Notice on the Issuance of the Network Security Management Measures for Medical and Health Institutions

Author: China Medical News Information    Time: 2022.08.30

Guo Wei Gui Hua Fa [2022] No. 29

To the health commissions and traditional Chinese medicine administrations of all provinces, autonomous regions, municipalities directly under the central government and the Xinjiang Production and Construction Corps; all departments and bureaus of the National Health Commission and the units directly under or in contact with the Commission; the China Aging Association; and all units directly under the National Administration of Traditional Chinese Medicine and the National Disease Control and Prevention Administration:

In order to guide medical and health institutions in strengthening network security management, the National Health Commission, the National Administration of Traditional Chinese Medicine and the National Disease Control and Prevention Administration have formulated the "Network Security Management Measures for Medical and Health Institutions". They are hereby issued to you; please implement them conscientiously.

National Health Commission, National Administration of Traditional Chinese Medicine, National Disease Control and Prevention Administration

August 8, 2022

(Form of information disclosure: proactive disclosure)

Network Security Management Measures for Medical and Health Institutions

Chapter 1 General Principles

Article 1 In order to strengthen the network security management of medical and health institutions, further promote the development of "Internet + medical and health", give full play to the role of health and medical big data as an important basic strategic resource of the country, and prevent network security incidents, these Measures are formulated in accordance with the "Basic Medical and Health Care and Health Promotion Law", the "Cybersecurity Law", the "Cryptography Law", the "Data Security Law", the "Personal Information Protection Law", the "Regulations on the Security Protection of Critical Information Infrastructure" and other relevant laws and regulations, as well as the network security multi-level protection scheme.

Article 2 Adhere to the principle that network security is for the people and relies on the people; adhere to the integrated development of network security education, technology and industry; adhere to promoting development and managing in accordance with the law in a unified way; and adhere to security, controllability and open innovation.

Adhere to multi-level protection with emphasis on key points. Focus on safeguarding critical information infrastructure, networks at level three of the network security multi-level protection scheme (hereinafter "level three") and above, and the security of important data and personal information.

Adhere to active defense and comprehensive protection. Make full use of technologies such as artificial intelligence and big data analysis; strengthen key work such as security monitoring, situational awareness, notification and early warning, and emergency response; and implement the "three modes and six defenses" approach to network security protection, namely "combat-oriented, systematic and normalized" operation together with "dynamic defense, active defense, defense in depth, precise protection, overall prevention and control, and joint prevention and control".

Adhere to the principles of "whoever manages the business manages its security" and "whoever is in charge is responsible, whoever operates is responsible, and whoever uses is responsible"; implement the network security responsibility system and clarify the responsibilities of all parties.

Article 3 The term "network" in these Measures refers to a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures.

The term "data" in these Measures refers to network data, that is, all electronic data collected, stored, transmitted, processed and generated by medical and health institutions through networks, including but not limited to clinical, scientific research, management and other business data, medical equipment data, personal information and data derivatives.

These Measures apply to the security management of networks operated by medical and health institutions. Grass-roots medical and health institutions that are not covered by a regional grass-roots health information system shall implement them by reference.

Article 4 The National Health Commission, the National Administration of Traditional Chinese Medicine and the National Disease Control and Prevention Administration are responsible for planning, guiding, evaluating and supervising the network security work of medical and health institutions. Local health administrative departments at or above the county level (including traditional Chinese medicine and disease control departments; the same below) are responsible for guiding and supervising the network security of medical and health institutions within their administrative regions.

Medical and health institutions bear the primary responsibility for network security management within their units. All medical and health institutions shall stipulate the network security obligations and liabilities of each party in their agreements with the manufacturers and operators of relevant medical equipment.

Chapter 2 Network Security Management

Article 5 Medical and health institutions shall establish a leading group for network security and informatization work and act in accordance with the requirements of the "Regulations on the Security Protection of Critical Information Infrastructure" and the network security multi-level protection scheme. Medical and health institutions with networks at level two and above shall clearly designate a functional department responsible for network security management and clearly establish positions such as security supervisor and security administrator; establish a network security management system; strengthen network security protection; and strengthen emergency response. On this basis, key protection of critical information infrastructure shall be implemented to prevent network security incidents.

Article 6 In accordance with the principle of "whoever is in charge is responsible, whoever operates is responsible, and whoever uses is responsible", medical and health institutions shall, during network construction, clarify the management responsibilities of the competent department, the operating department, the information department and the using department for each network of the unit, and carry out level determination, filing, evaluation, security construction and rectification under the multi-level protection scheme for all networks within the unit's scope of operation.

(1) For new networks, the network security protection level shall be determined at the planning and application stage. All medical and health institutions shall comprehensively review the basic situation of networks built on new technologies such as cloud computing, the Internet of Things, blockchain, 5G and big data, and in particular shall determine each network's security protection level in accordance with relevant standards, based on its functions, scope of service, service objects and the data it processes, and report it to the higher authorities for review and consent.

(2) Networks newly put into use shall complete multi-level protection filing in accordance with laws and regulations. Networks at level two and above shall be filed with the public security organ within 10 working days after the network security protection level is determined, and the filing shall be reported to the higher-level health administrative department. Where the original filing with the public security organ is to be cancelled or changed, this shall be done within 10 working days and reported to the higher-level health administrative department.

(3) Comprehensively review and analyze network security protection needs and, in accordance with the requirements of "one center (security management center) and triple protection (secure communication network, secure area boundary, secure computing environment)", formulate an overall plan and construction plan that meet the requirements of the applicable network security protection level; strengthen security management during in-house or outsourced development of information systems; carry out network security construction earnestly; and fully implement security protection measures.

(4) All medical and health institutions shall test and evaluate the security of networks that have been classified and filed. Level-three and level-four networks shall be evaluated by a multi-level protection evaluation agency at least once a year. Level-two networks shall be evaluated by a multi-level protection evaluation agency at regular intervals: networks involving the personal information of more than 100,000 individuals shall undergo a network security level evaluation at least once every three years, and other networks at least once every five years. Security testing shall be performed before a new network goes live.

(5) For hidden dangers found in level evaluations, all medical and health institutions shall, taking external threats and risks into account, formulate network security rectification plans in accordance with the requirements of laws, regulations, policies and standards, remedy management and technical shortcomings, and improve security protection capabilities.

Article 7 Medical and health institutions shall rely on the national network security information notification mechanism and strengthen the unit's network security notification and early warning capabilities. Tertiary hospitals are encouraged to explore building platforms that collect, aggregate and analyze network security information from all parties in a timely manner, strengthen threat intelligence work, organize analysis of network security threats and research on trends, and issue early warnings and handle incidents promptly to prevent events such as network damage and data leakage.

Article 8 Each medical and health institution shall establish an emergency response mechanism. By establishing and improving emergency plans and organizing emergency drills, it shall effectively handle security incidents such as network interruptions, network attacks and data leakage, and improve its ability to respond to network security incidents. Institutions shall actively participate in network security offensive and defensive drills to improve their protection and confrontation capabilities.

Article 9 During network operation, medical and health institutions shall carry out security self-inspection in various forms every year, such as document verification, vulnerability scanning and penetration testing, to promptly discover possible problems and hidden dangers. Hidden dangers found through security self-inspection, monitoring and early warning, and security reports shall be earnestly rectified and reinforced to prevent networks from operating with known defects, and the results of security self-inspection and rectification shall be reported as required. Self-inspection and rectification may be carried out together with rectification following level evaluation.

Annual security self-inspection and rectification work includes:

(1) In accordance with the requirements of the higher-level competent supervisory agency, each medical and health institution completes an inventory of its information assets, ascertains the protection level and filing status of its networks, forms an asset list, and organizes a security self-inspection.

(2) In accordance with the requirements of the higher-level competent supervisory agency, each medical and health institution rectifies the problems and hidden dangers found on the basis of the security self-inspection results, and forms a rectification report for submission to the relevant competent supervisory agency.

Article 10 Critical information infrastructure operators shall conduct security background checks on the heads of their security management bodies and on personnel in key positions. All medical and health institutions shall strengthen the management of personnel involved in network operations, including both internal personnel and third-party personnel; clarify security management across the whole process of internal personnel's recruitment, training, assessment and departure as well as the relevant approval processes; and carry out real-name registration, personnel background checks and the signing of confidentiality agreements to prevent security risks arising from personnel qualifications and illegal operations.

Article 11 Strengthen network operation and maintenance (O&M) management, and formulate O&M operating specifications and work processes. Strengthen physical security protection and improve security controls for computer rooms, office environments and O&M sites to prevent information leakage caused by unauthorized access to the physical environment. Strengthen remote O&M management: where business genuinely requires remote O&M over the Internet, an evaluation and justification shall be carried out and corresponding security controls adopted to prevent security incidents caused by exposed remote access ports.

Article 12 Each medical and health institution shall strengthen business continuity management and continuously monitor the operating status of its networks. For networks at level three and above, safeguards for key links and redundant backup of key equipment shall be strengthened. Medical and health institutions with the necessary conditions should establish application-level disaster recovery backups to prevent interruption of key business.

Article 13 When new technologies such as big data, artificial intelligence and blockchain are applied to services, their security risks shall be evaluated before going live and security controls put in place, so as to balance application and security.

Article 14 Each medical and health institution shall standardize and strengthen the protection of medical equipment data and personal information and the network security management of medical equipment, and establish and improve network security management systems covering the tendering and procurement, installation, commissioning, operation, maintenance and scrapping of medical equipment. The network security of medical equipment shall be checked or evaluated and corresponding security controls taken to ensure its network security.

Article 15 All medical and health institutions shall comply with the "Cryptography Law" and other relevant laws and regulations as well as the relevant standards and specifications for cryptographic applications, and shall plan, build and operate cryptographic protection measures simultaneously with the network during network construction.

Article 16 Each medical and health institution shall pay attention to the security management of all participants across the entire network chain. Where third parties outside the unit are involved, security management shall be implemented in design, construction, operation and maintenance to prevent security incidents caused by third parties.

Article 17 Each medical and health institution shall strengthen security management of network decommissioning, assess the risks of related equipment when a network is decommissioned, and take timely sealing or destruction measures to ensure the secure disposal of data in the network and prevent leakage of network data.

Chapter 3 Data Security Management

Article 18 Each medical and health institution shall, in accordance with relevant laws and regulations and with reference to national network security standards, fulfill its data security protection obligations, attend to both data security and development, and ensure an effective balance between data security and data application through management and technical means. Critical information infrastructure operators shall formulate critical information infrastructure security protection plans and establish and improve data security and personal information protection systems.

Article 19 A data security management structure shall be established, clarifying the primary responsibility of business departments and management departments in data security activities. The rights and responsibilities of the unit's data management department, business departments and information department throughout the data life cycle shall be standardized through security responsibility letters and similar means; a data security work responsibility system shall be established; and an accountability system shall be implemented.

Article 20 Each medical and health institution shall comprehensively inventory its data assets every year. On the basis of implementing the network security multi-level protection scheme, the unit shall establish data classification and grading standards according to the importance of the data and the degree of harm caused if it is damaged. Data classification and grading shall follow the principles of legal compliance, executability, timeliness, autonomy, differentiation and objectivity.

Article 21 Each medical and health institution shall establish and improve a data security management system, operating procedures and technical specifications, and the management system shall be reviewed and revised at least once a year. Relevant personnel are recommended to sign confidentiality agreements annually. Data security risk assessments of the unit's data shall be carried out in a timely manner. Strengthen data security education and training, and organize security awareness education and training on the data security management system. Based on the unit's actual situation, establish and improve application and approval processes for data use, following the principle of "whoever is in charge reviews" and the working procedure of prior application and approval, supervision during use and post-hoc review, so that data activities are carried out in compliance.

Article 22 Each medical and health institution shall strengthen security management across the whole data life cycle of collection, storage, transmission, processing, use, exchange and destruction. Security assessments or reviews shall be performed in accordance with relevant laws, regulations and requirements. Data processing activities that affect or may affect national security shall be submitted for national security review to prevent data security incidents.

(1) Each medical and health institution shall strengthen management of the legality of data collection, clarifying the primary responsibility of business departments and management departments for the legality of data collection, and shall adopt control measures such as data desensitization, data encryption and link encryption to prevent data leakage during collection.

(2) On the basis of data classification and grading, further clarify the encrypted-transmission requirements for data of different security levels. Strengthen interface security controls during transmission to ensure the security of data transmitted through interfaces and prevent data theft.

(3) All medical and health institutions shall select appropriate data storage architectures and media, store data domestically in accordance with relevant regulations, and strengthen storage security through measures such as backup and encryption. Where data is stored in the cloud, the security risks this may bring shall be assessed. The data retention period shall not exceed the retention period determined by the data usage rules. Strengthen access control, data copy security and data archiving security controls during storage.

(4) All medical and health institutions shall strictly define the permissions of different personnel, strengthen application and approval process management for data use, ensure that data is used within a controllable scope, strengthen log retention and management, and eliminate tampering with or deletion of logs, so as to prevent data from being used beyond the authorized scope. Each data-using department and data user must use data strictly within the purpose and scope applied for and be responsible for its security. Without approval, no department or individual may transfer undisclosed information or data outside the department or disclose it in any way.

(5) Each medical and health institution shall assess the security risks that releasing or sharing data may bring and take the necessary security controls. Where data reporting is involved, the entity responsible for interpreting the reporting requirements shall determine the scope of data to be reported and the reporting rules, to ensure that data reporting is secure and controllable.

(6) Where a medical or health institution uses facial recognition, it shall also provide an alternative that does not rely on facial recognition, and shall not refuse a data subject the use of its basic business functions because the data subject does not consent to the collection of facial recognition data. Facial recognition data shall not be used for purposes other than identity recognition, including but not limited to assessing work performance, economic condition, health status, preferences or interests. All medical and health institutions shall take security measures for the storage and transmission of facial recognition data, including but not limited to encrypted storage and transmission, and shall store facial recognition data and personal identity information separately using physical or logical isolation.

(7) Data destruction shall use methods that ensure the data cannot be recovered, with particular attention to the risks posed by residual data and by data backups.

Chapter 4 Supervision and Management

Article 23 Each medical and health institution shall actively cooperate with the supervision and management of the relevant competent supervisory agencies, accept routine inspection of its network security management, and carry out network security protection work well.

Article 24 Medical and health institutions shall promptly rectify vulnerabilities, hidden dangers and other problems found during inspections by the competent supervisory agencies to prevent major network security incidents.

Article 25 Where a security incident occurs, such as the leakage, damage or loss of personal information or data, or a network system being attacked, intruded upon or taken control of, or where vulnerabilities or hidden dangers are found in a network and the network security risk increases significantly, the institution shall immediately activate its emergency plan, take the necessary remedial and disposal measures, promptly notify the relevant entities by telephone, SMS, email, letter or other means, and report to the relevant competent supervisory departments as required.

Article 26 Health administrative departments at all levels shall establish a network security incident notification mechanism to report network security incidents in a timely manner.

Article 27 When a network security incident occurs, all medical and health institutions shall report promptly to the health administrative department and the public security organ, protect the scene and retain relevant records, and provide technical support and assistance to public security organs and other regulators that are lawfully safeguarding national security and conducting investigations.

Chapter 5 Management Guarantee

Article 28 Medical and health institutions shall attach great importance to network security management, place it on the important agenda, strengthen overall leadership and planning and design, and implement major matters such as staffing, funding and security protection measures in accordance with laws and regulations. Security protection measures shall be planned, built and used simultaneously with the construction of information systems.

Article 29 Each medical and health institution shall strengthen network security professional exchanges, strictly implement the network security continuing education system, and encourage staff in management and technical positions to obtain certification. Through academic exchanges and competitions, discover and select network security talent, establish talent pools, establish and improve mechanisms for discovering, training, selecting and using talent, and provide a talent guarantee for network security work.

Article 30 Each medical and health institution shall guarantee funding for network security level evaluation, risk assessment, offensive and defensive drills and competitions, security construction and rectification, security protection platform construction, cryptographic assurance system construction, operation and maintenance, education and training, and other related items. The network security budget of a new informatization project shall be no less than 5% of the total project budget.

Article 31 Medical and health institutions shall further improve their network security assessment and evaluation systems, clarify assessment indicators, and organize assessments. Medical and health institutions with the necessary conditions are encouraged to link assessment results with performance.

Chapter 6 Supplementary Provisions

Article 32 Where a violation of these Measures results in the leakage of personal information or data, or in a major network security incident, the matter shall be handled in accordance with the "Cybersecurity Law", the "Cryptography Law", the "Basic Medical and Health Care and Health Promotion Law", the "Data Security Law", the "Personal Information Protection Law", the "Regulations on the Security Protection of Critical Information Infrastructure" and other laws and regulations, as well as the network security multi-level protection scheme.

Article 33 Networks involving state secrets shall be managed in accordance with the relevant state regulations.

Article 34 These Measures shall take effect from the date of issuance.

Source: Department of Planning and Information Technology of the National Health Commission
