbox security guideline mapping.
Week 4-6 — Reporting & evidence pack
Single PDF (60–150 pages) plus the audience-specific evidence packs — DPDP personal-data inventory and breach-notification runbook, SOC 2 Type 2 control-mapping appendix where applicable, HIPAA Security Risk Analysis where applicable, App Store / Play Store pre-submission compliance memo where applicable. JSON export for Jira / Linear / GitHub Security.
Week 6-10 — Remediation & retest
Remediation owned by your engineering team. One free retest of every Critical, High and Medium finding marked remediated. Retest report appended to the original PDF; updated Letter of Attestation on full PASS issued for the buyer-side reviewer (US payer, hospital chain, App Store reviewer).

Sample artefacts handed back

Pentest PDF (60–150 pages)
Executive summary, technical findings with CVSS v3.1 + v4.0, ASVS / API Top 10 / MASVS / CWE mapping, reproduction steps, remediation guidance with code samples, retest section.
DPDP Act 2023 evidence pack
Personal-data inventory, lawful-basis matrix per processing purpose, consent-architecture diagram, retention-timeline policy, breach-notification runbook (Data Protection Board timeline plus affected Data Principal communication), grievance-officer mandate. Significant Data Fiduciary classification memo and DPIA template where applicable.
SOC 2 Type 2 control-mapping appendix
Per-finding mapping to AICPA TSC CC1–CC9, plus Availability A1 and Confidentiality C1 where in scope. Drops directly into the auditor's evidence request list during fieldwork. Letter of Attestation on PASS.
HIPAA Security Risk Analysis (US-facing platforms)
Documented assessment satisfying §164.308(a)(1)(ii)(A). Asset inventory, threat enumeration, vulnerability findings, risk scoring, remediation plan with named owners. Administrative / physical / technical safeguards mapping under §164.308 / §164.310 / §164.312. Business Associate Agreement templates and reviewer notes.
ABDM integration security memo (where applicable)
ABHA authentication flow review, Consent Manager integration review, HIE callback handling review, NHA Sandbox security guideline mapping. For ABDM Sandbox certification submissions the empanelled partner co-reviews and signs.
App Store / Play Store pre-submission compliance memo
HealthKit framework requirements, App Store Review Guidelines section 5.1.3 review, Google Play Health Apps policy and Health Connect API review. Privacy nutrition label / data-safety form fields prepared for submission. Mental-health and consumer-health-data review against FTC enforcement precedent (BetterHelp / GoodRx settlement matter).

Related work

Services
Reading
Sibling industries

Frequently asked questions

Is health data treated differently under the DPDP Act 2023?+

The DPDP Act 2023 does not formally categorise "sensitive personal data" the way the older draft Personal Data Protection Bill did — every category of personal data is treated under the same Data Fiduciary regime. In practice though, health data carries operational consequences any reasonable Data Fiduciary will treat as elevated risk: the consequences of breach are higher (medical-record exposure, stigma, insurance impact), most healthtech platforms cross the Significant Data Fiduciary thresholds quickly (volume, sensitivity, risk to Data Principal rights), and the DPDP Rules 2025 introduce additional procedural requirements for high-volume or high-impact Fiduciaries. We scope around that elevated risk: tighter consent capture, stricter retention timelines, dedicated breach-notification runbook, and (where the platform is likely classified Significant Data Fiduciary) the DPIA, DPO appointment and independent data audit obligations.

Do we need to integrate with ABDM?+

Integration with the Ayushman Bharat Digital Mission — ABHA health ID, Healthcare Professionals Registry, Health Facility Registry, Personal Health Records and the Health Information Exchange / Consent Manager — is voluntary in 2026 for most private healthtech in India. It is not voluntary if you are competing for government tenders, integrating with public-health programmes, or building a product whose value depends on cross-platform record portability. ABDM operates under the National Health Authority's technical and security guidelines, which prescribe authentication (FIDO2 / OAuth2 / OIDC patterns), encryption, consent capture via the Consent Manager, audit logging and breach-notification obligations beyond those in the DPDP Act. AxVeil scopes the NHA guidelines explicitly when an ABDM endpoint is in scope; otherwise we focus on DPDP, the buyer-side overlay (SOC 2 / HIPAA equivalent for US-facing platforms) and the foundational application security work.

We sell into US payers and providers. What does HIPAA-equivalent overlay actually mean?+

The HIPAA Security Rule (45 CFR Part 164 Subpart C) does not have territorial limits — if your platform processes Protected Health Information of US residents on behalf of a covered entity (a hospital, payer, clinical lab, employer health plan), you become a Business Associate and the Security Rule applies regardless of where you are headquartered. The Office for Civil Rights at HHS settles enforcement actions with non-US entities periodically. AxVeil's healthtech-India engagements include an optional HIPAA-equivalent overlay: Security Risk Analysis under §164.308(a)(1)(ii)(A), administrative / physical / technical safeguards mapping under §164.308 / §164.310 / §164.312, Business Associate Agreement support, and where applicable a SOC 2 Type 2 evidence pack tuned for the Trust Services Criteria most US payers ask about (Security CC1–CC9, Availability A1, Confidentiality C1).

What does App Store and Play Store policy add to a fitness or mental-health app?+

Both stores publish health-data policies that apply on top of the platform's general developer terms. Apple's HealthKit and HealthKit-adjacent policy (App Store Review Guidelines section 5.1.3 and HealthKit framework requirements) covers end-to-end encryption of health data, prohibition on third-party advertising of health data, prohibition on selling health data without explicit user consent, and disclosure obligations in the privacy nutrition label. Google Play's Health Apps policy and Health Connect API requirements track similarly. Mental-health apps additionally face the FTC's ongoing scrutiny of consumer-facing health-data sharing — BetterHelp and GoodRx settlements set the bar. AxVeil reviews the data flow against both store policies and the relevant regulator expectations during the engagement and produces a pre-submission compliance memo when the next store review cycle is imminent.

How do you handle the foreign-customer SOC 2 driver alongside Indian DPDP?+

The two regimes overlap on the technical control set roughly 70-80%. Encryption, access control, audit logging, vulnerability management, change management, incident response — all common. The structural differences are governance (Indian DPDP requires a published grievance officer; SOC 2 expects a documented vendor-management programme) and the cross-border transfer regime. We map every test case to both source standards — DPDP Act 2023 section reference and AICPA Trust Services Criteria reference — so a single evidence pack drops cleanly into both submissions. For platforms that also process US PHI, the HIPAA Security Rule overlay slots into the same evidence base (HIPAA §164.308 maps onto DPDP retention / governance, §164.310 onto DPDP physical safeguards, §164.312 onto DPDP technical safeguards). One engagement, three audiences.

Is AxVeil empanelled with the National Health Authority for ABDM?+

AxVeil is not on the NHA's ABDM Sandbox security-auditor list, and AxVeil is not on the CERT-In Information Security Auditor empanelment list either. For ABDM Sandbox certification security audits — where the NHA requires an empanelled auditor on the report — AxVeil delivers the technical engagement under sub-contract to an empanelled partner who signs the certification submission. For everything else — DPDP advisory, foundational application security, SOC 2 readiness, HIPAA-equivalent overlay, platform-buyer security questionnaire response — AxVeil contracts directly. The buyer is told up front which contracting path the engagement takes.

Scope a healthtech-India engagement

Send the platform type (telemedicine, EHR, lab-tech, pharmacy-tech, mental-health, fitness), the audience overlay (DPDP / DPDP + SOC 2 / DPDP + SOC 2 + HIPAA / DPDP + ABDM), the mobile platforms in scope and the cloud (AWS / GCP / Azure). We respond with a fixed-fee proposal, the contracting path (direct or sub-contracted via empanelled partner for ABDM certification) and a redacted sample report from a comparable engagement under NDA.

Request a scoping call