
    Notice of Issuing the Measures for the Administration of Network Security of Medical and Health Institutions

    • Last Update: 2022-09-06
    • Source: Internet
    • Author: User
To the health commissions and traditional Chinese medicine administrations of all provinces, autonomous regions, municipalities directly under the Central Government and the Xinjiang Production and Construction Corps; all departments and bureaus of the National Health Commission; all affiliated and contact units of the National Health Commission; the China Aging Association; the State Administration of Traditional Chinese Medicine; all departments and bureaus of the National Bureau of Disease Control and Prevention; and all directly affiliated units:

In order to guide medical and health institutions in strengthening network security management, the National Health Commission, the State Administration of Traditional Chinese Medicine and the National Bureau of Disease Control and Prevention have formulated the Administrative Measures for Network Security of Medical and Health Institutions. They are hereby issued to you; please implement them conscientiously.
National Health Commission, State Administration of Traditional Chinese Medicine, National Bureau of Disease Control and Prevention
August 8, 2022
(Information disclosure form: active disclosure)

Administrative Measures for Network Security of Medical and Health Institutions

Chapter I General Provisions

Article 1 These Measures are formulated in accordance with the Cybersecurity Law, the Cryptography Law, the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Critical Information Infrastructure, the Cybersecurity Review Measures and the cybersecurity graded protection system, in order to strengthen the network security management of medical and health institutions, further promote the development of "Internet + medical health", give full play to the role of health and medical big data as an important basic strategic resource of the country, and prevent network security incidents.
Article 2 Adhere to cybersecurity for the people and cybersecurity relying on the people; adhere to the integrated development of cybersecurity education, technology and industry; adhere to the unity of promoting development and managing according to law; and adhere to both security and controllability and open innovation.

Adhere to graded protection with emphasis on key points. Focus on ensuring the security of critical information infrastructure, of networks at cybersecurity protection level 3 (hereinafter "level 3") and above, and of important data and personal information.

Adhere to active defense and comprehensive protection. Make full use of artificial intelligence, big data analysis and other technologies to strengthen key tasks such as security monitoring, situational awareness, notification and early warning, and emergency response, and implement the "three modernizations and six defenses" measures for network security protection: "practical, systematic and normalized" protection, and "dynamic defense, active defense, defense in depth, precise protection, overall prevention and control, and joint prevention and control".

Adhere to the principles that "whoever manages the business manages its security" and "whoever is in charge is responsible, whoever operates is responsible, and whoever uses is responsible"; implement the network security responsibility system and clarify the responsibilities of all parties.
Article 3 The term "network" in these Measures refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures.

The term "data" in these Measures refers to network data, namely the various kinds of electronic data collected, stored, transmitted, processed and generated by medical and health institutions through the network, including but not limited to clinical, scientific research, management and other business data, data generated by medical equipment, personal information and data derivatives.

These Measures apply to the security management of networks operated by medical and health institutions. Grassroots medical and health institutions not covered by a regional grassroots health information system shall implement them by reference.
Article 4 The National Health Commission, the State Administration of Traditional Chinese Medicine and the National Bureau of Disease Control and Prevention are responsible for the overall planning, guidance, evaluation and supervision of network security work in medical and health institutions.

Local health administrative departments at or above the county level (including traditional Chinese medicine and disease control departments, the same below) are responsible for guiding and supervising the network security of medical and health institutions within their administrative regions.

Medical and health institutions bear primary responsibility for their own network security management. Each medical and health institution shall agree in writing with the units participating in its information system construction and with the relevant medical equipment manufacturers and operators on each party's network security obligations and liability for breach.
Chapter II Network Security Management

Article 5 Each medical and health institution shall establish a leading group for network security and informatization, headed by the principal person in charge of the unit, and shall hold at least one network security office meeting per year to deploy key security tasks and implement the requirements of the Regulations on the Security Protection of Critical Information Infrastructure and the cybersecurity graded protection system.

Medical and health institutions operating networks at level 2 or above shall designate the functional department responsible for network security management and clearly define positions such as security supervisor and security administrator; establish a network security management system; strengthen network security protection; and strengthen emergency response. On this basis, key protection of critical information infrastructure shall be implemented to prevent network security incidents.
Article 6 In accordance with the principle that "whoever is in charge is responsible, whoever operates is responsible, and whoever uses is responsible", each medical and health institution shall, in the course of network construction, specify the competent department, operating department, information technology department, user department and other management responsibilities for each of its networks, and carry out grading, filing, evaluation, security construction and rectification and other graded protection work for the networks within its scope of operation.

(1) For newly built networks, the network security protection level shall be determined at the planning and reporting stage. Each medical and health institution shall comprehensively sort out the basic situation of its networks, in particular the application of new technologies such as cloud computing, the Internet of Things, blockchain, 5G and big data; scientifically determine each network's security protection level in accordance with the relevant standards; and report it to the higher-level competent authority for review and approval.

(2) When a newly built network is put into use, graded protection filing shall be carried out in accordance with laws and regulations. Within 10 working days after the network security protection level is determined, the operator of a network at level 2 or above shall file a record with the public security organ and report the filing to the higher-level health administrative department. Where a network is revoked or its level changes, this shall likewise be reported within 10 working days to the public security organ that accepted the original filing and simultaneously to the higher-level health administrative department.

(3) Comprehensively sort out and analyze network security protection requirements, and formulate an overall plan and construction plan that meet the requirements of the network's security protection level according to the "one center, triple protection" model (a security management center, plus a secure communication network, a secure area boundary and a secure computing environment); strengthen security management during in-house or outsourced development of information systems; earnestly carry out network security construction; and fully implement security protection measures.

(4) Each medical and health institution shall test and evaluate the security of networks that have been graded and filed. Networks at level 3 or 4 shall be evaluated by a graded protection evaluation agency at least once a year. Networks at level 2 shall be evaluated by a graded protection evaluation agency regularly: networks involving the personal information of more than 100,000 people at least once every three years, and other networks at least once every five years. A security test shall be performed before a newly built network goes online.

(5) For the hidden dangers found in grade evaluation, each medical and health institution shall, in accordance with laws, regulations, policies and standards and in light of external threats and risks, formulate a network security rectification plan, carry out targeted rectification, eliminate hidden dangers in a timely manner, remedy management and technical shortcomings, and improve security protection capabilities.
Article 7 Each medical and health institution shall rely on the national network security information notification mechanism to strengthen its own network security notification and early warning capability. Tertiary hospitals are encouraged to explore building situational awareness platforms; to collect, aggregate and analyze network security information from all parties in a timely manner; to strengthen threat intelligence work; to organize network security threat analysis and situation assessment; to report, warn and respond in a timely manner; and to prevent network damage, data leakage and the like.

Article 8 Each medical and health institution shall establish an emergency response mechanism and, by formulating and improving emergency plans and organizing emergency drills, effectively handle security incidents such as network interruptions, network attacks and data leaks and improve its ability to respond to network security incidents. Institutions shall actively participate in cybersecurity offensive and defensive drills to improve their protection and confrontation capabilities.
Article 9 During network operation, each medical and health institution shall carry out security self-inspections in various forms every year, such as document review, vulnerability scanning and penetration testing, to discover possible problems and hidden dangers in a timely manner. Hidden dangers found through security self-inspection, monitoring and early warning, or security notifications shall be earnestly rectified and hardened so that the network does not keep running with known defects, and the self-inspection and rectification situation shall be reported to the higher-level health administrative department as required. Self-inspection and rectification may be carried out together with the rectification of grade evaluation findings.

The annual security self-inspection and rectification work includes:

(1) In accordance with the requirements of the higher-level supervisory authority, each medical and health institution sorts out its information assets, ascertains the grading and filing status of its networks, forms an asset inventory and organizes a security self-inspection.

(2) In accordance with the requirements of the higher-level supervisory authority, each medical and health institution rectifies the problems and hidden dangers discovered according to the self-inspection results and submits a rectification report to the relevant supervisory authority for the record.
Article 10 Critical information infrastructure operators shall conduct security background checks on the person in charge of the security management body and on personnel in key positions. Each medical and health institution shall strengthen the management of personnel involved in network operations, including its own staff and third-party personnel; define security management and approval processes covering the entire cycle of onboarding, training, assessment and departure of its own staff; and carry out real-name registration, background review, signing of confidentiality agreements and similar measures to prevent security risks arising from personnel qualifications and illegal operations.

Article 11 Strengthen network operation and maintenance management and formulate operation and maintenance specifications and work procedures. Strengthen physical security protection and improve security controls for computer rooms, office environments and operation and maintenance sites, to prevent information leakage caused by unauthorized access to the physical environment. Strengthen the management of remote operation and maintenance: where business genuinely requires remote operation and maintenance over the Internet, an assessment and justification shall be carried out and corresponding security controls adopted, to prevent security incidents caused by exposed remote access ports.
Article 12 Each medical and health institution shall strengthen business continuity management and continuously monitor network operating status. For networks at level 3 and above, redundant backup of key links and key equipment shall be strengthened, and institutions with the necessary conditions shall establish application-level disaster recovery backup to prevent interruption of key services.

Article 13 When new technologies such as big data, artificial intelligence and blockchain are used to provide services, their security risks shall be assessed and security management and controls put in place before they go online, so as to balance application and security.

Article 14 Each medical and health institution shall standardize and strengthen the protection of medical equipment data and personal information and the network security management of medical equipment; establish and improve network security management systems covering medical equipment bidding and procurement, installation and commissioning, operation and use, maintenance and repair, and scrapping and disposal; inspect or evaluate the network security of medical equipment; and take corresponding security controls to ensure its network security.

Article 15 In accordance with the Cryptography Law, other relevant laws and regulations, and the relevant standards and specifications for cryptographic applications, each medical and health institution shall plan, build and operate cryptographic protection measures in step with network construction, and shall use cryptographic products and services that meet the relevant requirements.

Article 16 Each medical and health institution shall attend to the security management of all participants along the entire network chain. Where third parties outside the institution are involved, it shall implement security management over services such as design, construction, operation and maintenance, procure secure network products and services, and prevent third-party security incidents.

Article 17 Each medical and health institution shall strengthen the security management of decommissioned networks, conduct risk assessments of the equipment associated with them, and take timely measures to seal or destroy that equipment, so that data disposal for decommissioned networks is secure and network data leakage is prevented.
Chapter III Data Security Management

Article 18 Each medical and health institution shall, in accordance with relevant laws and regulations and with reference to national cybersecurity standards, perform its data security protection obligations, uphold both data security and development, and, through management and technical means, ensure data security while effectively balancing it with data use. Critical information infrastructure operators shall formulate critical information infrastructure security protection plans and establish and improve data security and personal information protection systems.

Article 19 An organizational structure for data security management shall be established; the main responsibilities of business departments and management departments in data security activities shall be defined; and the rights and responsibilities of the institution's data security, business and information technology departments across the entire data life cycle shall be regulated by means of security responsibility letters, so as to establish a data security responsibility system and implement accountability.

Article 20 Each medical and health institution shall conduct a comprehensive review of its data assets every year and, on the basis of implementing the cybersecurity graded protection system, establish its own data classification and grading standards according to the importance of the data and the degree of harm should it be compromised. Data classification and grading shall follow the principles of legality and compliance, enforceability, timeliness, autonomy, differentiation and objectivity.

Article 21 Each medical and health institution shall establish and improve data security management systems, operating procedures and technical specifications; the management systems involved shall be revised at least once a year, and relevant personnel are advised to sign confidentiality agreements annually. A data security risk assessment of the institution's data shall be carried out every year to keep abreast of its data security status. Data security education and training shall be strengthened, including security awareness education and training on the data security management system. Based on its actual situation, each institution shall establish and improve the data use application and approval process, following the principle of "whoever is in charge reviews" and the principles of prior application and approval, in-process supervision and after-the-fact review, and shall strictly implement the business management department's work procedures to guide compliance throughout data activities.
Article 22 Each medical and health institution shall strengthen security management across the entire data life cycle: collection, storage, transmission, processing, use, exchange and destruction. Data life cycle activities shall be carried out within the country, and security assessments or reviews shall be conducted in accordance with relevant laws, regulations and requirements; data processing activities that affect or may affect national security shall be submitted for national security review, so as to prevent data security incidents.

(1) Each medical and health institution shall strengthen management of the legality of data collection and clarify the main responsibilities of business departments and management departments in this regard. Prevention and control measures such as data desensitization, data encryption and link encryption shall be taken to prevent data leakage during collection.

(2) On the basis of data classification and grading, further clarify the requirements for encrypted transmission of data at different security levels. Strengthen interface security controls during transmission to ensure the security of data transmitted through interfaces and prevent its theft.

(3) Each medical and health institution shall, in accordance with relevant regulations and standards, select appropriate data storage architectures and media and store data within the country, and shall take measures such as backup and encryption to enhance storage security. Where data is stored in the cloud, the possible security risks shall be assessed. The storage period shall not exceed the retention period determined by the data usage rules. Access control, data copy security and data archive security management shall be strengthened during storage.

(4) Each medical and health institution shall strictly define the permissions of different personnel, strengthen management of the application and approval process for data use to ensure that data is used within a controllable scope, and strengthen log retention and management to prevent tampering with or deletion of logs and to prevent unauthorized use of data. Each data-using department and data user shall use data strictly within the purpose and scope stated in the application and shall be responsible for its security. Without approval, no department or individual may transfer undisclosed information and data outside the department or disclose it in any manner.

(5) When publishing or sharing data, each medical and health institution shall assess the possible security risks and take the necessary security prevention and control measures. Where data reporting is involved, the data reporting party shall be responsible for interpreting the reporting requirements and determining the reporting scope and rules, so that data reporting is secure and controllable.

(6) When carrying out face recognition, each medical and health institution shall at the same time provide identification methods that do not rely on face recognition, and shall not refuse a data subject the use of basic business functions because the data subject does not consent to the collection of face recognition data. Face recognition data shall not be used for purposes other than identification, including but not limited to assessing or predicting the data subject's work performance, economic status, health status, preferences or interests. Each institution shall take security measures for the storage and transmission of face recognition data, including but not limited to encrypted storage and transmission, and shall store face recognition data separately from personally identifiable information by physical or logical isolation.

(7) When destroying data, a destruction method shall be adopted that ensures the data cannot be recovered, with particular attention to the risks of residual data and of data backups.
Chapter IV Supervision and Management

Article 23 Each medical and health institution shall actively cooperate with the relevant competent regulatory authorities in supervision and management, accept routine inspections of its network security management, and carry out network security protection well.

Article 24 Each medical and health institution shall promptly rectify vulnerabilities, hidden dangers and other problems discovered during inspections by the relevant competent regulatory authorities, and prevent major network security incidents.

Article 25 When security incidents such as the leakage, damage or loss of personal information or data occur, when network security incidents such as attacks on, intrusion into or takeover of network systems occur, or when network vulnerabilities are discovered or network security risks increase significantly, each medical and health institution shall immediately activate its emergency plan, take the necessary remedial and disposal measures, promptly notify the affected parties by telephone, text message, e-mail, letter or other means, and report to the relevant competent regulatory authorities as required.

Article 26 Health administrative departments at all levels shall establish a working mechanism for reporting network security incidents so that such incidents are reported in a timely manner.

Article 27 When a network security incident occurs, each medical and health institution shall report it to the health administrative department and the public security organ in a timely manner, preserve the scene, keep relevant records, and provide technical support and assistance to the public security organ and other regulatory departments in safeguarding national security and conducting investigations in accordance with law.
Chapter V Management Safeguards

Article 28 Each medical and health institution shall attach great importance to network security management, place it on its key agenda, strengthen overall leadership and planning and design, and implement major matters such as personnel, funding and the construction of security protection measures in accordance with laws and regulations, so that security protection measures are planned, built and put into use simultaneously with the information systems they protect.

Article 29 Each medical and health institution shall strengthen professional exchanges on network security, strictly implement the network security continuing education system, and encourage personnel in management and technical positions to hold relevant certifications. Through academic exchanges and competitions, institutions shall discover and select network security talent, build a talent pool, and establish and improve mechanisms for discovering, training, selecting and employing talent, so as to provide the personnel needed for network security work.

Article 30 Each medical and health institution shall ensure investment in network security grade evaluation, risk assessment, offensive and defensive drills and competitions, security construction and rectification, security protection platform construction, cryptographic security system construction, operation and maintenance, education and training, and the like. The network security budget of a new informatization project shall be no less than 5% of the project's total budget.

Article 31 Each medical and health institution shall further improve its network security assessment and evaluation system, clarify assessment indicators and organize assessments. Qualified medical and health institutions are encouraged to link assessment results to performance.
Chapter VI Supplementary Provisions

Article 32 Where, in violation of these Measures, personal information or data is leaked or a major network security incident occurs, the matter shall be handled in accordance with the Cybersecurity Law, the Cryptography Law, the Law on Basic Medical and Health Care and Health Promotion, the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Critical Information Infrastructure, the cybersecurity graded protection system and other laws and regulations.

Article 33 Networks involving state secrets shall be handled in accordance with the relevant state regulations.

Article 34 These Measures shall come into force on the date of issuance.
      All provinces, autonomous regions, municipalities directly under the Central Government and Xinjiang Production and Construction Corps Health and Health Committees, Traditional Chinese Medicine Bureaus, departments and bureaus of the National Health and Health Commission, affiliated and contact units of the National Health and Health Commission, China Aging Association, State Administration of Traditional Chinese Medicine, and various departments and bureaus of the National Center for Disease Control and Prevention , All directly affiliated units: In order to guide medical and health institutions to strengthen network security management, the National Health and Health Commission, the State Administration of Traditional Chinese Medicine , and the National Bureau of Disease Control and Prevention have formulated the "Administrative Measures for Network Security of Medical and Health Institutions"
    .
    It is hereby issued to you, please implement it conscientiously
    .
    National Health Commission, National Administration of Traditional Chinese Medicine, National Bureau of Disease Control and Prevention August 8, 2022 (Information Disclosure Form: Active Disclosure) Chapter 1 General Provisions of Network Security Management Measures for Medical and Health Institutions Article 1 is to strengthen the network security management of medical and health institutions, and further Promote the development of "Internet + medical health", give full play to the role of health and medical big data as an important basic strategic resource of the country, strengthen the network security management of medical and health institutions, and prevent the occurrence of network security incidents.
    These Measures are formulated in accordance with the Cybersecurity Law, the Cryptography Law, the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Critical Information Infrastructures, the Cybersecurity Review Measures, and the cybersecurity graded protection system
    .
Article 2 Adhere to the principle that cyber security is for the people and depends on the people; adhere to the integrated development of cyber security education, technology and industry; adhere to the unity of promoting development and managing according to law; and adhere to both security and controllability and open innovation.
Adhere to graded protection and highlight key points. Focus on ensuring the security of critical information infrastructure, networks at network security level 3 (hereinafter referred to as level 3) and above, and important data and personal information.
Adhere to active defense and comprehensive protection. Make full use of artificial intelligence, big data analysis and other technologies to strengthen key tasks such as security monitoring, situational awareness, notification and early warning, and emergency response, and implement the "three modernizations and six defenses" measures for network security protection: "practical, systematic and normalized" protection, and "dynamic defense, active defense, in-depth defense, precise protection, overall prevention and control, and joint prevention and control".
Adhere to the principles that "whoever manages the business must manage its security" and "whoever is in charge is responsible, whoever operates is responsible, and whoever uses is responsible", implement the network security responsibility system, and clarify the responsibilities of all parties.
Article 3 The term "network" as used in these Measures refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures.
The data referred to in these Measures is network data, meaning the various kinds of electronic data collected, stored, transmitted, processed and generated by medical and health institutions through the network, including but not limited to clinical, scientific research, management and other business data, data generated by medical equipment, personal information, and data derivatives.
These Measures apply to the security management of networks operated by medical and health institutions. Grassroots medical and health institutions that are not included in a regional grassroots health information system shall implement them by reference.
Article 4 The National Health Commission, the National Administration of Traditional Chinese Medicine and the National Bureau of Disease Control and Prevention are responsible for the overall planning, guidance, evaluation and supervision of the network security work of medical and health institutions.
Local health administrative departments at or above the county level (including traditional Chinese medicine and disease control departments, the same below) are responsible for guiding and supervising the network security of medical and health institutions within their respective administrative regions.
Medical and health institutions bear primary responsibility for their own network security management. Each medical and health institution shall agree in writing with the units participating in its information construction and with the relevant medical equipment production and operation enterprises on each party's network security obligations and liability for breach of contract.
Chapter II Network Security Management

Article 5 Each medical and health institution shall establish a leading group for network security and informatization, with the principal person in charge of the unit as its leader, and hold at least one network security office meeting every year to deploy key security tasks and implement the requirements of the Regulations on the Security Protection of Critical Information Infrastructure and the network security graded protection system.
Medical and health institutions with level 2 or higher networks shall designate the functional department responsible for network security management and clearly establish positions such as security supervisor and security administrator; establish a network security management system, strengthen network security protection, and strengthen emergency response. On this basis, key protection of critical information infrastructure shall be implemented to prevent network security incidents.
Article 6 In accordance with the principle of "whoever is in charge is responsible, whoever operates is responsible, and whoever uses is responsible", each medical and health institution shall, during network construction, specify the management responsibilities of the competent department, the operation department, the information technology department, the user department and other departments for each of its networks, and carry out graded protection work, including grading, filing, evaluation, and security construction and rectification, for the networks within its scope of operation.
(1) For newly built networks, the network security protection level shall be determined during the planning and reporting stages. All medical and health institutions shall comprehensively sort out the basic situation of their networks, especially the application of new technologies such as cloud computing, the Internet of Things, blockchain, 5G and big data, scientifically determine the security protection level of each network according to the relevant standards, and report it to the higher-level competent authority for review and approval.
(2) When a newly built network is put into use, graded protection filing shall be carried out in accordance with laws and regulations. Within 10 working days after the network security protection level is determined, the operator of a level 2 or higher network shall file a record with the public security organ and report the filing to the higher-level health administrative department. Revocation or change of a filing shall be reported to the original filing public security organ within 10 working days, and simultaneously to the higher-level health administrative department.
(3) Comprehensively sort out and analyze network security protection requirements; formulate an overall plan and construction plan that meet the requirements of the network security protection level in accordance with the "one center (security management center) and triple protection (secure communication network, secure area boundary, and secure computing environment)" framework; strengthen security management in the process of in-house or outsourced development of information systems; earnestly carry out network security construction; and fully implement security protection measures.
(4) Each medical and health institution shall test and evaluate the security of networks that have been graded and filed. Level 3 and level 4 networks shall be assessed by a graded protection evaluation agency at least once a year. Level 2 networks shall be assessed regularly by a graded protection evaluation agency: networks involving the personal information of more than 100,000 people shall be assessed at least once every three years, and other networks at least once every five years. A security test shall be performed before a newly built network goes online.
(5) In response to the hidden dangers found in grade evaluation, each medical and health institution shall, in accordance with the requirements of laws, regulations, policies and standards and in light of external threats and risks, formulate a network security rectification plan, carry out targeted rectification, eliminate hidden dangers in a timely manner, strengthen weak points in management and technology, and improve security protection capabilities.
Article 7 Each medical and health institution shall rely on the national network security information notification mechanism to strengthen the construction of its own network security notification and early warning capability. Tertiary hospitals are encouraged to explore the construction of situational awareness platforms; collect, summarize and analyze network security information from all parties in a timely manner; strengthen threat intelligence work; organize network security threat analysis and situation assessment; report early warnings and handle incidents in a timely manner; and prevent network damage, data leakage and similar incidents.
Article 8 Each medical and health institution shall establish an emergency response mechanism and, by establishing and improving emergency plans and organizing emergency drills, effectively handle security incidents such as network interruption, network attack and data leakage, and improve its ability to respond to network security incidents. Institutions shall actively participate in network security offensive and defensive drills to improve their protection and confrontation capabilities.
Article 9 During network operation, each medical and health institution shall carry out various forms of security self-inspection every year, such as document verification, vulnerability scanning and penetration testing, to discover possible problems and hidden dangers in a timely manner. Hidden dangers found through security self-inspection, monitoring and early warning, and security notification shall be earnestly rectified and reinforced to prevent the network from operating with known defects, and the security self-inspection and rectification situation shall be reported to the higher-level health administrative department as required. Self-inspection and rectification may be carried out together with the rectification of problems found in grade evaluation.
The annual security self-inspection and rectification work includes:
(1) According to the requirements of the higher-level supervisory authority, each medical and health institution completes an inventory of its information assets, ascertains the grading and filing status of its networks, forms an asset list, and organizes security self-inspection.
(2) According to the requirements of the higher-level supervisory authority, each medical and health institution rectifies the problems and hidden dangers discovered in the security self-inspection and forms a rectification report to be filed with the relevant supervisory authority.
Article 10 Critical information infrastructure operators shall conduct security background checks on the person in charge of the security management organization and on personnel in key positions. All medical and health institutions shall strengthen the management of personnel involved in network operations, including internal personnel and third-party personnel; clarify the security management and approval process covering the entire onboarding, training, assessment and departure cycle of internal personnel; and properly carry out real-name registration, personnel background review, signing of confidentiality agreements and similar measures, to prevent security risks arising from personnel qualifications and illegal operations.
Article 11 Strengthen network operation and maintenance management, and formulate operation and maintenance specifications and work procedures. Strengthen physical security protection and improve security control measures for computer rooms, office environments and operation and maintenance sites to prevent information leakage caused by unauthorized access to the physical environment. Strengthen remote operation and maintenance management: where business genuinely requires remote operation and maintenance over the Internet, an evaluation and justification shall be carried out and corresponding security control measures taken to prevent security incidents caused by the exposure of remote access ports.
Article 12 All medical and health institutions shall strengthen business continuity management and continuously monitor network operation status. For level 3 and higher networks, redundant backup of key links and key equipment shall be strengthened, and medical and health institutions with the necessary conditions shall establish application-level disaster recovery backup to prevent interruption of key services.
Article 13 When using new technologies such as big data, artificial intelligence and blockchain to provide services, the security risks of the new technologies shall be assessed and security management and control carried out before going online, to achieve a balance between application and security.
Article 14 All medical and health institutions shall standardize and strengthen the protection of medical equipment data and personal information and the network security management of medical equipment; establish and improve network security management systems covering medical equipment bidding and procurement, installation and commissioning, operation and use, maintenance and repair, and scrapping and disposal; inspect or evaluate the network security of medical equipment; and take corresponding security control measures to ensure the network security of medical equipment.
Article 15 All medical and health institutions shall, in accordance with the Cryptography Law and other relevant laws and regulations and the relevant standards and specifications for cryptographic applications, plan, build and operate cryptographic protection measures synchronously during network construction, and use cryptographic products and services that meet the relevant requirements.
Article 16 All medical and health institutions shall pay attention to the security management of all participants across the entire network chain. Where a third party other than the institution itself is involved, security management of design, construction, operation, maintenance and other services shall be implemented, and secure network products and services shall be procured, to prevent third-party security incidents.
Article 17 All medical and health institutions shall strengthen the security management of decommissioned networks, conduct risk assessments of the equipment related to decommissioned networks, and take measures to seal or destroy it in a timely manner, to ensure the safe disposal of data in decommissioned networks and prevent network data leakage.
Chapter III Data Security Management

Article 18 All medical and health institutions shall, in accordance with relevant laws and regulations and with reference to national network security standards, perform their data security protection obligations, uphold both data security and development, and, through management and technical means, ensure data security while effectively balancing data application. Critical information infrastructure operators shall formulate critical information infrastructure security protection plans and establish and improve data security and personal information protection systems.
Article 19 An organizational structure for data security management shall be established, the main responsibilities of business departments and management departments in data security activities shall be defined, and the rights and responsibilities of the institution's data security department, business departments and information technology department across the whole data life cycle shall be regulated by means of security responsibility letters, so as to establish a data security work responsibility system and implement accountability.
Article 20 Each medical and health institution shall conduct a comprehensive review of its data assets every year and, on the basis of implementing the network security graded protection system, establish its own data classification and grading standards according to the importance of the data and the degree of harm if the data is damaged. Data classification and grading shall follow the principles of legality and compliance, enforceability, timeliness, autonomy, differentiation and objectivity.
Article 21 All medical and health institutions shall establish and improve data security management systems, operating procedures and technical specifications; the management systems involved shall be revised at least once a year, and relevant personnel are advised to sign confidentiality agreements every year. A data security risk assessment of the institution's data shall be carried out every year to keep abreast of the data security status. Data security education and training shall be strengthened, with security awareness education and publicity and training on the data security management system organized. Based on the actual situation of the institution, establish and improve the data use application and approval process, follow the principle of "whoever is in charge reviews", follow the principles of prior application and approval, in-process supervision and post-event review, and strictly implement the work procedures of the business management department to guide compliance in data activities.
Article 22 All medical and health institutions shall strengthen security management across the entire data life cycle of collection, storage, transmission, processing, use, exchange and destruction. Data life cycle activities shall be carried out within the country; security assessment or review shall be conducted in accordance with relevant laws, regulations and requirements, and data processing activities that affect or may affect national security shall be submitted for national security review, to prevent data security incidents.
(1) All medical and health institutions shall strengthen the management of the legality of data collection and clarify the main responsibilities of business departments and management departments for the legality of data collection. Prevention and control measures such as data desensitization, data encryption and link encryption shall be taken to prevent data leakage during collection.
(2) On the basis of data classification and grading, further clarify the requirements for encrypted transmission of data at different security levels. Strengthen interface security control during transmission to ensure the security of transmission through interfaces and prevent data from being stolen.
(3) Each medical and health institution shall, in accordance with relevant regulations and standards, select appropriate data storage architecture and media and store data within the country, and take measures such as backup and encryption to enhance data storage security. Where data is stored in the cloud, the possible security risks shall be evaluated. The data storage period shall not exceed the retention period determined by the data usage rules. Strengthen access control, data copy security, and data archive security management and control during storage.
(4) Each medical and health institution shall strictly define the permissions of different personnel, strengthen management of the application and approval process for data use, ensure that data is used within a controllable scope, strengthen log retention and management, and prevent tampering with and deletion of logs, so as to prevent unauthorized use of data. Each data user department and data user must use data strictly in accordance with the purpose and scope stated in the application and is responsible for the security of that data. Without approval, no department or individual may transfer undisclosed information and data outside the department or disclose it in any way.
(5) When publishing and sharing data, each medical and health institution shall evaluate the possible security risks and take necessary security prevention and control measures; where data reporting is involved, the data reporting party shall be responsible for interpreting the reporting requirements and determining the reporting scope and reporting rules, to ensure that data reporting is safe and controllable.
(6) When carrying out face recognition, each medical and health institution shall provide non-face-recognition identification methods at the same time, and shall not refuse the data subject the use of its basic business functions because the data subject does not agree to the collection of face recognition data. Face recognition data shall not be used for purposes other than identity recognition, including but not limited to assessing or predicting the data subject's work performance, economic status, health status, preferences, interests, etc. Each medical and health institution shall take security measures for the storage and transmission of face recognition data, including but not limited to encrypted storage and transmission of face recognition data, and separate storage of face recognition data and personally identifiable information by physical or logical isolation.
(7) When destroying data, a destruction method that ensures the data cannot be recovered shall be adopted, with attention to the risks of residual data and of data backups.
Chapter IV Supervision and Management

Article 23 All medical and health institutions shall actively cooperate with the relevant competent regulatory authorities in supervision and management, accept routine inspections of network security management, and carry out network security protection properly.
Article 24 All medical and health institutions shall promptly rectify vulnerabilities, hidden dangers and other problems discovered during inspections by the relevant competent regulatory authorities, and prevent major network security incidents.
Article 25 When security incidents such as leakage, damage or loss of personal information and data occur, when network security incidents such as attack on, intrusion into or control of network systems occur, or when network vulnerabilities are discovered or network security risks increase significantly, all medical and health institutions shall immediately activate emergency plans, take necessary remedial and handling measures, promptly notify the relevant subjects by telephone, text message, email, letter or other means, and report to the relevant competent regulatory authorities as required.
Article 26 Health administrative departments at all levels shall establish a working mechanism for reporting network security incidents so that such incidents are reported in a timely manner.
Article 27 When a network security incident occurs, each medical and health institution shall report to the health administrative department and the public security organ in a timely manner, protect the scene, keep relevant records, and provide technical support and assistance to the public security organ and other regulatory departments in safeguarding national security, conducting investigations and carrying out other activities in accordance with the law.
Chapter V Management Guarantee

Article 28 All medical and health institutions shall attach great importance to network security management, place it on the important agenda, strengthen overall leadership and planning and design, implement personnel, funding, security protection measures and other major matters in accordance with laws and regulations, and ensure that security protection measures are planned, built and used synchronously during information system construction.
Article 29 All medical and health institutions shall strengthen network security professional exchanges, strictly implement the network security continuing education system, and encourage personnel in management and technical positions to hold certificates. By organizing academic exchanges and competitions, discover and select network security talent, establish a talent pool, and establish and improve mechanisms for talent discovery, training, selection and use, so as to provide the talent guarantee for good network security work.
Article 30 Each medical and health institution shall ensure investment in network security grade evaluation, risk assessment, offensive and defensive drills and competitions, security construction and rectification, security protection platform construction, cryptographic security system construction, operation and maintenance, education and training, and the like. The network security budget of a new informatization project shall not be less than 5% of the total project budget.
Article 31 All medical and health institutions shall further improve the network security assessment and evaluation system, clarify assessment indicators, and organize assessments. Qualified medical and health institutions are encouraged to link assessment results with performance.
Chapter VI Supplementary Provisions

Article 32 Where a violation of these Measures results in the leakage of personal information and data or in a major network security incident, the matter shall be handled in accordance with the Cybersecurity Law, the Cryptography Law, the Law on Basic Medical and Health Care and Health Promotion, the Data Security Law, the Personal Information Protection Law, the Regulations on the Security Protection of Critical Information Infrastructure, the network security graded protection system, and other laws and regulations.
Article 33 Networks involving state secrets shall be handled in accordance with the relevant state regulations.
Article 34 These Measures shall come into force on the date of issuance.