Network Security Management Measures for Medical and Healthcare Institutions

Policy Interpretation of the Measures for the Administration of Network Security of Medical and Healthcare Institutions

With the deepening of high-quality development, the national healthcare sector has entered a period of important opportunity. Informatization plays a key supporting role in this, and the medical and healthcare data generated along the way is not only an important factor of production but also a basic strategic resource of the country, so the importance of cybersecurity is becoming increasingly prominent. Against this background, the release of the Measures for the Management of Network Security in Healthcare Institutions (hereinafter referred to as the Measures) further standardizes the management of network and data security in healthcare institutions, promotes the development of "Internet + Healthcare", and accelerates the high-quality development of the healthcare industry.

The Measures clearly define the basic principles of network and data security management, the division of management responsibilities, implementation standards, and supervision and penalty requirements for every healthcare institution. They reflect an overall balance between security and development, are consistent with the series of policies and regulations issued previously, and point out the general direction of network security management for healthcare institutions, which is mainly embodied in the following four aspects:

First, emphasizing one cycle. The guiding idea of full life cycle management runs through the entire text of the Measures. In terms of network security, centered on the full life cycle of the information system, the Measures set out requirements for implementing the hierarchical protection system, monitoring and early warning, emergency response, security rectification, personnel management, application of new technologies, cryptographic security, medical equipment, supply chain management and so on. In terms of data security, with safeguarding the confidentiality, integrity and availability of data as the goal, they require the adoption of data encryption, data backup, data desensitization and other technologies to strengthen security protection across the whole life cycle of data collection, transmission, storage, use, exchange and destruction. In practice, institutions should start from the network and data life cycle perspective, sort out the security policy architecture, identify specific business scenarios, and design targeted security measures for each scenario to achieve security protection.

Second, highlighting two key points. The Measures emphasize that the security management of medical and healthcare institutions should be driven by two key points: top-level design and institutional safeguards. In terms of top-level design, on the basis of the overall network security system and according to the characteristics of the data, institutions should construct a top-level design for network and data security, implement the division of security responsibilities, and clarify the rights and responsibilities of the data management departments, business departments and information technology departments in network and data security management. In terms of institutional safeguards, the Measures make clear that medical and healthcare institutions should establish and improve security management systems, operating procedures and technical specifications. In the course of implementation, they should closely track changes in their own business models, revise and improve the system requirements in a timely manner, and keep the network and data security system effectively implemented and fully coordinated.

Third, integrating the trinity. The Measures require the establishment of a network security management system, the strengthening of network security protection, and the safeguarding of an effective balance between data security and data application through management and technical means. In practice, the overall security strategy should be broken down into specific security management requirements, those management requirements should be realized through security technology, and both should ultimately be integrated into the corresponding security operation system, forming a three-dimensional network security management model that integrates management, technology and operations.

Fourth, building four systems. The Measures call for establishing a synergistic, integrated prevention and control pattern made up of four systems: protection, monitoring, disposal and safeguards. In terms of security protection, they require the establishment of a "combat-oriented, systematic, normalized" security protection system, forming a security protection posture of "dynamic defense, active defense, defense in depth, precise defense, overall prevention and control, joint prevention and control". At the level of security monitoring, they encourage tertiary hospitals to explore the construction of situational awareness platforms, to collect, aggregate and analyze network security information from all parties in a timely manner, and to interface with national and industry platforms. In the area of security disposal, they call for a synergistic system of supervision and management, security inspection, emergency preparedness, and joint prevention and control. In the area of safeguards, they achieve all-round support through leadership coordination, planning and design, personnel training, security training and financial support.

Overall, the Measures adhere to the basic principles of security and controllability and of open innovation. Their promulgation provides a working guide for the network security management of healthcare institutions, builds a solid security barrier for those institutions, and lays the foundation for the development of network security in the healthcare industry.