
Three departments: strengthen the network security management of medical and health institutions and prevent the occurrence of network security incidents

2025-01-14 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)11/24 Report--

CTOnews.com reported on August 29 that the State Health Commission, the State Administration of Traditional Chinese Medicine and the State Administration of Disease Control have today issued the Measures for the Administration of Network Security in Medical and Health Institutions (hereinafter referred to as the "Measures").

The Measures state that for new networks, the network security protection level shall be determined at the planning and declaration stage. All medical and health institutions shall comprehensively survey the basic situation of all networks of their units, especially applications of new technologies such as cloud computing, the Internet of Things, blockchain, 5G and big data, and, according to the function, service scope, service objects and data processing of each network, determine its security protection level in line with the relevant standards and submit it to the competent department at the next higher level for examination and approval.

In addition, all medical and health institutions shall strengthen security management across the whole data life cycle of collection, storage, transmission, processing, use, exchange and destruction, and all life-cycle activities shall be carried out within China. Where business genuinely requires data to be provided abroad, a security assessment or review shall be conducted in accordance with the relevant laws, regulations and requirements, and data processing activities that affect or may affect national security shall be submitted for national security review, so as to prevent data security incidents.

CTOnews.com notes that medical and health data are used in many everyday scenarios. For example, big data analysis of drug composition, dosage, timing and other conditions can be used to find the best combinations for rational drug use; scientific analysis of large volumes of clinical data can be used to identify causes of disease and to support clinical etiological analysis and chronic disease monitoring.

In addition, big data can rapidly screen for and predict diseases and potential genetic defects through large-scale gene sequence analysis; remote collection of disease data, combined with analysis of large volumes of clinical etiological data, enables telemedicine diagnosis and treatment; data collected from intelligent wearable devices enables monitoring of human vital signs, early warning of potential health risks and health management; and big data and other algorithms are applied to the formulation of health insurance payment standards and to accurate health insurance decision analysis based on them.

In April 2020, the World Health Organization issued a statement saying that the number of cyber attacks during the epidemic had increased fivefold compared with the same period of the previous year. A series of network security reports issued by Qianxin Group pointed out that after the outbreak of the epidemic in 2020, for the first time in its history the health care industry surpassed government, finance, national defense, energy, telecommunications and other sectors to become the primary target of global APT activity (advanced persistent threats: targeted attacks launched against specific organizations for the purpose of stealing core data), with 23.7% of global APT events related to the health care industry. For the first time, China surpassed the United States, South Korea, the Middle East and other countries and regions to become the primary regional target of global APT activity.

The original text is as follows: Notice on Issuing the Measures for the Administration of Network Security in Medical and Health Institutions

To the health commissions and traditional Chinese medicine bureaus of all provinces, autonomous regions, municipalities directly under the Central Government and the Xinjiang Production and Construction Corps, the departments, bureaus and contact units of the organs of the State Health Commission, the China Association for the Aged, the State Administration of Traditional Chinese Medicine and the State Bureau of Disease Control and Prevention:

In order to guide medical and health institutions in strengthening network security management, the State Health Commission, the State Administration of Traditional Chinese Medicine and the State Bureau of Disease Control have formulated the Measures for the Administration of Network Security in Medical and Health Institutions. They are hereby issued to you; please implement them conscientiously.

National Health Commission, National Administration of Traditional Chinese Medicine, National Bureau of Disease Control

August 8, 2022

(form of information disclosure: active disclosure)

Measures for the Administration of Network Security in Medical and Health Institutions

Chapter I General Principles

Article 1 These Measures are formulated in order to strengthen the network security management of medical and health institutions, further promote the development of "Internet + Medical Health", give full play to the role of health care big data as an important basic strategic resource of the country, and prevent the occurrence of network security incidents, in accordance with the Basic Medical and Health Promotion Law, the Network Security Law, the Cryptography Law, the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Critical Information Infrastructure, the Measures for Network Security Review, the network security level protection system and other relevant laws and regulations.

Article 2 Adhere to the principle that network security is for the people and depends on the people; adhere to the integrated development of network security education, technology and industry; adhere to the unity of promoting development and managing according to law; and attach equal importance to security and controllability on the one hand and openness and innovation on the other.

Adhere to hierarchical protection and highlight key points. Focus on ensuring the security of critical information infrastructure, of networks at network security level 3 (hereinafter referred to as level 3) and above, and of important data and personal information.

Adhere to active defense and comprehensive protection. Make full use of artificial intelligence, big data analysis and other technologies to strengthen key work such as security monitoring, situational awareness, notification and early warning, and emergency handling, and implement the "three-izations and six defenses" measures of network security protection: "actual-combat orientation, systematization and normalization" and "dynamic defense, active defense, in-depth defense, precise protection, overall prevention and control, and joint defense and control".

Adhere to the principles of "managing a business means managing its security" and "whoever is in charge is responsible, whoever operates is responsible, whoever uses is responsible", implement the network security responsibility system, and clarify the responsibilities of all parties.

Article 3 The network referred to in these Measures is a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures.

The data referred to in these Measures is network data, meaning all kinds of electronic data collected, stored, transmitted, processed and generated by medical and health institutions through the network, including but not limited to clinical, scientific research, management and other business data, data generated by medical equipment, personal information and data derivatives.

These Measures apply to the security management of networks operated by medical and health institutions. Grass-roots medical and health institutions that are not included in a regional grass-roots health information system shall implement them by reference.

Article 4 The State Health Commission, the State Administration of Traditional Chinese Medicine and the State Administration of Disease Control shall be responsible for the overall planning, guidance, evaluation and supervision of the network security work of medical and health institutions. Local health administrative departments at or above the county level (including traditional Chinese medicine and disease control departments, the same below) shall be responsible for the guidance and supervision of the network security of medical and health institutions within their respective administrative areas.

Medical and health institutions bear the primary responsibility for the network security management of their own units, and all medical and health institutions shall agree in writing with the units participating in information system construction and with the relevant medical equipment manufacturers and operators on the network security obligations of all parties and their liability for breach of contract.

Chapter II Network Security Management

Article 5 All medical and health institutions shall set up a leading group for network security and informatization work, with the principal person in charge of the unit as its leader, convene a network security work meeting at least once a year, deploy key security work, and implement the Regulations on the Security Protection of Critical Information Infrastructure and the requirements of the network security level protection system. Medical and health institutions operating networks at level 2 or above shall clearly designate the functional department responsible for network security management, clearly assign the posts of security supervisor and security administrator, establish a network security management system, strengthen network security protection and emergency handling, and, on this basis, focus on the protection of critical information infrastructure to prevent the occurrence of network security incidents.

Article 6 All medical and health institutions shall, in accordance with the principle of "whoever is in charge is responsible, whoever operates is responsible, whoever uses is responsible", clearly define the management responsibilities of the competent departments, operation departments, information departments and user departments of their networks during network construction, and carry out level protection grading, filing, evaluation, security construction and rectification for the networks within the unit's scope of operation.

(1) For new networks, the network security protection level shall be determined at the planning and declaration stage. All medical and health institutions shall comprehensively survey the basic situation of all networks of their units, especially applications of new technologies such as cloud computing, the Internet of Things, blockchain, 5G and big data, and, according to the function, service scope, service objects and data processing of each network, determine its security protection level in line with the relevant standards and submit it to the competent department at the next higher level for examination and approval.

(2) Level protection filing shall be carried out in accordance with the law when a newly built network is put into use. For a network at level 2 or above, the operator shall file with the public security organ within 10 working days after the network security protection level is determined, and shall report the filing to the health administrative department at the next higher level. Where a network is decommissioned or its security protection level changes, the filing shall be cancelled or changed with the original public security organ within 10 working days, and the superior health administrative department shall be informed at the same time.

(3) Comprehensively sort out and analyze the network security protection requirements and, in accordance with the requirements of "one center (the security management center) and triple protection (secure communication network, secure area boundary, secure computing environment)", formulate an overall plan and construction plan that meets the requirements of the network security protection level, strengthen security management during in-house or outsourced development of information systems, carry out network security construction conscientiously, and fully implement the security measures.

(4) All medical and health institutions shall test and evaluate the security of networks that have been graded and filed. Networks at level 3 or level 4 shall engage a level protection evaluation institution to carry out a network security level evaluation at least once a year. Networks at level 2 shall engage a level protection evaluation institution to carry out a network security level evaluation on a regular basis: networks involving the personal information of more than 100,000 people at least once every three years, and other networks at least once every five years. Security testing shall be carried out before a new network is put into operation.

(5) In view of the problems and hidden dangers found in level evaluation, all medical and health institutions shall, taking external threats and risks into account, formulate network security rectification plans in accordance with the requirements of laws, regulations, policies and standards, carry out targeted rectification, eliminate hidden risks in a timely manner, remedy management and technical deficiencies, and enhance their security protection capability.

Article 7 All medical and health institutions shall rely on the national network security information notification mechanism to strengthen the network security notification and early warning capability of their own units. Tertiary hospitals are encouraged to explore building a situational awareness platform, to collect, aggregate and analyze network security information from all parties in a timely manner, to strengthen threat intelligence work, to organize analysis of network security threats and study of the security situation, and to issue early warnings and carry out disposal in a timely manner, so as to prevent network damage, data leakage and other incidents.

Article 8 All medical and health institutions shall establish emergency handling mechanisms and, by establishing and improving emergency plans and organizing emergency drills, effectively deal with network interruptions, network attacks, data leakage and other security incidents, so as to improve their ability to respond to network security incidents. They shall actively participate in network security attack and defense drills to enhance their protection and confrontation capabilities.

Article 9 During network operation, all medical and health institutions shall carry out various forms of security self-inspection every year, such as document verification, vulnerability scanning and penetration testing, so as to find possible problems and hidden dangers in time. Hidden dangers found through security self-inspection, monitoring and early warning, security notifications and similar channels shall be conscientiously rectified and reinforced to prevent the network from operating with known faults, and the results of security self-inspection and rectification shall be reported to the superior health administrative department as required. Self-inspection and rectification may be carried out together with the rectification of problems found in level evaluation.

The annual security self-inspection and rectification work includes:

(1) In accordance with the requirements of the competent regulatory authority at the next higher level, all medical and health institutions shall complete an inventory of their information assets, ascertain the grading and filing status of their unit's networks, form an asset list, and organize security self-inspection.

(2) In accordance with the requirements of the competent regulatory authority at the next higher level, all medical and health institutions shall rectify the problems and hidden dangers found on the basis of the self-inspection results, and form a rectification report to be submitted to the relevant competent regulatory authority.

Article 10 Operators of critical information infrastructure shall conduct security background checks on the heads of their security management bodies and on personnel in key positions. All medical and health institutions shall strengthen the management of personnel involved in network operation, including internal personnel and third-party personnel, and shall define security management for the whole process of onboarding, training, assessment and departure of internal personnel. For third parties, they shall define the application and approval process for personnel who come into contact with the network, and carry out real-name registration, personnel background checks, signing of confidentiality agreements and related work, so as to prevent security risks arising from unqualified personnel and non-compliant operations.

Article 11 Medical and health institutions shall strengthen the management of network operation and maintenance and formulate operation and maintenance standards and work processes. They shall strengthen physical security protection, improve security control measures for computer rooms, office environments and operation and maintenance sites, and prevent information leakage caused by unauthorized access to the physical environment. They shall strengthen the management of remote operation and maintenance: where business genuinely requires remote operation and maintenance over the Internet, an evaluation and justification shall be carried out and corresponding security controls adopted, so as to prevent security incidents caused by exposed remote access ports.

Article 12 All medical and health institutions shall strengthen business continuity management and continuously monitor the operating status of their networks. For networks at level 3 and above, redundant backup of key links and key equipment shall be strengthened, and medical and health institutions with the necessary conditions shall establish application-level disaster recovery backup to prevent interruption of key business.

Article 13 When medical and health institutions use new technologies such as big data, artificial intelligence and blockchain to deliver services, they shall evaluate the security risks of the new technologies and implement security controls before launch, so as to strike a balance between application and security.

Article 14 All medical and health institutions shall standardize and strengthen the protection of medical equipment data and personal information and the network security management of medical equipment, establish and improve network security management systems covering the procurement, installation, commissioning, operation, maintenance and scrapping of medical equipment, regularly inspect or evaluate the network security of medical equipment, and take corresponding security controls to ensure it.

Article 15 Medical and health institutions shall, in accordance with the Cryptography Law, other relevant laws and regulations, and the relevant standards and norms for cryptography application, plan, build and operate cryptographic protection measures in step with network construction, and use cryptographic products and services that meet the relevant requirements.

Article 16 All medical and health institutions shall pay attention to the security management of all participants in the network supply chain. Where a third party outside the unit is involved, they shall apply security management to design, construction, operation, maintenance and other services, procure secure network products and services, and prevent the occurrence of third-party security incidents.

Article 17 All medical and health institutions shall strengthen the security management of decommissioned networks, assess the risks of the equipment of decommissioned networks, and take timely measures to seal or destroy it, so as to ensure the secure disposal of data in decommissioned networks and prevent leakage of network data.

Chapter III Data Security Management

Article 18 All medical and health institutions shall, in accordance with the provisions of relevant laws and regulations and with reference to national network security standards, fulfil their data security protection obligations, attach equal importance to data security and development, and ensure an effective balance between data security and data application through management and technical means. Operators of critical information infrastructure shall draw up critical information infrastructure security protection plans and establish and improve data security and personal information protection systems.

Article 19 Medical and health institutions shall establish an organizational structure for data security management, clarify the primary responsibilities of business departments and management departments in data security activities, standardize the powers and responsibilities of their data management, business and information departments across the whole data security life cycle, establish a responsibility system for data security work, and implement accountability.

Article 20 All medical and health institutions shall comprehensively inventory their data assets every year and, on the basis of the network security level protection system, establish their own data classification and grading standards according to the importance of the data and the degree of harm if it is damaged. Data classification and grading shall follow the principles of legal compliance, enforceability, timeliness, autonomy, differentiation and objectivity.

Article 21 All medical and health institutions shall establish and improve data security management systems, operating procedures and technical specifications; the management systems involved shall be revised at least once a year, and relevant personnel are advised to sign confidentiality agreements every year. Institutions shall carry out a data security risk assessment of their data every year and keep abreast of their data security status. They shall strengthen data security education and training, organizing security awareness education and publicity and training on the data security management system. In light of the unit's actual situation, they shall establish and improve the application and approval process for data use, follow the principle of "whoever is in charge reviews" and the principles of prior application and approval, supervision during use and review afterwards, strictly implement the work procedures agreed by the business management department and approved by the institution's leadership, and guide data activities towards compliance.

Article 22 All medical and health institutions shall strengthen security management across the whole data life cycle of collection, storage, transmission, processing, use, exchange and destruction, and all life-cycle activities shall be carried out within China. Where business genuinely requires data to be provided abroad, a security assessment or review shall be conducted in accordance with the relevant laws, regulations and requirements. Data processing activities that affect or may affect national security shall be submitted for national security review, so as to prevent the occurrence of data security incidents.

(1) All medical and health institutions shall strengthen the management of the legality of data collection and clarify the primary responsibilities of business departments and management departments for it. They shall adopt data desensitization, data encryption, link encryption and other controls to prevent data leakage during collection.

(2) On the basis of data classification and grading, further clarify the encrypted transmission requirements for data of different security levels. Strengthen interface security controls during transmission to ensure that transmission through interfaces is secure and data cannot be stolen.

(3) All medical and health institutions shall, in accordance with relevant laws and regulations, select appropriate data storage structures and media located within China, and take measures such as backup and encryption to enhance the security of data storage. Where data is stored in the cloud, the possible security risks shall be assessed. The data storage period shall not exceed the retention period determined by the data usage rules. Access control, data copy security and data archiving security during storage shall be strengthened.

(4) All medical and health institutions shall strictly regulate the permissions of different personnel, strengthen management of the application and approval process for data use, ensure that data is used within a controllable scope, and strengthen log retention and management, eliminating tampering with and deletion of logs, so as to prevent data use beyond the authorized scope. Each data user department and data user shall use data strictly in accordance with the purpose and scope stated in the application and shall be responsible for the security of the data. Without approval, no department or individual may transmit undisclosed information and data outside the department or disclose it in any way.

(5) When publishing and sharing data, all medical and health institutions shall assess the possible security risks and take the necessary security controls. For data reporting, the party providing the reported data shall be responsible for interpreting the reporting requirements, determining the reporting scope and reporting rules, and ensuring that data reporting is secure and controllable.

(6) When carrying out face recognition, all medical and health institutions shall also provide a non-facial means of identification, and shall not refuse a data subject the use of basic business functions because the data subject does not agree to the collection of face recognition data. Face recognition data shall not be used for purposes other than identity recognition, including but not limited to assessing or predicting a data subject's performance, economic status, health status, preferences or interests. Medical and health institutions shall take security measures for the storage and transmission of face recognition data, including but not limited to encrypted storage and transmission, and the use of physical or logical isolation to store face recognition data and personal identity information separately.

(7) Data destruction methods shall ensure that the data cannot be recovered, with particular attention to the risks of residual data and data backups.

Chapter IV Supervision and Administration

Article 23 All medical and health institutions shall actively cooperate with the relevant competent regulatory bodies in supervision and administration, accept routine inspection of their network security management, and carry out network security protection properly.

Article 24 Medical and health institutions shall promptly rectify the vulnerabilities and hidden dangers found during inspections by the relevant competent regulatory bodies, so as to prevent the occurrence of major network security incidents.

Article 25 When security incidents such as the leakage, destruction or loss of personal information or data occur, when network security incidents such as attacks on, intrusion into or control of network systems occur, or when network vulnerabilities are found or network security risks increase significantly, all medical and health institutions shall immediately activate their emergency plans, take the necessary remedial and disposal measures, promptly inform the affected parties by telephone, text message, e-mail, letter or similar means, and report to the relevant competent regulatory authorities as required.

Article 26 Health administrative departments at all levels shall establish a working mechanism for reporting network security incidents and issue notifications in a timely manner.

Article 27 When a network security incident occurs, all medical and health institutions shall promptly report to the health administrative department and the public security organ, preserve the scene and keep relevant records, and provide technical support and assistance to public security organs and other supervisory departments in safeguarding national security and carrying out investigations and other activities in accordance with the law.

Chapter V Management Safeguards

Article 28 All medical and health institutions shall attach great importance to network security management, place it on their key agenda, strengthen overall leadership and planning and design, address major matters such as personnel, funding and the construction of security protection measures in accordance with the law, and ensure that security protection measures are planned, built and put into use in step with the construction of information systems.

Article 29 All medical and health institutions shall strengthen professional exchange on network security, strictly implement the system of continuing education on network security, and encourage certification for management and technical posts. By organizing academic exchanges and competitions, they shall identify and select network security talent, establish a talent pool, and establish and improve mechanisms for discovering, training, selecting and employing talent, so as to provide the personnel needed for network security work.

Article 30 All medical and health institutions shall ensure funding for network security level evaluation, risk assessment, attack and defense drills and competitions, security construction and rectification, security protection platform construction, construction of the cryptographic assurance system, operation and maintenance, education and training, and related items. The network security budget of a new information project shall be not less than 5% of the project's total budget.

Article 31 All medical and health institutions shall further improve their network security assessment and evaluation systems, define assessment indicators, and organize assessments. Medical and health institutions with the necessary conditions are encouraged to link assessment results to performance.

Chapter VI Supplementary Provisions

Article 32 Where the provisions of these Measures are violated, personal information or data is disclosed, or a major network security incident occurs, the matter shall be handled in accordance with the Network Security Law, the Cryptography Law, the Basic Medical and Health Promotion Law, the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Critical Information Infrastructure, the network security level protection system and other laws and regulations.

Article 33 Networks involving state secrets shall be managed in accordance with the relevant provisions of the State.

Article 34 These Measures shall enter into force on the date of issuance.
