DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · HEALTHCARE CYBERSECURITY MEASURES

Measures for the Cybersecurity Management of Healthcare Institutions.

医疗卫生机构网络安全管理办法

Promulgated by: National Health Commission, National Administration of Traditional Chinese Medicine, and National Disease Control and Prevention Administration. Document No.: 国卫规划发〔2022〕29号. Adopted and promulgated on August 8, 2022. Effective upon promulgation.

Chapter I General Provisions

Article 1. These Measures are formulated, in order to strengthen cybersecurity management at healthcare institutions, further promote the development of “Internet Plus Health Care,” give full play to the role of health and medical big data as an important foundational strategic resource of the State, and prevent cybersecurity incidents, in accordance with the Law on the Promotion of Basic Medical and Health Care, the Cybersecurity Law, the Cryptography Law, the Data Security Law, the Personal Information Protection Law, the Security Protection Regulations for Critical Information Infrastructure, the Cybersecurity Review Measures, and the Multi-Level Protection Scheme (MLPS) and other relevant laws, regulations, and standards.

Article 2. The following principles shall be upheld:

Cybersecurity serves the people and relies on the people; the integrated development of cybersecurity education, technology, and industry shall be promoted; the promotion of development shall be unified with management in accordance with law; and security controllability and open innovation shall be given equal weight.

Graded protection and emphasis on key priorities shall be upheld. Priority protection shall be given to critical information infrastructure (CII), Level-3 and above networks under the Multi-Level Protection Scheme (MLPS) (hereinafter “Level-3 and above networks”), and important data and personal information security.

Active defense and comprehensive protection shall be upheld. Artificial intelligence, big data analysis, and other technologies shall be fully utilized to strengthen security monitoring, situational awareness, threat notification and early warning, and emergency response; and the “three transformations and six defenses” (三化六防) cybersecurity protection measures — comprising “operationalization, systematization, and normalization” and “dynamic defense, active defense, in-depth defense, precision protection, holistic control, and joint defense and control” — shall be implemented.

The principle of “whoever manages business manages security” and “whoever has jurisdiction bears responsibility, whoever operates bears responsibility, and whoever uses bears responsibility” shall be upheld; the cybersecurity accountability system shall be implemented; and the responsibilities of all parties shall be clearly defined.

Article 3. For the purposes of these Measures, “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures.

The “data” referred to in these Measures is network data, meaning various electronic data collected, stored, transmitted, processed, and generated through networks by healthcare institutions, including but not limited to various clinical, research, and management business data, data generated by medical devices, personal information, and data derivatives.

These Measures apply to the cybersecurity management of networks operated by healthcare institutions. Primary-level healthcare institutions that have not been incorporated into a regional primary healthcare information system shall implement these Measures by analogy.

Article 4. The National Health Commission (NHC), the National Administration of Traditional Chinese Medicine (NATCM), and the National Disease Control and Prevention Administration (NDCPA) are responsible for the overall planning, guidance, assessment, and supervision of cybersecurity work at healthcare institutions. Local health administrative departments at the county level and above (including departments responsible for traditional Chinese medicine and disease control, the same below) are responsible for guiding and supervising cybersecurity work at healthcare institutions within their respective administrative areas.

Healthcare institutions bear primary responsibility for cybersecurity management at their own institutions. Each healthcare institution shall, in writing, agree with entities participating in informatization construction and relevant medical device manufacturers and distributors on the cybersecurity obligations and liability for breach of each party.

Chapter II Cybersecurity Management

Article 5. Each healthcare institution shall establish a leading group for cybersecurity and informatization work, with the institution’s principal responsible person serving as the leader of the group; the group shall convene at least one cybersecurity working meeting per year to deploy key security tasks and implement the requirements of the Security Protection Regulations for Critical Information Infrastructure and the Multi-Level Protection Scheme (MLPS). Healthcare institutions with Level-2 and above networks shall designate a functional department responsible for cybersecurity management work, and designate positions responsible for the duties of cybersecurity supervisor and cybersecurity administrator; establish a cybersecurity management system, strengthen cybersecurity protection, and reinforce emergency response; and, on this basis, provide key protection for critical information infrastructure (CII) to prevent cybersecurity incidents.

Article 6. Each healthcare institution shall, in accordance with the principle of “whoever has jurisdiction bears responsibility, whoever operates bears responsibility, and whoever uses bears responsibility,” clearly define, during the network construction process, the management responsibilities of the jurisdiction department, operating department, informatization department, and user department for each of its networks; and shall carry out classification and rating, filing, assessment, and security construction rectification work under the Multi-Level Protection Scheme (MLPS) for the networks within its operating scope.

(1) For newly constructed networks, the cybersecurity protection level shall be determined during the planning and reporting phase. Each healthcare institution shall comprehensively sort through all types of networks within the institution, in particular the basic situation regarding new-technology applications including cloud computing, the Internet of Things, blockchain, 5G, and big data, and shall scientifically determine the cybersecurity protection level of each network based on the network’s functions, service scope, service objects, and data processed, in accordance with relevant standards, and shall submit the determination for review and approval by the superior competent authority.

(2) Once a newly constructed network is put into use, MLPS filing shall be carried out in accordance with laws and regulations. For Level-2 and above networks, the operator shall file with the public security organs within ten working days after the cybersecurity protection level is determined, and shall report the filing status to the superior health administrative department; where a network is withdrawn or its security protection level changed, the filing shall be withdrawn or amended with the original public security filing organ within ten working days, and a concurrent report shall be made to the superior health administrative department.

(3) A comprehensive analysis of cybersecurity protection requirements shall be conducted; an overall plan and construction proposal meeting the cybersecurity protection level requirements shall be developed in accordance with the requirement of “one center (security management center) and three-tier protection (secure communication network, secure area boundary, and secure computing environment)”; security management during the in-house development or outsourced development of information systems shall be strengthened; cybersecurity construction shall be conscientiously carried out; and security protection measures shall be fully implemented.

(4) Each healthcare institution shall conduct detection and assessment of the security of its already-classified and filed networks. Level-3 and Level-4 networks shall engage an MLPS assessment institution to conduct cybersecurity level assessments at least once per year. Level-2 networks shall engage an MLPS assessment institution to conduct periodic cybersecurity level assessments; among these, networks involving the personal information of more than 100,000 persons shall be assessed at least once every three years, and other networks at least once every five years. Newly constructed networks shall undergo a security test before going online and into operation.

(5) For problems and hidden dangers identified during level assessments, each healthcare institution shall, in light of external threat risks and in accordance with the requirements of laws, regulations, policies, and standards, formulate a cybersecurity rectification plan; carry out targeted rectification; promptly eliminate risks and hidden dangers; shore up management and technical weaknesses; and enhance security protection capability.

Article 7. Each healthcare institution shall, by leveraging the national cybersecurity information notification mechanism, strengthen its own cybersecurity notification and early-warning capacity-building. Tertiary-grade hospitals are encouraged to explore the construction of situational awareness platforms to promptly collect, aggregate, and analyze cybersecurity information from all sources; to strengthen threat intelligence work; to organize cybersecurity threat analysis and situational assessments; and to provide timely notifications, early warnings, and responses to prevent events such as network destruction and data leakage.

Article 8. Each healthcare institution shall establish an emergency response mechanism and, through developing and improving emergency response plans and organizing emergency drills, effectively handle security incidents such as network interruptions, cyber attacks, and data leakage, and improve the capacity to respond to cybersecurity incidents. Institutions shall actively participate in cybersecurity offense-and-defense drills to enhance protection and countermeasures capability.

Article 9. During network operations, each healthcare institution shall annually conduct security self-inspections in various forms, including document verification, vulnerability scanning, and penetration testing, to promptly identify potential problems and hidden dangers. Security vulnerabilities identified during security self-inspections, monitoring and early warning, and security notification processes shall be conscientiously rectified and reinforced to prevent networks from operating with pre-existing flaws; and the results of security self-inspection and rectification shall be reported to the superior health administrative department as required. Self-inspection and rectification may be carried out concurrently with rectification of problems identified during level assessments.

The annual security self-inspection and rectification work includes:

(1) In accordance with the requirements of the superior supervisory and regulatory authority, each healthcare institution shall complete an information asset inventory, ascertain the classification, filing, and other status of its networks, compile an asset list, and organize a security self-inspection.

(2) In accordance with the requirements of the superior supervisory and regulatory authority, each healthcare institution shall, based on the results of the security self-inspection, carry out rectification of identified problems and hidden dangers and submit a rectification report to the relevant supervisory and regulatory authority for the record.

Article 10. Critical information infrastructure (CII) operators shall conduct security background checks on the heads of security management bodies and personnel in key positions. Each healthcare institution shall strengthen the management of personnel involved in network operations, including both its own internal staff and third-party personnel; shall clearly define the full-process security management for internal staff covering onboarding, training, assessment, and departure; for third-party personnel shall clearly define the application and approval process for accessing networks; and shall carry out real-name registration, personnel background checks, and the signing of confidentiality agreements to prevent security risks arising from personnel qualifications and unauthorized operations.

Article 11. Network operations and maintenance management shall be strengthened; operational specifications and workflows shall be formulated. Physical security protection shall be strengthened; security control measures for server rooms, office environments, and operations and maintenance sites shall be improved to prevent information leakage resulting from unauthorized physical access. Remote operations and maintenance management shall be strengthened; where, due to genuine business needs, remote operations and maintenance over the internet is required, an assessment and justification shall be conducted and corresponding security control measures shall be taken to prevent security incidents caused by exposure of remote access ports.

Article 12. Each healthcare institution shall strengthen business continuity management and continuously monitor network operational status. For Level-3 and above networks, key link and key device redundancy backup shall be strengthened; healthcare institutions with the capability to do so shall establish application-level disaster recovery backup to prevent interruptions to key business functions.

Article 13. When using new technologies such as big data, artificial intelligence, and blockchain to provide services, the security risks of the new technologies shall be assessed and security controls applied before going online, to achieve a balance between application and security.

Article 14. Each healthcare institution shall standardize and strengthen the protection of medical device data and personal information as well as cybersecurity management; shall establish and improve cybersecurity management systems covering tendering and procurement, installation and commissioning, operation and use, maintenance and repair, and disposal of medical devices; shall periodically inspect or assess medical device cybersecurity; and shall take corresponding security control measures to ensure medical device cybersecurity.

Article 15. Each healthcare institution shall, in accordance with the Cryptography Law and other relevant laws and regulations and standards and specifications for cryptographic applications, synchronously plan, construct, and operate cryptographic protection measures in the network construction process, and shall use cryptographic products and services meeting the relevant requirements.

Article 16. Each healthcare institution shall give attention to the security management of all participants in the entire network chain; where third parties outside the institution are involved, it shall implement security management over design, construction, operation, and maintenance services, and shall procure secure network products and services to prevent third-party security incidents.

Article 17. Each healthcare institution shall strengthen the security management of decommissioned networks; conduct risk assessments on equipment associated with decommissioned networks; promptly take measures to seal or destroy such equipment; ensure the secure disposal of data in decommissioned networks; and prevent network data leakage.

Chapter III Data Security Management

Article 18. Each healthcare institution shall, in accordance with the provisions of relevant laws and regulations and with reference to national cybersecurity standards, fulfill its data security protection obligations; shall adhere to the equal importance of ensuring data security and development; and shall, through management and technical means, ensure an effective balance between data security and data application. Critical information infrastructure (CII) operators shall formulate critical information infrastructure security protection plans and shall establish and improve systems for data security and personal information protection.

Article 19. A data security management organizational structure shall be established; the primary responsibilities of business departments and management departments in data security activities shall be clearly defined; through means such as security responsibility letters, the rights and responsibilities of the institution’s data management departments, business departments, and informatization departments in the entire lifecycle of data security management shall be regulated; a data security accountability system shall be established; and an accountability and investigation system shall be implemented.

Article 20. Each healthcare institution shall conduct a comprehensive annual review of its data assets and, on the basis of implementing the Multi-Level Protection Scheme (MLPS), shall establish the institution’s data classification and grading standards based on the importance of the data and the degree of harm caused by its compromise. Data classification and grading shall follow the principles of legal compliance, executability, timeliness, autonomy, differentiation, and objectivity.

Article 21. Each healthcare institution shall establish and improve data security management systems, operating procedures, and technical specifications; the management systems involved shall be revised at least once per year; it is recommended that relevant personnel sign confidentiality agreements annually. Annual data security risk assessments shall be conducted on the institution’s data to keep abreast of the data security status in a timely manner. Data security education and training shall be strengthened; security awareness education and data security management system publicity and training shall be organized. Combined with the institution’s actual circumstances, complete data use application and approval workflows shall be established and improved, following the principles of “whoever manages, reviews,” prior application and approval, monitoring during the process, and post-process review; the work procedure requiring the consent of the business management department and approval by the healthcare institution’s leadership shall be strictly executed; and the compliance of data activity processes shall be guided.

Article 22. Each healthcare institution shall strengthen the full-lifecycle security management of data covering collection, storage, transmission, processing, use, exchange, and destruction; data lifecycle activities shall be conducted within the territory of China; where, due to genuine business needs, data must be provided to entities outside the territory, a security assessment or review shall be conducted in accordance with relevant laws, regulations, and requirements; data processing activities that affect or may affect national security shall be submitted for a national security review; and data security incidents shall be prevented.

(1) Each healthcare institution shall strengthen the management of the lawfulness of data collection and shall clearly define the primary responsibilities of business departments and management departments in the lawfulness of data collection. Preventive measures such as data de-identification, data encryption, and link encryption shall be taken to prevent data leakage during the data collection process.

(2) On the basis of data classification and grading, the encrypted transmission requirements for data at different security levels shall be further clarified. Interface security controls during the transmission process shall be strengthened to ensure security during transmission through interfaces and to prevent data theft.

(3) Each healthcare institution shall, in accordance with relevant laws and standards, select an appropriate data storage architecture and storage media and store data within the territory of China, and shall adopt backup, encryption, and other measures to strengthen data storage security. Where data is stored on the cloud, the potential security risks shall be assessed. The data storage period shall not exceed the retention period determined by the data use rules. Access control security, data copy security, and data archiving security management during the storage process shall be strengthened.

(4) Each healthcare institution shall strictly define the access rights of different personnel; shall strengthen the management of application and approval workflows during data use; shall ensure that data is used within a controllable scope; shall strengthen log retention and management; shall prevent the falsification or deletion of logs; and shall prevent unauthorized use of data. Each data-using department and each data user shall use data strictly in accordance with the purpose and scope stated in the application and shall be responsible for the security of the data. Without approval, no department or individual may transmit information data that has not been publicly disclosed outside the department or disclose it in any manner.

(5) When each healthcare institution publishes or shares data, the potential security risks shall be assessed and necessary security prevention and control measures shall be taken; where data reporting is involved, the party proposing data reporting shall be responsible for interpreting the reporting requirements, determining the reporting scope and reporting rules, and ensuring that data reporting is secure and controllable.

(6) When a healthcare institution conducts facial recognition or facial identification, it shall simultaneously provide a non-facial-recognition identity verification method; the institution shall not refuse a data subject’s use of its basic business functions on account of the data subject’s refusal to consent to the collection of facial recognition data; and facial recognition data shall not be used for purposes other than identity verification, including but not limited to assessing or predicting a data subject’s work performance, financial status, health status, preferences, or interests. Each healthcare institution shall take security measures to store and transmit facial recognition data, including but not limited to encrypted storage and transmission of facial recognition data, and the use of physical or logical isolation to store facial recognition data and personal identity information separately.

(7) When destroying data, a destruction method that ensures the data cannot be restored shall be used, with particular attention to the risks of data remnants and data backup.

Chapter IV Supervision and Management

Article 23. Each healthcare institution shall actively cooperate with the supervision and management of the relevant competent supervisory and regulatory authorities, accept routine inspections of cybersecurity management, and do a good job of cybersecurity protection.

Article 24. Each healthcare institution shall promptly rectify vulnerabilities, hidden dangers, and other problems identified by the relevant competent supervisory and regulatory authorities during inspections, and shall prevent major cybersecurity incidents.

Article 25. Where a security incident involving the leakage, damage, or loss of personal information or data occurs, or a cybersecurity incident such as a cyber attack, intrusion, or takeover of network systems occurs, or where a network vulnerability or hidden danger is discovered or cybersecurity risk is significantly increased, each healthcare institution shall immediately activate its emergency response plan, take necessary remediation and response measures, promptly notify the relevant parties through various means such as telephone, SMS, email, or letter, and report to the relevant competent supervisory and regulatory departments as required.

Article 26. Health administrative departments at all levels shall establish a working mechanism for the notification of cybersecurity incidents and shall promptly notify cybersecurity incidents.

Article 27. When a cybersecurity incident occurs, each healthcare institution shall promptly report to the health administrative department and the public security organs, take measures to protect the scene and preserve relevant records, and provide technical support and assistance to the public security organs and other supervisory departments in lawfully maintaining national security and conducting investigations.

Chapter V Management Safeguards

Article 28. Each healthcare institution shall attach great importance to cybersecurity management work, place it on the agenda for important deliberations, and strengthen overall leadership and planning and design; shall in accordance with laws and regulations address major issues including the allocation of personnel and funds and the construction of security protection measures; and shall ensure that security protection measures for information systems are planned, constructed, and used synchronously.

Article 29. Each healthcare institution shall strengthen business exchanges on cybersecurity, strictly implement the continuing education system for cybersecurity, and encourage management and technical positions to obtain and maintain relevant qualifications. Through organizing academic exchanges and skills competitions, cybersecurity talent shall be identified and selected; talent pools shall be established; and mechanisms for the identification, cultivation, selection, and utilization of talent shall be established and improved to provide human resources support for carrying out cybersecurity work.

Article 30. Each healthcare institution shall ensure the allocation of funds for conducting MLPS level assessments, risk assessments, offense-and-defense drill competitions, security construction and rectification, security protection platform construction, cryptographic security system construction, operations and maintenance, and education and training. The cybersecurity budget for newly constructed informatization projects shall not be less than five percent of the project’s total budget.

Article 31. Each healthcare institution shall further improve the cybersecurity assessment and evaluation system, clarify assessment indicators, and organize assessments. Healthcare institutions with the capability to do so are encouraged to link assessment results to performance.

Chapter VI Supplementary Provisions

Article 32. Violations of these Measures that result in personal information or data leakage, or in major cybersecurity incidents, shall be handled in accordance with the Cybersecurity Law, the Cryptography Law, the Law on the Promotion of Basic Medical and Health Care, the Data Security Law, the Personal Information Protection Law, the Security Protection Regulations for Critical Information Infrastructure, the Multi-Level Protection Scheme (MLPS), and other laws and regulations.

Article 33. Networks involving State secrets shall be handled in accordance with relevant State regulations.

Article 34. These Measures shall come into force on the date of promulgation.
