MediEco · MOH Audit Prep + External Pen-Test · 7 Jan

1. 🎯 Phase Summary

Phase	MOH Audit Prep + External Pen-Test
Duration	7 Jan - 28 Feb 2027 (8 weeks)
Goal	Compliance pack complete · external pen-test passed · MOH walkthrough rehearsed · regulator briefing material ready · Q6 gate satisfied · production cert defensible
Capacity	3.5 FTE (1 Compliance Lead + 1 Eng Lead + 1 BE + 0.5 DevOps) + 1 external compliance consultant + 1 external pen-test firm
Critical milestone	28 Feb 2027 · Q6 production cert · GO LIVE 1 Mar
Blocked by	Hi-End upgrade complete · 4-5 tenants on-prem inference
Blocks	1 Mar 2027 production live

Clinical safety: SOAP accuracy · CPG citations · DDI flag accuracy · ADR reporting · clinical override audit
Privacy + PDPA: Patient consent · data retention · cross-border data restriction · audio purge · access logs
Multi-tenant isolation: Tenant scope on every query · cross-tenant access requires explicit consent · audit on both sides
Audit immutability: WORM audit log · M9 verification · sign-off audit hash chain
NPRA pharmacovigilance: ADR Form ADR-1 submissions · stock movement reporting · controlled substances handling
MyInvois compliance: e-Invoice format · LHDN integration · receipt traceability
Cybersecurity: Authentication · authorisation · transport security · data-at-rest encryption · key management
AI governance: Model versioning · feature flag audit · HITL log · bias monitoring · clinical override rate
Disaster recovery: RPO ≤ 1h · RTO ≤ 4h · tested restore · multi-region backup

14 documents · binder-ready · sign-off by named owner · cross-referenced.

#	Document	Owner	Length
1	System Description (clinical context)	Doc Zam + Founder	~20pp
2	Architecture + Data Flow	Eng Lead	~15pp
3	Patient Data Model + Lifecycle	BE	~10pp
4	Consent Framework + PDPA Mapping	Compliance Lead + Legal	~12pp
5	AI Model Inventory + Versioning	Prompt Eng + Eng Lead	~8pp
6	Clinical Decision Support Risk Assessment	Doc Zam + Compliance Lead	~15pp
7	Audit Log Architecture + Immutability Proof	Eng Lead	~6pp
8	NPRA + MyInvois Compliance	BE + Compliance Lead	~8pp
9	Multi-Tenant Isolation Proof	Eng Lead + Pen-test firm	~10pp
10	Cybersecurity Posture (NIST CSF mapping)	DevOps + Compliance Lead	~12pp
11	Disaster Recovery + Business Continuity	DevOps	~8pp
12	Incident Response Runbook	Eng Lead	~10pp
13	Pilot + Production Outcome Metrics	Founder + Doc Zam	~15pp
14	Q1-Q5 Gate Evidence Pack	Eng Lead + Compliance Lead	~30pp
TOTAL			~180pp

Vendor: Independent CREST-accredited firm · clinical SaaS experience preferred · Malaysian-registered
Scope: External web · authenticated app · multi-tenant isolation · API · LLM injection · audit log tamper · physical (basic) · social (basic)
Methodology: OWASP ASVS L2 · OWASP MASVS for tablet UI · OWASP LLM Top 10 (prompt injection · data exfil · model theft)
Duration: 3 weeks active testing + 1 week report + 2 weeks remediation + 1 week retest
Pass criteria: 0 critical · 0 high · ≤ 3 medium with mitigations · all low triaged
Deliverable: Executive summary · technical report · evidence pack · remediation log · retest letter

W17-13 Jan · Compliance Lead + Consultant Onboard
Compliance Lead in seat · external consultant kicks off · doc 1 + 2 drafted.

W214-20 Jan · Doc Pack Drafting Sprint
All 14 docs first draft · cross-team interviews · clinical risk assessment with Doc Zam.

W321-27 Jan · Pen-Test Active · Doc Review Round 1
Pen-test firm starts active testing · doc round-1 reviewed · gaps identified · iterate.

W428 Jan-3 Feb · Pen-Test Mid + Remediation Begins
Pen-test mid-report shared · critical/high findings remediated immediately · doc round-2 ready.

W54-10 Feb · Pen-Test Report + Remediation Sprint
Final pen-test report · remediation closeout · evidence binders assembled.

W611-17 Feb · Pen-Test Retest + Doc Pack Final
Retest letter received · doc pack final review · external compliance consultant attestation.

W718-24 Feb · MOH Walkthrough Rehearsal
Q&A drills · 2-day rehearsal · 100+ likely regulator questions · script binder.

W825 Feb-28 Feb · MOH Walkthrough + Q6 Decision
MOH walkthrough · evidence presented · 28 Feb Q6 gate decision · GO/NO-GO for 1 Mar production.

Binder 1: System Description + Architecture (docs 1-2)
Binder 2: Data Model + Privacy (docs 3-4)
Binder 3: AI Model + Clinical Risk (docs 5-6)
Binder 4: Audit + NPRA + MyInvois (docs 7-8)
Binder 5: Multi-Tenant + Cybersecurity (docs 9-10)
Binder 6: DR + Incident Response (docs 11-12)
Binder 7: Pilot Outcomes + Q1-Q5 Gates (docs 13-14)
Binder 8: Pen-Test Report + Retest + Remediation Log
Digital evidence portal: signed PDFs · audit log exports · monitoring snapshots · video walkthroughs

Mock-question category	Examples
Clinical safety	"What if SOAP misses an allergy?" · "How do you prevent over-triage?" · "Show me a clinical override with rationale."
Privacy + PDPA	"Where is patient consent stored?" · "Show me audio retention timeline." · "How do you handle revocation?"
Multi-tenant	"Show me proof Tenant A cannot read Tenant B." · "What audit trail exists when patient consents to share?"
AI governance	"Who approves model upgrades?" · "Where is your bias monitoring dashboard?" · "Show me HITL override log."
NPRA/MyInvois	"Show me an ADR Form ADR-1 submission with ack." · "Show me an e-Invoice round-trip."
Cybersecurity	"Pen-test report results?" · "Encryption at rest?" · "Key rotation policy?"
DR/BC	"Walk me through a 4-hour outage." · "Show me a tested restore from last quarter."
Outcomes	"Pilot metrics?" · "Network effect data?" · "Adverse outcomes investigated?"

Role	Allocation	Source
Compliance Lead (new hire)	1.0 FTE	Internal · 8 weeks
Eng Lead	1.0 FTE	Internal
BE Dev	1.0 FTE	Internal
DevOps	0.5 FTE	Internal
Founder	0.5 FTE	Internal · stakeholder + walkthrough lead
Doc Zam	0.5 FTE	Internal · clinical risk assessment + Q&A
Compliance consultant	0.5 FTE	External · 8 weeks · attestation
Pen-test firm	—	External · 7 weeks (test + retest)

Item	Cost	Notes
Compliance consultant	RM 30K-45K	8 weeks · attestation included
Pen-test firm	RM 40K-60K	3 weeks active + retest · CREST-accredited
Compliance Lead salary (8 weeks)	RM 32K	Continues post-audit as ongoing role
Internal effort (3.5 FTE × 8 weeks)	RM 70K	Opportunity cost
Binder + printing + travel	RM 5K	Physical evidence + MOH meeting
Total	~RM 180-220K	One-time prep cost

Doc pack: 14 documents complete · external consultant attestation signed
Pen-test: 0 critical · 0 high · ≤ 3 medium remediated/mitigated · retest letter signed
Pilot evidence: 8-week pilot data · 6 weeks onboarding · > 50 cross-clinic fetches
Clinical safety: 0 P0 incidents in last 60 days · < 5 P1 · all closed
Doc Zam written attestation: "MediEco is clinically defensible for production deployment"
MOH walkthrough: Conducted · feedback documented · gaps closed
Production runbook: Tested 3× · on-call rota active · escalation chain printed
1 Mar production cutover plan: Approved by Founder + Doc Zam + Compliance Lead

Risk	Trigger	Response
Pen-test critical finding	Critical sev	Immediate hot-fix sprint · slip Q6 by 2 weeks if needed
Compliance consultant unavailable	Late onboarding	Engage backup firm · expand internal Compliance Lead scope
Doc pack incomplete	< 12/14 by W6	Triage remaining as P0 · external writer on-call
MOH walkthrough scheduling slip	Regulator unavailable	Push 1 Mar production by 2-4 weeks · keep tenants on extended pilot mode
External attestation withheld	Consultant rejects	Address findings · escalate to second consultant · NO production launch without attestation