IMPLEMENTATION OF SNI ISO/IEC 27001:2022 FOR THE PROTECTION OF ELECTRONIC MEDICAL RECORD (EMR) DATA IN HEALTHCARE FACILITIES IN INDONESIA
DOI: https://doi.org/10.36049/qgkk3906

Keywords: healthcare facilities, data protection, electronic medical records (EMR), SNI ISO/IEC 27001:2022

Abstract
The implementation of Electronic Medical Records (EMR) in healthcare facilities in Indonesia is a normative obligation established through health sector regulations and reinforced by Law Number 27 of 2022 concerning Personal Data Protection (PDP Law). Health data are classified as specific personal data that require a high level of protection. SNI ISO/IEC 27001:2022, as the national information security standard, is considered relevant to the protection of EMR data because it requires an Information Security Management System (ISMS) built on a risk management approach. This study critically examines the implementation of SNI ISO/IEC 27001:2022 for the protection of EMR data in Indonesian healthcare facilities from a normative legal perspective. The method is a systematic literature review following the PRISMA protocol and structured by the Theory–Context–Characteristics–Methodology (TCCM) framework. The findings indicate that most of the literature still treats SNI ISO/IEC 27001:2022 as a technical and administrative instrument, without explicitly linking it to the fulfilment of legal obligations under the PDP Law. ISMS implementation tends to be oriented toward procedural compliance and certification, while substantive protection of patients' privacy rights has not yet become the primary focus. These findings affirm that compliance with SNI ISO/IEC 27001:2022 does not constitute a legal safe harbour; rather, it serves as evidence of due diligence that must be integrated with legal compliance governance to ensure comprehensive protection of EMR data.

