Partner Data Security Closed‑Loop Management at Haodf Online
This article outlines how Haodf Online implements a closed‑loop partner data security framework—covering background regulations, SDL‑based lifecycle stages, partner information handling, security assessment, API testing, monitoring, and continuous improvement—to protect sensitive medical data across its ecosystem.
Background: With the enactment of China's Data Security Law and Personal Information Protection Law in 2021, Haodf Online, which hosts over 880,000 doctors and serves 76 million patients, handles large amounts of sensitive health data and must protect privacy.
Partner data security management is a key focus, as data leaks often occur through partners; Haodf collaborates with partners on services such as free consultations, inquiries, and prescription purchases, which involve patient identity, medical descriptions, and prescriptions.
Closed‑loop management: Instead of using the generic DSMM lifecycle, Haodf adopts a Software Development Lifecycle (SDL) model to manage partner data across four stages—partner information management, security assessment & design, API security testing, and security monitoring—mirroring SDL’s requirement, design, test, and operation phases.
Partner information management: A partner security management specification defines responsibilities of business, legal, and security teams, and records partner basic info, API details, and sensitive data fields in an asset management platform.
Security assessment & design: Haodf follows a data security compliance assessment specification to evaluate partner data exchange, covering general security posture, data handling, and API design, and produces risk findings.
API security testing: Test cases are derived from the OWASP API Security Top 10 (e.g., authentication, horizontal privilege escalation, data protection). Semi‑automated tools substitute payloads into requests and compare the response lengths with the baseline response to detect unauthorized access and XSS.
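The response-length comparison described above, as an added example rather than Haodf's own tooling: a hypothetical in-memory endpoint in its vulnerable and ownership-checked forms, plus a check that re-sends a record request under a second user's session and flags the endpoint when the non-owner receives the same status and body length as the owner. Record data and user IDs are constructed.

```python
import json

# Constructed sample data standing in for partner-side consultation records.
RECORDS = {
    "c1001": {"patient": "p1001", "desc": "chest pain for two days", "rx": "drug A"},
    "c1002": {"patient": "p1002", "desc": "headache", "rx": "drug B"},
}

def vulnerable_endpoint(session_user, record_id):
    """Hypothetical endpoint that returns any record to any authenticated caller.
    This is the horizontal-privilege-escalation flaw the test case is meant to find."""
    rec = RECORDS.get(record_id)
    if rec is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(rec)

def fixed_endpoint(session_user, record_id):
    """Same endpoint with an ownership check. A foreign record gets the identical
    'not found' response as a missing one, so status and length reveal nothing."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["patient"] != session_user:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(rec)

def check_horizontal_access(endpoint, owner, other, record_id):
    """Fetch one object as its owner, then re-send the request with the other
    user's session substituted in, and compare status and body length.
    An identical status and length from the non-owner is flagged as unauthorized."""
    owner_status, owner_body = endpoint(owner, record_id)
    other_status, other_body = endpoint(other, record_id)
    flagged = other_status == owner_status and len(other_body) == len(owner_body)
    return {
        "record": record_id,
        "owner": (owner_status, len(owner_body)),
        "other": (other_status, len(other_body)),
        "unauthorized_access": flagged,
    }

def run_suite(endpoint):
    """Run the check for every record against one non-owner; returns the flagged findings."""
    findings = []
    for rid, rec in RECORDS.items():
        other = next(r["patient"] for r in RECORDS.values() if r["patient"] != rec["patient"])
        result = check_horizontal_access(endpoint, rec["patient"], other, rid)
        if result["unauthorized_access"]:
            findings.append(result)
    return findings
```

Equal length is a heuristic, so a flagged case should be confirmed by diffing the two bodies. The fixed endpoint also shows why a foreign object must return the same response as a missing one; otherwise the length difference itself confirms that the record exists.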
Security monitoring and analysis: After deployment, API traffic is logged, visualized in dashboards, and abnormal patterns trigger alerts. Data‑security maps, API segmentation, and audit logs enable real‑time risk detection and incident response.
Continuous improvement: Future work includes automated API security testing, refined alerting, and fine‑grained monitoring of sensitive data usage.
Conclusion: Partner data security is tightly coupled with asset management, SDL processes, and monitoring infrastructure; Haodf’s cross‑team collaboration demonstrates the importance of integrated security practices.
HaoDF Tech Team
HaoDF Online tech practice and sharing—join us to discuss and help create quality healthcare through technology.