Knowledge Center / ABDM Health Data
National Health Authority · India

ABDM / Health Data Security Audit

Security and privacy audit for the Ayushman Bharat Digital Mission ecosystem.

1. Introduction: The ABDM Health Data Security Audit

The Ayushman Bharat Digital Mission (ABDM), formerly the National Digital Health Mission (NDHM), is India's flagship programme to create a seamless, interoperable digital health ecosystem. Governed by the National Health Authority (NHA) under the Ministry of Health and Family Welfare, ABDM establishes the digital public infrastructure (DPI) that connects patients, doctors, hospitals, diagnostic labs, pharmacies, insurers and public-health authorities through federated, consent-driven exchange of health records. Because this ecosystem processes some of the most sensitive personal data that exists, ABDM enforces a rigorous set of technical, procedural and legal security controls that every participating entity must satisfy before and during integration.

The ABDM Health Data Security Audit is the assurance activity through which a Health Information Provider (HIP), Health Information User (HIU), Health Repository Provider (HRP), Health Locker, Consent Manager or other integrator demonstrates that it meets the security, privacy and interoperability obligations of the ABDM Sandbox and Milestone framework. In practice this maps to the NHA's Health Data Management (HDM) Policy, the ABDM Data Privacy Policy, the milestone-based go-live gates (M1, M2, M3), and the underlying Indian legal instruments: the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 (including the SPDI Rules, 2011 and CERT-In directions of 28 April 2022), and, where applicable, ISO/IEC 27001 and NABH digital-health standards.

This guide is written for two audiences at once. For the auditor or assessor, it enumerates every control family, the specific evidence to demand, the milestone-based certification lifecycle and the scoring rationale. For the implementer or product team, it translates each requirement into concrete engineering, DevSecOps and governance deliverables so that a health-tech product can pass its ABDM milestone gate and sustain compliance thereafter.

Copyright and source note
The ABDM Health Data Management Policy, ABDM Data Privacy Policy, Sandbox documentation and milestone criteria are published by the National Health Authority, Government of India. This guide is CyberSigma's original interpretation and auditor commentary; it paraphrases requirements for practitioner use and does not reproduce NHA copyrighted text. Always verify against the authoritative documents on the official ABDM Sandbox portal and the current NHA circulars, as milestone criteria and API specifications are versioned and evolve. Where this guide references the DPDP Act, 2023 and CERT-In directions, those are Government of India statutory instruments.

2. What is ABDM Health Data Security

ABDM is built on a federated architecture: health records are not centralised in a single national database. Instead, records remain with the originating provider (the HIP) and are exchanged on demand, with the patient's explicit, purpose-bound, time-bound consent, to a requesting user (the HIU) through the Health Information Exchange and Consent Manager (HIE-CM). Security in ABDM is therefore not merely perimeter defence; it is the assurance that identity, consent, encryption, interoperability and auditability hold across independent organisations that have never met, over public networks, at population scale.

The ABDM Health Data Security scope spans five interlocking layers. The identity layer covers ABHA (Ayushman Bharat Health Account, formerly Health ID) creation and authentication, and Healthcare Professionals Registry (HPR) and Health Facility Registry (HFR) enrolment. The consent layer covers the consent artefact lifecycle managed by the Consent Manager, including grant, fetch, notify, revoke and expiry. The exchange layer covers the FHIR R4 based data-transfer flows over the HIE-CM gateway, secured with mutual TLS, request signing and payload encryption. The data-protection layer covers encryption at rest and in transit, key management, data minimisation, retention and de-identification. The governance layer covers policies, DPO accountability, grievance redressal, breach reporting and third-party assurance.

An ABDM Health Data Security Audit evaluates all five layers against the applicable milestone criteria and the HDM Policy principles: notice, choice and consent, purpose limitation, collection and use limitation, data quality, security safeguards, accountability, and the rights of the data principal (access, correction, portability, erasure, nomination and grievance).

3. Who must comply

Any entity that integrates with ABDM building blocks, or that processes ABHA-linked health data, falls within scope. The specific obligations vary by the role the entity plays in the ecosystem. An organisation may hold more than one role simultaneously (for example, a hospital chain is typically both an HIP and an HIU).

ABDM role / entityDescriptionPrimary security obligations
Health Information Provider (HIP)Hospitals, clinics, labs, pharmacies, radiology centres that create and hold patient recordsLink care contexts to ABHA, respond to consent-based data requests, encrypt and sign FHIR bundles, maintain audit trails
Health Information User (HIU)Providers, insurers, researchers, apps that request and consume health recordsRaise valid consent requests, honour purpose and expiry, secure received data, delete on expiry
Health Repository Provider (HRP) / Health LockerPHR apps and lockers storing patient-controlled recordsStrong encryption at rest, patient-controlled access, secure key custody, no secondary use without consent
Consent Manager (HIE-CM)Manages consent artefacts and mediates exchange (e.g., ABDM's own CM)Consent artefact integrity, non-repudiation, notification, revocation propagation
Interoperable PHR / third-party appPatient-facing applications integrating ABHA loginSecure ABHA authentication, session security, least-privilege data access
Insurers and TPAs (via ABDM/NHCX)Claims processing using health dataPurpose-limited access, consent verification, PII/PHI protection in claims pipeline
Technology Service Providers (TSP) / integratorsVendors building ABDM integration for providersSecure SDLC, secrets management, contractual data-processing controls under DPDP
Government health programmes and state agenciesPublic-health analytics and programme deliveryDe-identification, aggregate use, lawful basis, data-sharing agreements
  • Milestone-gated entities: Any applicant progressing through the ABDM Sandbox from M1 to M3 must demonstrate security controls appropriate to their milestone before production credentials are issued.
  • DPDP-regulated Data Fiduciaries: All the above are Data Fiduciaries (or Data Processors) under the DPDP Act, 2023, and large-volume processors may be notified as Significant Data Fiduciaries with enhanced duties (DPO, DPIA, independent audit).
  • CERT-In reporting entities: All service providers, intermediaries and data centres must comply with the CERT-In directions of 28 April 2022 (6-hour incident reporting, log retention, clock synchronisation).

4. Structure of the ABDM Health Data Security framework

The audit is organised into control domains that map to the HDM Policy principles, the milestone criteria and the underlying statutory obligations. Each domain decomposes into control families and individual, testable controls. The table below sets out the domain architecture used throughout this guide; the master checklist in section 5 then enumerates each family in detail.

Domain IDDomainRepresentative control familiesPrimary source
D1Governance, Policy and AccountabilityHDM policy adoption, DPO, roles, third-party governanceHDM Policy; DPDP s.8-10
D2Consent ManagementConsent artefact lifecycle, purpose/expiry, revocation, notificationHDM Policy; HIE-CM spec
D3Identity and Access ManagementABHA/HPR/HFR verification, authN/authZ, session, privileged accessABDM IAM; DPDP; ISO 27001 A.5.15-A.5.18
D4Data Protection and CryptographyEncryption in transit/at rest, key management, signing, tokenisationSPDI Rules; ISO 27001 A.8.24; NIST
D5Interoperability and Secure ExchangeFHIR R4 conformance, mTLS gateway, request signing, schema validationABDM FHIR/HIE-CM spec
D6Data Lifecycle and MinimisationCollection limitation, retention, de-identification, deletion, portabilityHDM Policy; DPDP s.6-8
D7Application and Product SecuritySecure SDLC, VAPT, API security, mobile/PHR app hardeningOWASP ASVS/MASVS; CERT-In
D8Infrastructure and Cloud SecurityNetwork segmentation, hardening, MEITY-empanelled cloud, backupsCERT-In; ISO 27001 A.8
D9Logging, Monitoring and Audit TrailImmutable audit logs, NTP sync, 180-day retention, SIEMCERT-In directions; ISO 27001 A.8.15-A.8.16
D10Incident Management and Breach Reporting6-hour CERT-In reporting, DPDP breach notice, IR plan, BCP/DRCERT-In; DPDP s.8(6)
D11Data Principal Rights and GrievanceAccess, correction, erasure, nomination, grievance redressalHDM Policy; DPDP s.11-14
D12Third-Party and Supply-Chain AssuranceProcessor contracts, sub-processor control, SBOM, due diligenceDPDP s.8(2); ISO 27001 A.5.19-A.5.23

5. Master assessment checklist

This is the core of the audit. Each h3 below corresponds to a control domain from section 4. For every family the tables state precisely what the assessor must verify and the typical evidence that satisfies each control. Implementers should treat the 'What to verify' column as an acceptance criterion and the 'Typical evidence' column as a deliverables list. No control area is omitted.

D1 — Governance, Policy and Accountability

What to verifyTypical evidence
The entity has formally adopted an internal policy aligned to the ABDM HDM Policy and Data Privacy PolicySigned, board-approved information security and health-data policy with version history and ABDM mapping
A Data Protection Officer / Grievance Officer is appointed with published contact detailsAppointment letter, org chart, published DPO/Grievance Officer contact on website and app
Security and privacy roles and responsibilities (RACI) are documentedRACI matrix; job descriptions referencing ABDM controls
Management review of the ABDM security programme occurs on a defined cadenceMinutes of management/security steering committee meetings
A privacy notice consistent with HDM Policy is presented at point of collectionScreenshots of in-app notice; notice text; consent capture flow
A Data Protection Impact Assessment (DPIA) has been performed for ABDM data flowsCompleted DPIA report with risk treatment plan
Risk register covering health-data risks is maintained and reviewedRisk register with owners, ratings and treatment status

D2 — Consent Management

Consent is the legal and technical spine of ABDM. Every data exchange must be traceable to a valid, unexpired, purpose-matched consent artefact. This family is scrutinised more heavily than any other during a milestone assessment.

What to verifyTypical evidence
Consent artefacts capture purpose, HI types, date range, data-eraser expiry and requester/receiverSample consent artefact JSON; HIE-CM consent init/grant logs
The system enforces purpose limitation — data is used only for the granted purpose codeAccess-control test showing purpose mismatch is rejected; code review of authorisation guard
Consent expiry and data-eraser dates are enforced; expired data is deletedAutomated deletion job logs; test evidence of post-expiry denial and record erasure
Consent revocation is honoured immediately and propagatedRevocation event logs; test showing access blocked after revoke
Consent notifications are sent to the data principal on grant, fetch and revokeNotification logs; sample notification payloads to CM
Consent artefacts are signed and tamper-evident (non-repudiation)Signature verification records; digital signature validation logs
Auto-approval or standing consent (if used) is bounded and lawfulConfiguration of auto-approval policies; scope limits; audit of triggered grants
Consent for minors and nominees follows HDM Policy (guardian/nominee handling)Guardian-consent flow evidence; nominee configuration; age-gating logic

D3 — Identity and Access Management

What to verifyTypical evidence
ABHA number/address is verified through the official ABDM authentication flow (Aadhaar OTP, mobile OTP, or biometric as configured)Auth flow diagrams; API logs showing verification; no local Aadhaar storage without lawful basis
Healthcare professionals are validated against HPR before privileged clinical actionsHPR verification API logs; provider onboarding records
Health facilities are registered and validated against HFRHFR facility ID mapping; registration certificates
Multi-factor authentication is enforced for administrative and clinical usersMFA policy and enforcement configuration; sample login audit
Role-based access control implements least privilege for health dataRBAC matrix; access-review reports; segregation-of-duties evidence
Session management is secure (timeout, re-authentication, token expiry, no fixation)Session config; token TTL settings; VAPT session tests
Privileged access is logged, time-bound and reviewed (PAM)Privileged access logs; break-glass procedure; quarterly access recertification
Service-to-service credentials (client ID/secret, API keys) are rotated and vaultedSecrets-vault inventory; rotation policy; no secrets in code (SAST/secret-scan report)

D4 — Data Protection and Cryptography

What to verifyTypical evidence
All data in transit uses TLS 1.2+ (preferably 1.3) with strong cipher suites; mTLS on ABDM gateway callsTLS scan (SSL Labs/testssl); cipher configuration; mTLS certificate inventory
Health data at rest is encrypted with AES-256 or equivalentStorage encryption configuration; DB/TDE settings; disk encryption evidence
Cryptographic keys are managed in an HSM or MEITY-recognised KMS with defined lifecycleKMS/HSM inventory; key rotation policy; access controls to key material
Payloads exchanged over HIE-CM are encrypted and signed per ABDM crypto spec (e.g., ECDH key exchange, hybrid encryption)Encryption implementation review; interop test logs; key-exchange handshake capture
Sensitive fields are tokenised/masked in non-production and in logsData-masking config; log samples showing no PHI leakage; non-prod data policy
Certificate lifecycle is managed (issuance, renewal, revocation, no expiry gaps)Certificate inventory with expiry monitoring; renewal runbook
No hardcoded keys, weak algorithms (MD5, SHA-1, DES) or deprecated protocols in useSAST/crypto-scan report; algorithm inventory

D5 — Interoperability and Secure Exchange

What to verifyTypical evidence
Data is exchanged as valid FHIR R4 bundles conforming to ABDM profiles (DiagnosticReport, Prescription, OPConsultation, DischargeSummary, etc.)FHIR validator output; sample bundles; ABDM profile conformance report
All ABDM gateway calls (/care-contexts, /consents, /health-information) succeed against the sandbox test suiteSandbox milestone test results; API call/response logs
Requests to the gateway are signed and carry correct HIP/HIU identifiersRequest signing implementation; header inspection; signature verification
Input validation and schema validation reject malformed or oversized payloadsNegative test cases; WAF/validation logs; fuzzing results
Idempotency and correlation IDs (X-CM-ID, transaction IDs) are handled correctlyTransaction trace logs; idempotency test evidence
Data-push callbacks (/on-*) are authenticated and processed securelyCallback authentication config; replay-protection evidence
Interoperability does not leak more data than the consent scope permitsField-level scope test; bundle content vs consent HI types comparison

D6 — Data Lifecycle and Minimisation

What to verifyTypical evidence
Only data necessary for the stated purpose is collected (collection limitation)Data-flow inventory; field-level justification; data map
A documented retention schedule exists and is enforced for health recordsRetention policy; automated retention/deletion jobs; deletion logs
Data received by an HIU is deleted on consent expiry / data-eraser datePost-expiry deletion evidence; scheduled purge logs
De-identification/anonymisation is applied for analytics and secondary useDe-identification method (k-anonymity/pseudonymisation); re-identification risk assessment
Data portability is supported (patient can export/transfer records)Export feature evidence; FHIR export sample
Secure deletion and media sanitisation procedures exist for decommissioningSanitisation policy; certificates of destruction; crypto-shredding evidence
Backups containing health data are encrypted and access-controlledBackup encryption config; restore test logs; backup access controls

D7 — Application and Product Security

What to verifyTypical evidence
A secure SDLC with threat modelling and security gates is followedSDLC policy; threat models; security sign-off in release pipeline
Application VAPT (web/API) has been performed by a CERT-In empanelled auditor with no open critical/high findingsCERT-In empanelled VAPT report; remediation evidence; re-test/closure certificate
Mobile/PHR apps are hardened per OWASP MASVS (root/jailbreak detection, secure storage, cert pinning, no PHI in logs)MASVS test report; mobile pentest; secure-storage review
APIs follow OWASP API Top 10 controls (authZ per object, rate limiting, no excessive data exposure)API pentest; rate-limit config; BOLA/IDOR test evidence
SAST, DAST and SCA run in CI with policy-based blockingPipeline config; scan reports; dependency-vulnerability (SCA) results
Secrets scanning prevents credentials in source controlSecret-scan reports; pre-commit hooks; vault usage
Security headers, CSRF/XSS protections and input sanitisation are implementedHeader scan; XSS/CSRF test results; security header config

D8 — Infrastructure and Cloud Security

What to verifyTypical evidence
Hosting uses a MEITY-empanelled cloud service provider with data localised in IndiaMEITY empanelment evidence; region configuration; data-residency attestation
Network segmentation isolates health-data workloads (DMZ, private subnets, no direct DB exposure)Network architecture diagram; security-group/firewall rules; segmentation test
Systems are hardened to CIS benchmarks and patched on a defined SLACIS benchmark scan; patch management records; vulnerability SLA report
WAF and DDoS protection front public endpointsWAF policy; DDoS protection config; blocked-attack logs
Configuration management and IaC scanning prevent drift and misconfigurationIaC scan reports (Checkov/tfsec); CMDB; drift-detection logs
Backups follow 3-2-1 and are tested via periodic restoresBackup policy; restore test evidence; RTO/RPO records
Anti-malware/EDR is deployed on servers and endpoints handling health dataEDR coverage report; alerting configuration

D9 — Logging, Monitoring and Audit Trail

What to verifyTypical evidence
Every access to and exchange of health data is logged (who, what, when, on whose consent)Audit-log samples; access-trail export; consent-linked access records
Logs are retained for at least 180 days as required by CERT-In directionsLog-retention configuration; storage evidence; retention policy
System clocks are synchronised to NIC/NPL NTP as required by CERT-InNTP configuration pointing to NIC/NPL; time-sync monitoring
Audit logs are immutable/tamper-evident and access to them is restrictedWORM storage or log-integrity hashing; log-access controls
A SIEM correlates security events and generates alertsSIEM dashboards; use-case/rule catalogue; sample alerts
Security monitoring covers consent misuse and anomalous data accessAnomaly-detection rules; alert on abnormal fetch volumes
Log content excludes plaintext PHI/credentialsLog-scrubbing config; sample logs reviewed for PHI leakage

D10 — Incident Management and Breach Reporting

What to verifyTypical evidence
A documented incident response plan with roles, severities and playbooks existsIR plan; playbooks; contact tree
Cyber incidents are reportable to CERT-In within 6 hours of detectionCERT-In reporting procedure; template; evidence of any prior report/drill
Personal-data breaches are notified to the Data Protection Board and affected principals per DPDPBreach-notification procedure; DPDP-aligned notice template
A defined process notifies ABDM/NHA of security incidents affecting the ecosystemABDM incident notification procedure; escalation matrix
IR is exercised through tabletop or simulation at least annuallyTabletop exercise report; lessons-learned actions
Business continuity and disaster recovery plans exist with tested RTO/RPOBCP/DR plan; DR test results; RTO/RPO metrics
Post-incident root-cause analysis and corrective actions are trackedSample RCA; CAPA tracker

D11 — Data Principal Rights and Grievance

What to verifyTypical evidence
Data principals can access and obtain a copy of their health dataAccess-request workflow; fulfilment evidence
Correction and updating of inaccurate data is supportedCorrection workflow; audit trail of changes
Erasure/withdrawal of consent leads to deletion where lawfulErasure workflow; deletion confirmation to principal
Nomination (nominee to exercise rights) is supported per DPDPNominee configuration; guardian handling for minors
A grievance redressal mechanism with defined SLAs is published and functionalGrievance workflow; SLA policy; sample resolved grievances; escalation to Grievance Officer
Rights requests are authenticated to prevent impersonationIdentity-verification step in rights workflow
Response timelines meet HDM/DPDP expectationsGrievance/rights SLA metrics and adherence report

D12 — Third-Party and Supply-Chain Assurance

What to verifyTypical evidence
Data-processing agreements bind all processors and TSPs to DPDP/HDM obligationsSigned DPAs; data-processing clauses; ABDM flow-down terms
Sub-processors are inventoried, approved and contractually controlledSub-processor register; approval workflow
Third-party security is assessed before onboarding and periodicallyVendor risk assessments; security questionnaires; audit reports (SOC 2/ISO 27001)
A software bill of materials (SBOM) and dependency governance existSBOM; SCA reports; open-source policy
Cloud and infrastructure providers meet ABDM/MEITY residency requirementsProvider attestations; region configuration
Right-to-audit and breach-notification clauses are present in vendor contractsContract clauses; audit-rights evidence
Offboarding ensures data return/destruction by third partiesOffboarding checklist; destruction certificates

6. Scoping the ABDM Health Data Security Audit

Accurate scoping prevents both under-assessment (missing a data flow) and over-assessment (auditing systems that never touch ABDM data). Scope is defined by the ABDM role(s) the entity plays, the milestone being pursued, and the systems, environments and third parties in the health-data path.

  • Roles in scope: Identify every ABDM role the entity performs (HIP, HIU, HRP, PHR app, CM integration). Each role adds control families — an HIU adds strong obligations around received-data deletion; an HIP adds care-context linking and bundle-signing.
  • Milestone in scope: M1 (identity and registry integration), M2 (consent and data exchange in sandbox), M3 (production readiness). The depth of security evidence increases with each milestone.
  • Data flows in scope: Map every path where ABHA-linked data is created, transmitted, stored, processed or deleted, including callbacks and analytics pipelines.
  • Environments in scope: Sandbox and production must both be assessed; non-production environments are in scope where they hold real or realistic health data.
  • Interfaces in scope: HIE-CM gateway, ABHA/HPR/HFR APIs, FHIR endpoints, PHR/patient apps, insurer/NHCX interfaces if applicable.
  • Third parties in scope: Cloud providers, TSPs/integrators, SMS/notification gateways, analytics processors — any party in the data path.
  • Out of scope (justify explicitly): Corporate systems with no health-data path, provided they are network-segregated; document the segregation as evidence.
Scoping tip for assessors
Insist on a current, signed data-flow diagram before fieldwork. If the entity cannot produce one, that is itself a finding under D6 (data lifecycle) and D1 (governance) — you cannot protect data whose path you have not mapped.

7. Implementation approach (phased)

Implementers should treat ABDM readiness as a programme aligned to the milestone gates, not a one-off pentest. The following phases take a health-tech product from zero to sustained compliance.

Phase 1 — Discovery and gap assessment

  • Activities: Confirm ABDM roles and target milestone; map all health-data flows; run a gap assessment against domains D1-D12; perform an initial DPIA; establish the risk register.
  • Deliverables: Role and scope statement, data-flow diagrams, gap-assessment report with prioritised remediation backlog, DPIA v1, risk register.

Phase 2 — Governance and policy foundation

  • Activities: Adopt HDM-aligned policies; appoint DPO/Grievance Officer; define RACI; put DPAs in place with processors; stand up the incident-response and breach-notification procedures (CERT-In 6-hour, DPDP).
  • Deliverables: Approved policy suite, appointment records, DPA templates and signed agreements, IR/BCP/DR plans, grievance mechanism.

Phase 3 — Technical build and hardening

  • Activities: Implement ABHA/HPR/HFR verification, consent lifecycle, FHIR R4 bundles, mTLS and payload encryption/signing; enforce RBAC/MFA, secrets vaulting, encryption at rest, logging with NTP sync and 180-day retention; harden infrastructure on MEITY-empanelled cloud.
  • Deliverables: Working sandbox integration, crypto and key-management implementation, RBAC matrix, centralised logging/SIEM, hardened infrastructure baseline.

Phase 4 — Verification and testing

  • Activities: Run ABDM sandbox milestone test suites; conduct CERT-In empanelled VAPT (web/API/mobile); execute SAST/DAST/SCA; perform interoperability and negative testing; validate consent enforcement and post-expiry deletion.
  • Deliverables: Sandbox milestone pass evidence, VAPT report with closure certificate, scan reports, interoperability conformance evidence, consent-enforcement test pack.

Phase 5 — Milestone certification and go-live

  • Activities: Compile the evidence pack; submit for the target ABDM milestone; obtain production credentials; deploy to production with change control; conduct a production readiness review.
  • Deliverables: Milestone approval, production ABDM credentials, go-live checklist sign-off, production runbooks.

Phase 6 — Sustained compliance and continuous assurance

  • Activities: Continuous monitoring; periodic access recertification; annual VAPT and DPIA refresh; vendor reassessment; incident drills; track KPIs; re-audit on major changes.
  • Deliverables: Continuous-assurance calendar, annual audit reports, updated DPIA, KPI dashboards, drill reports.

8. Maturity / capability model

While ABDM milestones are pass/fail gates, CyberSigma applies a five-level capability model to help entities benchmark and improve beyond the minimum. This model lets an assessor express findings as a maturity score per domain rather than a bare pass/fail, and helps product teams prioritise investment.

LevelNameCharacteristicsIndicative readiness
L1Initial / Ad hocControls absent or informal; no data-flow map; consent handling manual or partialNot milestone-ready
L2DevelopingBasic policies exist; sandbox integration begun; some encryption and logging but gaps in consent enforcement and audit trailsApproaching M1
L3DefinedDocumented, repeatable controls across most domains; consent lifecycle enforced; VAPT performed; logging with retention and NTPM2 capable
L4ManagedControls measured with KPIs; SIEM monitoring; continuous scanning; access recertification; incident drillsM3 / production-ready
L5OptimisingContinuous improvement; automated compliance evidence; threat-led testing; proactive de-identification and privacy engineeringBest-practice, audit-resilient

Scoring guidance: an entity should reach at least L3 across all domains and L4 in D2 (consent), D4 (cryptography) and D9 (logging) before seeking M3 production credentials. Any domain at L1 is a blocking finding.

9. Assessment and audit approach

The audit follows a structured, evidence-led lifecycle. The steps below define how a CyberSigma assessor conducts an ABDM Health Data Security Audit end to end.

  1. Engagement scoping and planning: agree roles, milestone, systems, environments and third parties; issue the evidence request list; agree timelines and access.
  2. Documentation review: examine policies, DPIA, data-flow diagrams, DPAs, IR/BCP plans and prior audit reports against domains D1-D12.
  3. Technical control testing: verify encryption, mTLS, signing, RBAC/MFA, secrets management, logging, NTP sync and retention through configuration inspection and live tests.
  4. Consent and interoperability testing: execute end-to-end flows in the sandbox — consent init/grant/fetch/revoke and FHIR bundle exchange — confirming purpose limitation and expiry deletion.
  5. Security testing review: review or witness CERT-In empanelled VAPT, SAST/DAST/SCA and mobile testing; validate closure of critical/high findings.
  6. Interviews and walkthroughs: interview DPO, engineering, operations and support to corroborate documented controls and grievance handling.
  7. Gap analysis and risk rating: consolidate findings, assign severities and map each to the relevant domain and statutory obligation.
  8. Reporting: issue a findings report with maturity scores, milestone-readiness verdict and a prioritised remediation plan.
  9. Remediation and re-test: verify closure of blocking findings; issue closure/attestation supporting the ABDM milestone submission.
  10. Surveillance and re-audit: schedule periodic re-assessment and trigger-based re-audit on significant change.

10. Evidence request list

The following categorised list is issued at engagement start. Implementers should assemble these artefacts in an evidence pack indexed to the domain IDs in section 4.

  • Governance: HDM-aligned policies, privacy policy, DPO/Grievance Officer appointment, RACI, management-review minutes, DPIA, risk register.
  • Consent: sample consent artefacts, HIE-CM logs, purpose/expiry enforcement test results, revocation and notification logs, minor/nominee handling evidence.
  • Identity and access: ABHA/HPR/HFR verification logs, RBAC matrix, MFA config, access-recertification reports, PAM/break-glass procedures, secrets-vault inventory.
  • Cryptography: TLS/mTLS scans, at-rest encryption config, KMS/HSM inventory, key-rotation policy, ABDM payload encryption/signing implementation notes.
  • Interoperability: FHIR validator output, sandbox milestone test results, gateway API logs, request-signing evidence, negative/schema-validation tests.
  • Data lifecycle: data-flow diagrams, data map, retention schedule, deletion/purge logs, de-identification method, backup encryption and restore evidence.
  • Application security: secure SDLC policy, threat models, CERT-In empanelled VAPT report and closure certificate, SAST/DAST/SCA reports, mobile MASVS report.
  • Infrastructure and cloud: MEITY empanelment evidence, network diagrams, firewall/security-group rules, CIS benchmark scans, patch records, WAF/DDoS config, EDR coverage.
  • Logging and monitoring: audit-log samples, retention config (180-day), NTP config (NIC/NPL), SIEM dashboards and rules, log-integrity evidence.
  • Incident and continuity: IR plan, CERT-In and DPDP breach-notification procedures, tabletop/drill reports, BCP/DR plan and DR test results, sample RCAs.
  • Data principal rights: access/correction/erasure workflows, nomination config, grievance mechanism and SLA metrics, sample resolved grievances.
  • Third party: signed DPAs, sub-processor register, vendor risk assessments, SBOM/SCA, right-to-audit clauses, offboarding/destruction certificates.

11. Roles and responsibilities

RoleResponsibilities in ABDM security programme
Board / Senior ManagementApprove policies and budget; own residual risk; sponsor the ABDM programme; review posture periodically
Data Protection Officer (DPO)Own HDM/DPDP compliance; oversee DPIA, consent governance and breach notification; liaise with NHA and CERT-In
Grievance OfficerHandle data-principal grievances within SLA; maintain grievance register; escalate as required
Chief Information Security OfficerOwn the security control environment (D3-D10); drive VAPT, SIEM, hardening and incident response
Product / Engineering leadImplement ABDM integration, consent lifecycle, FHIR, cryptography and secure SDLC controls
DevSecOps / Platform teamMaintain CI security gates, secrets vaulting, IaC scanning, logging, NTP and cloud hardening
Compliance / Privacy teamMaintain evidence pack, DPAs, retention schedule, rights workflows and audit readiness
SOC / Monitoring teamOperate SIEM, detect consent misuse and anomalies, run incident response and drills
Third-party / Vendor managerManage DPAs, sub-processor register, vendor assessments and offboarding
Independent auditor (CyberSigma)Conduct the ABDM Health Data Security Audit, issue findings, validate remediation and milestone readiness

12. KPIs to track

  • Percentage of data exchanges backed by a valid, unexpired, purpose-matched consent artefact (target 100%).
  • Mean time to enforce consent revocation across systems (target near real-time).
  • Percentage of expired/withdrawn-consent data deleted within SLA (target 100%).
  • Number of open critical/high VAPT findings on ABDM-facing systems (target zero before go-live).
  • Percentage of ABDM endpoints on TLS 1.2+ with mTLS where required (target 100%).
  • Audit-log coverage: percentage of health-data accesses logged with actor, purpose and consent reference (target 100%).
  • Log retention adherence and NTP-sync uptime (target meeting CERT-In 180-day and time-sync requirements).
  • Mean time to detect and mean time to respond to security incidents.
  • CERT-In 6-hour reporting adherence for reportable incidents (target 100%).
  • Grievance resolution within SLA (target 100%) and average resolution time.
  • Percentage of processors under signed DPAs with current risk assessments (target 100%).
  • Access-recertification completion rate and privileged-access review coverage.

13. Readiness checklist

  • ABDM roles and target milestone confirmed and documented
  • Signed data-flow diagrams covering all ABHA-linked data paths
  • HDM/DPDP-aligned policy suite approved; DPO and Grievance Officer appointed
  • DPIA completed and risk register maintained
  • Consent lifecycle (grant, fetch, revoke, expiry, notify) implemented and tested
  • Purpose limitation and post-expiry deletion enforced and evidenced
  • ABHA/HPR/HFR verification integrated; RBAC and MFA enforced
  • TLS 1.2+/mTLS in transit; AES-256 at rest; keys in HSM/KMS with rotation
  • ABDM payload encryption and request signing implemented per spec
  • FHIR R4 bundles conform to ABDM profiles; sandbox milestone tests passed
  • Audit logging with actor/purpose/consent reference; 180-day retention; NIC/NPL NTP sync
  • SIEM monitoring with consent-misuse and anomaly detection
  • CERT-In empanelled VAPT completed with critical/high findings closed
  • SAST/DAST/SCA and secrets scanning in CI; mobile MASVS testing done
  • MEITY-empanelled cloud with India data residency and network segmentation
  • IR plan with CERT-In 6-hour and DPDP breach notification; BCP/DR tested
  • Data-principal rights (access, correction, erasure, nomination) and grievance SLA operational
  • DPAs signed with all processors; sub-processor register and SBOM maintained
  • Evidence pack assembled and indexed to domains D1-D12

14. Common gaps

  • Consent treated as a checkbox rather than enforced: data accessible after expiry or beyond the granted purpose, with no automated deletion on the data-eraser date.
  • Missing or stale data-flow maps, so analytics or logging pipelines quietly carry PHI outside the assessed scope.
  • Plaintext PHI or credentials appearing in application logs and error traces.
  • Weak or default TLS configuration and absent mTLS on gateway calls; deprecated ciphers still enabled.
  • Secrets (client secrets, API keys) hardcoded in source or config instead of a vault, and never rotated.
  • Log retention below the CERT-In 180-day requirement and clocks not synchronised to NIC/NPL NTP.
  • VAPT performed by a non-empanelled tester, or critical/high findings left open at go-live.
  • No CERT-In 6-hour incident-reporting procedure and no DPDP-aligned breach-notification path.
  • Hosting outside MEITY-empanelled/Indian infrastructure, breaching data-residency expectations.
  • Processors and TSPs engaged without signed DPAs, sub-processor inventory or right-to-audit clauses.
  • Grievance mechanism published but non-functional, with no SLA tracking or Grievance Officer accountability.
  • Mobile/PHR apps lacking secure storage, certificate pinning and root/jailbreak detection.

15. ABDM Health Data Security mapped to other frameworks

The ABDM control domains align closely with India's statutory regime and international standards, letting entities reuse existing certifications as evidence. The mapping below is indicative, not one-to-one.

ABDM domainDPDP Act, 2023ISO/IEC 27001:2022CERT-In / other
D1 Governance and Accountabilitys.8 duties, s.10 SDF (DPO, DPIA, audit)A.5.1-A.5.4 policies and rolesNHA HDM Policy; ISO 27701
D2 Consent Managements.6-7 consent, noticeA.5.34 privacy and PII protectionHDM Policy; HIE-CM spec
D3 Identity and Accesss.8(4) reasonable safeguardsA.5.15-A.5.18 access controlABDM ABHA/HPR/HFR spec
D4 Cryptographys.8(5) security safeguardsA.8.24 cryptographySPDI Rules; NIST guidance
D5 Interoperability and Exchanges.8(2) processor obligationsA.8.26 application security requirementsABDM FHIR R4 profiles
D6 Data Lifecycle and Minimisations.6(1) purpose, s.8(7) retentionA.8.10-A.8.12 deletion/maskingHDM Policy de-identification
D7 Application and Product Securitys.8(4) safeguardsA.8.25-A.8.29 secure developmentOWASP ASVS/MASVS; CERT-In VAPT
D8 Infrastructure and Clouds.8(4) safeguardsA.8.1-A.8.9 infrastructureMEITY empanelment; CIS
D9 Logging and Monitorings.8(4) safeguardsA.8.15-A.8.16 logging/monitoringCERT-In (180-day logs, NTP)
D10 Incident and Breachs.8(6) breach intimationA.5.24-A.5.28 incident managementCERT-In 6-hour directions
D11 Data Principal Rightss.11-14 rights and grievanceA.5.34 PII; A.5.32 IP/recordsHDM Policy patient rights
D12 Third-Party Assurances.8(2) processor contractsA.5.19-A.5.23 supplier securityISO 27001/SOC 2 attestations

16. How CyberSigma helps

Partner with CyberSigma for ABDM readiness and assurance
CyberSigma is a CERT-In empanelled cybersecurity firm with PCI QSA credentials and deep experience in Indian health-data compliance. We take health-tech and healthcare-provider teams end to end: ABDM role and milestone scoping, gap assessment against domains D1-D12, DPIA and DPDP alignment, consent-lifecycle and FHIR interoperability validation, CERT-In empanelled VAPT of web/API/mobile, cryptography and key-management review, cloud and logging hardening, and a fully indexed evidence pack for your M1-M3 submissions. Post go-live we provide continuous assurance — annual re-audit, SIEM monitoring guidance, incident-response drills and vendor reassessment — so your ABDM integration stays compliant as the ecosystem evolves. Talk to CyberSigma to book an ABDM Health Data Security readiness assessment.

Frequently asked questions

What data does ABDM protect?
Sensitive personal health data linked to ABHA, governed by the ABDM Health Data Management Policy and India’s DPDP Act.
Official documents

Need help with ABDM Health Data?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.