According to a report on August 29, the National Health Commission, the National Administration of Traditional Chinese Medicine, and the National Bureau of Disease Control and Prevention have recently issued the “Measures for the Administration of Network Security in Medical and Health Institutions” (hereinafter the “Measures”).
The “Measures” stipulate that for newly built networks, the network security protection level should be determined during the planning and reporting stage. All medical and health institutions should comprehensively sort out the basic situation of the various networks of their own units, in particular the application of new technologies such as cloud computing, the Internet of Things, blockchain, 5G and big data, scientifically determine the security protection level of each network according to the relevant standards, and report it to the higher-level competent authority for review and approval.
In addition, all medical and health institutions should strengthen the security management of the entire life cycle of data collection, storage, transmission, processing, use, exchange and destruction. Data life cycle activities should be carried out within China. If the business genuinely requires data to be provided abroad, a security assessment or review should be carried out in accordance with the relevant laws, regulations and requirements, and data processing activities that affect or may affect national security must be submitted for national security review to prevent data security incidents.
IT Home understands that medical and health data are widely used in many scenarios of daily life. For example, efficient big-data analysis of drug ingredients, dosage timing and other conditions can identify the best combination for rational drug use, and scientific analysis of large amounts of clinical data can identify the cause of disease and support clinical etiology analysis and chronic disease monitoring.
In addition, big data can quickly screen for and predict diseases and potential genetic defects through genomic analysis of large numbers of gene sequences; remote collection of disease data from patients, combined with analysis of large amounts of clinical etiological data, enables telemedicine diagnosis and treatment; data collected by smart wearable devices can detect vital signs, warn of potential health risks and support health management; and big data and other algorithms can be applied to formulate medical insurance payment standards and to conduct accurate medical insurance decision analysis on that basis.
In April 2020, the World Health Organization issued a statement saying that the number of cyberattacks during the epidemic increased five times year-on-year. Qi Anxin Group released a series of reports on network security and pointed out that after the outbreak of the epidemic in 2020, the medical and health industry surpassed government, finance, national defense, energy, telecommunications and other fields for the first time in history to become the primary target of global APT activities (cyber-attacks and intrusions by hackers who aim to steal core information from specific targets). 23.7% of global APT events are related to the healthcare industry. For the first time, China surpassed the United States, South Korea, the Middle East and other countries and regions to become the primary regional target of global APT activities.
Notice on Printing and Distributing the Measures for the Administration of Network Security of Medical and Health Institutions
To the Health Commissions and Traditional Chinese Medicine Bureaus of all provinces, autonomous regions, municipalities directly under the Central Government and the Xinjiang Production and Construction Corps; all departments and bureaus of the National Health Commission; affiliated and liaison units of the National Health Commission; the China Aging Association; the State Administration of Traditional Chinese Medicine; all departments and bureaus of the National Bureau of Disease Control and Prevention; and all directly affiliated units:
In order to guide medical and health institutions in strengthening network security management, the National Health Commission, the State Administration of Traditional Chinese Medicine and the National Bureau of Disease Control and Prevention have formulated the “Measures for the Administration of Network Security of Medical and Health Institutions”. They are hereby issued to you; please implement them conscientiously.
National Health Commission, National Administration of Traditional Chinese Medicine, National Bureau of Disease Control and Prevention
August 8, 2022
(Type of information disclosure: active disclosure)
Measures for the Administration of Network Security of Medical and Health Institutions
Chapter 1 General Provisions
Article 1 These Measures are formulated in accordance with the “Basic Medical Health and Health Promotion Law”, the “Cyber Security Law”, the “Cryptography Law”, the “Data Security Law”, the “Personal Information Protection Law”, the “Key Information Infrastructure Security Protection Regulations”, the “Network Security Review Measures” and other relevant network security laws, regulations and standards such as the multi-level protection system, in order to strengthen the network security management of medical and health institutions, further promote the development of “Internet + medical health”, give full play to the role of health and medical big data as an important basic strategic resource of the nation, and prevent network security incidents.
Article 2 Adhere to network security for the people and network security relying on the people; adhere to the integrated development of network security education, technology and industry; adhere to the unity of promoting development and administering according to law; and adhere to both security and controllability and open innovation.
Adhere to graded protection and highlight key points. Focus on ensuring the security of critical information infrastructure, networks at network security protection level 3 (hereinafter “level 3”) and above, and important data and personal information.
Adhere to active defense and comprehensive protection. Make full use of artificial intelligence, big data analysis and other technologies to strengthen key tasks such as security monitoring, situational awareness, notification and early warning, and emergency response, and implement the “three modernizations and six defenses” measures for network security protection: “practical, systematic and normalized”, and “dynamic defense, active defense, defense in depth, precise protection, overall prevention and control, and joint prevention and control”.
Adhere to the principles of “whoever manages the business manages its security” and “whoever is in charge is responsible, whoever operates is responsible, and whoever uses is responsible”, implement the network security responsibility system, and clarify the responsibilities of all parties.
Article 3 The term “network” as used in these Measures refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures.
The data referred to in these Measures is network data, meaning the various electronic data collected, stored, transmitted, processed and generated by medical and health institutions through the network, including but not limited to clinical, scientific research, management and other business data, data generated by medical equipment, personal information and data derivatives.
These Measures apply to the security management of networks operated by medical and health institutions. Grassroots medical and health institutions that are not included in a regional grassroots health information system shall implement them by reference.
Article 4 The National Health Commission, the National Administration of Traditional Chinese Medicine, and the National Bureau of Disease Control and Prevention are responsible for overall planning, guidance, evaluation, and supervision of the network security work of medical and health institutions. Local health administrative departments at or above the county level (including traditional Chinese medicine and disease control departments, the same below) are responsible for the guidance and supervision of the network security of medical and health institutions within their respective administrative regions.
Medical and health institutions are primarily responsible for their own unit’s network security management, and each medical and health institution shall agree in writing with the information construction participating units and relevant medical equipment production and operation enterprises on the network security obligations and breach of contract responsibilities of each party.
Chapter II Network Security Management
Article 5 Each medical and health institution shall establish a network security and informatization work leading group, with the main person in charge of the unit as its leader, hold a network security office meeting at least once a year, deploy key security tasks, and implement the requirements of the “Key Information Infrastructure Security Protection Regulations” and the network security multi-level protection system. Medical and health institutions with level 2 or higher networks should designate the functional department responsible for network security management and clearly establish positions such as security supervisors and security administrators; establish a network security management system; strengthen network security protection; and strengthen emergency response. On this basis, key protection of critical information infrastructure shall be implemented to prevent network security incidents.
Article 6 In accordance with the principle of “whoever is in charge is responsible, whoever operates is responsible, and whoever uses the network is responsible”, each medical and health institution shall, in the process of network construction, specify the management responsibilities of the competent department, operation department, information technology department, user department and others for each network of the unit, and carry out multi-level protection grading, filing, evaluation, security construction and rectification and other work for the networks within the unit’s scope of operation.
(1) For newly built networks, the network security protection level shall be determined during the planning and reporting stages. All medical and health institutions should comprehensively sort out the basic situation of the various networks of their own units, in particular the application of new technologies such as cloud computing, the Internet of Things, blockchain, 5G and big data, scientifically determine the security protection level of each network according to the relevant standards, and report it to the higher-level competent authority for review and approval.
(2) When a newly built network is put into use, multi-level protection filing shall be carried out in accordance with laws and regulations. Within 10 working days after the network security protection level is determined, the operator of a network at level 2 or above shall file a record with the public security organ and report the filing to the higher-level health administrative department. Where the filing needs to be revoked or changed, this shall be done with the original public security organ within 10 working days and reported at the same time to the higher-level health administrative department.
(3) Comprehensively sort out and analyze network security protection requirements, formulate an overall plan and construction plans that meet the requirements of the network security protection level in accordance with the “one center (security management center) and triple protection (secure communication network, secure area boundary, and secure computing environment)” requirements, strengthen security management in the self-development or outsourced development of information systems, earnestly carry out network security construction, and fully implement security protection measures.
(4) Each medical and health institution shall test and evaluate the security of networks that have been graded and filed. Level 3 and level 4 networks shall entrust a multi-level protection evaluation agency to conduct a network security level evaluation at least once a year. Level 2 networks should entrust a multi-level protection evaluation agency to conduct regular network security level evaluations: networks involving the personal information of more than 100,000 people should be evaluated at least once every three years, and other networks at least once every five years. A security test should be performed before a newly built network goes online.
(5) In response to the hidden problems found in the level evaluation, each medical and health institution shall formulate a network security rectification plan that meets the requirements of laws, regulations, policies and standards and addresses external threats and risks, carry out targeted rectification, eliminate hidden risks in a timely manner, remedy management and technical shortcomings, and improve security protection capabilities.
Article 7 Each medical and health institution shall rely on the national network security information notification mechanism to strengthen the construction of its own network security notification and early warning capability. Tertiary hospitals are encouraged to explore the construction of situational awareness platforms, collect, summarize and analyze network security information from all parties in a timely manner, strengthen threat intelligence work, organize and carry out network security threat analysis and situation research and judgment, report early warnings and handling in a timely manner, and prevent network damage, data leakage and similar incidents.
Article 8 Each medical and health institution shall establish an emergency response mechanism, and effectively deal with security incidents such as network interruption, network attack, and data leakage by establishing and improving emergency plans, organizing emergency drills, etc., and improve the ability to respond to network security incidents. Actively participate in cyber security offensive and defensive drills to improve protection and confrontation capabilities.
Article 9 In the process of network operation, each medical and health institution shall carry out various forms of security self-examination every year, such as document verification, vulnerability scanning and penetration testing, to discover possible problems and hidden dangers in a timely manner. Hidden security hazards found through security self-examination, monitoring and early warning, and security notifications should be conscientiously rectified and reinforced to prevent the network from operating with known defects, and the security self-examination and rectification situation should be reported to the higher-level health administrative department as required. Self-examination and rectification may be carried out together with the rectification of level evaluation findings.
The annual safety self-inspection and rectification work includes:
(1) According to the requirements of the higher-level supervisory authority, each medical and health institution completes the sorting out of information assets, clarifies the network grading and filing status of the unit, forms an asset list, and organizes the security self-examination.
(2) According to the requirements of the higher-level supervisory authority, each medical and health institution shall rectify the problems and hidden dangers discovered in the security self-examination and submit a rectification report to the relevant supervisory authority for filing.
Article 10 Critical information infrastructure operators shall conduct security background checks on the person in charge of the security management body and on personnel in key positions. All medical and health institutions should strengthen the management of personnel related to network operations, including internal personnel of the unit and third-party personnel; clarify the security management of the entire process of entry, training, assessment and departure of internal personnel and the related approval processes; and do a good job of real-name registration, personnel background review, signing of confidentiality agreements and so on, to prevent security risks caused by unqualified personnel and illegal operations.
Article 11 Strengthen network operation and maintenance management, and formulate operation and maintenance specifications and work procedures. Strengthen physical security protection and improve security control measures for computer rooms, office environments and operation and maintenance sites to prevent information leakage caused by unauthorized access to the physical environment. Strengthen remote operation and maintenance management: if the business genuinely needs to be operated and maintained remotely over the Internet, an evaluation and justification should be carried out and corresponding security control measures taken to prevent security incidents caused by exposed remote access ports.
Article 12 All medical and health institutions shall strengthen business continuity management and continuously monitor network operation status. For the third-level and above networks, the redundant backup of key links and key equipment should be strengthened, and medical and health institutions with conditions should establish application-level disaster recovery backup to prevent interruption of key services.
Article 13 When using new technologies such as big data, artificial intelligence, and blockchain to provide services, the security risks of the new technologies should be assessed and security management and control should be carried out before going online to achieve a balance between application and security.
Article 14 All medical and health institutions should standardize and strengthen the protection of medical equipment data and personal information and the network security management of medical equipment, and establish and improve network security management systems covering medical equipment bidding and procurement, installation and commissioning, operation and use, maintenance and repair, and scrapping and disposal. The network security of medical equipment shall be checked or evaluated and corresponding security control measures taken to ensure it.
Article 15 All medical and health institutions shall, in accordance with the “Cryptography Law”, other relevant laws and regulations, and the relevant standards and specifications for cryptographic applications, plan, construct and operate cryptographic protection measures simultaneously with network construction, and use cryptographic products and services that meet the relevant requirements.
Article 16 All medical and health institutions should pay attention to the security management of all participants in the network chain. When a third party outside the unit is involved, security management of services such as design, construction, operation and maintenance shall be implemented, and secure network products and services purchased, to prevent third-party security incidents.
Article 17 All medical and health institutions shall strengthen the security management of abolished networks, conduct risk assessments on equipment related to abolished networks, and take measures to seal or destroy them in a timely manner to ensure the safety of data disposal in the abolished networks and prevent network data leakage.
Chapter III Data Security Management
Article 18 All medical and health institutions shall, in accordance with relevant laws and regulations and with reference to national network security standards, perform data security protection obligations, insist on both ensuring data security and promoting development, and ensure an effective balance between data security and data application through management and technical means. Critical information infrastructure operators shall formulate critical information infrastructure security protection plans and establish and improve data security and personal information protection systems.
Article 19 An organizational structure for data security management should be established, the main responsibilities of business departments and management departments in data security activities defined, and the rights and responsibilities of the unit’s data security department, business departments and information technology departments throughout the data life cycle regulated by means of security responsibility letters; a data security work responsibility system shall be established and an accountability system implemented.
Article 20 Each medical and health institution shall conduct a comprehensive review of its data assets every year and, on the basis of implementing the network security multi-level protection system, establish its own data classification and grading standards according to the importance of the data and the degree of harm once it is compromised. Data classification and grading should follow the principles of legality and compliance, enforceability, timeliness, autonomy, differentiation and objectivity.
Article 21 All medical and health institutions shall establish and improve data security management systems, operating procedures and technical specifications; the management systems involved shall be revised at least once a year, and relevant personnel are advised to sign confidentiality agreements every year. A data security risk assessment of the unit’s data shall be carried out every year so that the data security status is grasped in time. Strengthen data security education and training, and organize security awareness education and training on the data security management system. Based on the actual situation of the unit, establish and improve the data use application and approval process, follow the principle of “whoever is in charge, reviews” and the principles of prior application and approval, in-process supervision and post-event review, and strictly implement the work procedures of the business management department to guide compliant data activity processes.
Article 22 All medical and health institutions should strengthen the security management of the entire life cycle of data collection, storage, transmission, processing, use, exchange and destruction. Data life cycle activities should be carried out within the country. If the business genuinely requires data to be provided abroad, a security assessment or review shall be conducted in accordance with relevant laws, regulations and requirements, and data processing activities that affect or may affect national security shall be submitted for national security review to prevent data security incidents.
(1) All medical and health institutions should strengthen management of the legality of data collection and clarify the main responsibilities of business departments and management departments for it. Prevention and control measures such as data desensitization, data encryption and link encryption should be taken to prevent data leakage during collection.
(2) On the basis of data classification and grading, further clarify the requirements for encrypted transmission of data at different security levels. Strengthen the interface security control during the transmission process to ensure the security during transmission through the interface and prevent data from being stolen.
(3) Each medical and health institution shall, in accordance with relevant regulations and standards, select an appropriate data storage architecture and media for storage within the country, and take measures such as backup and encryption to enhance data storage security. Where data is stored in the cloud, the possible security risks should be evaluated. The data storage period should not exceed the retention period determined by the data usage rules. Strengthen access control security, data copy security, and data archive security management and control during storage.
(4) Each medical and health institution should strictly define the authority of different personnel, strengthen management of the application and approval process for data use, ensure that data is used within a controllable scope, strengthen the retention and management of logs, and prevent tampering with and deletion of logs, so as to prevent unauthorized use of data. Each data user department and data user must use the data strictly in accordance with the purpose and scope stated in the application and be responsible for the security of the data. Without approval, no department or individual may transfer undisclosed information and data outside the department or disclose it in any way.
(5) When publishing and sharing data, each medical and health institution shall evaluate the possible security risks and take the necessary security prevention and control measures; where data reporting is involved, the data reporting party shall be responsible for interpreting the reporting requirements and determining the reporting scope and reporting rules to ensure that data reporting is safe and controllable.
(6) When carrying out face recognition, each medical and health institution shall also provide identification methods that do not rely on face recognition, and shall not refuse a data subject the use of its basic business functions because the data subject does not agree to the collection of face recognition data. Face recognition data shall not be used for purposes other than identification, including but not limited to assessing or predicting the data subject’s work performance, economic status, health status, preferences or interests. Each medical and health institution shall take security measures for storing and transmitting face recognition data, including but not limited to encrypted storage and transmission of face recognition data, and separate storage of face recognition data and personally identifiable information through physical or logical isolation.
(7) When destroying data, a method of destruction that ensures that the data cannot be restored shall be adopted, focusing on data residual risks and data backup risks.
Chapter IV Supervision and Management
Article 23 All medical and health institutions shall actively cooperate with the relevant competent regulatory agencies in the supervision and management, accept daily inspections of network security management, and do a good job in network security protection.
Article 24 All medical and health institutions shall promptly rectify problems such as loopholes and hidden dangers discovered during the inspection of relevant competent regulatory agencies, and prevent the occurrence of major network security incidents.
Article 25 When security incidents such as the leakage, damage or loss of personal information and data occur, when network security incidents such as attacks on, intrusion into or takeover of network systems occur, or when network vulnerabilities are discovered or network security risks increase significantly, all medical and health institutions shall immediately activate emergency plans, take the necessary remedial and disposal measures, promptly notify the relevant subjects by telephone, text message, email, letter or other means, and report to the relevant competent regulatory authorities as required.
Article 26 Health administrative departments at all levels shall establish a working mechanism for reporting network security incidents to report network security incidents in a timely manner.
Article 27 When a network security incident occurs, each medical and health institution shall report to the health administrative department and the public security organ in a timely manner, protect the scene, keep the relevant records, and provide technical support and assistance in accordance with the law to the public security organ and other regulatory departments in safeguarding national security, conducting investigations and other activities.
Chapter V Management Guarantee
Article 28 All medical and health institutions should attach great importance to network security management, place it on the important agenda, strengthen overall leadership, planning and design, and implement major matters such as personnel, capital investment and security protection measures in accordance with laws and regulations, so that security protection measures are planned, constructed and put into use simultaneously with the construction of information systems.
Article 29 All medical and health institutions should strengthen network security business exchanges, strictly implement the network security continuing education system, and encourage management and technical positions to hold certificates. By organizing academic exchanges and competitions, we can discover and select network security talents, establish a talent pool, and establish and improve the mechanism of talent discovery, training, selection and use, so as to provide talent guarantee for good network security work.
Article 30 Each medical and health institution shall ensure the investment in network security level assessment, risk assessment, offensive and defensive drills and competitions, security construction and rectification, security protection platform construction, password security system construction, operation and maintenance, education and training, etc. The network security budget of a new informatization project shall not be less than 5% of the total project budget.
Article 31 All medical and health institutions shall further improve the network security assessment and evaluation system, clarify assessment indicators, and organize assessments. Encourage qualified medical and health institutions to link assessment with performance.
Chapter VI Supplementary Provisions
Article 32 Where the provisions of these Measures are violated and personal information or data leakage or a major network security incident occurs, the matter shall be dealt with in accordance with the “Network Security Law”, the “National Cryptography Law”, the “Basic Medical Health and Health Promotion Law”, the “Data Security Law”, the “Personal Information Protection Law”, the “Key Information Infrastructure Security Protection Regulations”, the network security multi-level protection system and other laws and regulations.
Article 33 Networks involving state secrets shall be implemented in accordance with relevant state regulations.
Article 34 These Measures shall come into force on the date of issuance.