---
title_en: "National Standards and Norms for Hospital Informatization Construction (Trial)"
title_zh: "全国医院信息化建设标准与规范（试行）"
abbreviation: "Hospital Informatization Standards"
hierarchy: "standard"
issuing_body: "National Health Commission; State Administration of Traditional Chinese Medicine"
adopted_date: 2018-04-02
effective_date: 2018-04-02
status: "effective"
source_url: "https://www.nhc.gov.cn/guihuaxxs/s10741/201804/"
related_laws: ["csl", "healthcare-institutions-cybersecurity-measures", "healthcare-institutions-data-security-pi-measures", "electronic-medical-records-application-specification"]
domains: ["health", "data-security"]
url: https://datacompliancechina.com/laws/hospital-informatization-standards/
summary: "Issued on 2 April 2018 by the General Office of the National Health Commission (document no. 国卫办规划发〔2018〕4号), this trial standard defines the baseline build-out content and requirements for hospital informatization across China. It builds on the earlier 'Hospital Information Platform Application Function Guide' and 'Hospital Informatization Construction Application Technology Guide' and organizes 262 specific items into five chapters — business applications, information platform, infrastructure, security protection, and emerging technologies — with tiered requirements for Grade-II, Grade-III Class-B, and Grade-III Class-A hospitals. Chapter 4 (Security Protection) is the data-compliance core: it specifies functional requirements for data-center security, endpoint security, network security, and disaster-recovery backup, including firewalls, database audit and access control, intrusion detection/prevention, encryption gateways, data-leak prevention, and offsite backup. The full instrument is a large tabular technical standard; the page below translates the issuing notice in full and gives a structured English summary of the standard's security, network-security, and information-security functional requirements."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/hospital-informatization-standards/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "National Standards and Norms for Hospital Informatization Construction (Trial)", https://datacompliancechina.com/laws/hospital-informatization-standards/
> *DCC note.* This page reproduces the **issuing notice in full** (faithful translation) and provides a **structured English summary** of the attached standard. The standard itself — *National Standards and Norms for Hospital Informatization Construction (Trial)* — is a large tabular technical document (5 chapters, 22 categories, 262 graded line-items, each specified separately for Grade-II, Grade-III Class-B, and Grade-III Class-A hospitals). It is not reproduced verbatim; instead, the summary focuses on its data-security, network-security, and information-security functional requirements (Chapter 4 and the emerging-technologies chapter), which are the parts relevant to data compliance.

---

## Issuing Notice (full translation)

**Notice on the Issuance of the *National Standards and Norms for Hospital Informatization Construction (Trial)***

Document No.: Guo Wei Ban Gui Hua Fa [2018] No. 4

To the health and family planning commissions of all provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps; to all departments and bureaus of the Commission; and to the units directly under and affiliated with the Commission, and the hospitals affiliated with (administered by) the Commission:

In order to promote and standardize hospital informatization construction, our Commission — building upon the *Hospital Information Platform Application Function Guide* and the *Hospital Informatization Construction Application Technology Guide* — has formulated the *National Standards and Norms for Hospital Informatization Construction (Trial)*, which clarifies the construction content and construction requirements for hospital informatization. It is hereby issued to you (it may be downloaded from the website of the National Health Commission). Please implement it by reference.

Contact persons: Wang Yong and Shen Jianfeng, Department of Planning
Telephone: 010-68792937, 68791911

General Office of the National Health Commission
2 April 2018

Attachment: *National Standards and Norms for Hospital Informatization Construction (Trial)*

---

## Structured summary of the Standard

### Status and scope

The *National Standards and Norms for Hospital Informatization Construction (Trial)* (the "Construction Standards") were drafted by the Department of Planning and Information of the National Health Commission together with its Statistical Information Center, with input from more than 60 experts and technicians. The Standards target the clinical-business and hospital-management needs of Grade-II hospitals, Grade-III Class-B hospitals, and Grade-III Class-A hospitals, looking out over a 5–10 year development horizon. Maternal-and-child health hospitals and specialty hospitals may apply them by reference. Grade-II-and-above hospitals are directed to comply, in addition, with health-industry information standards including the **basic dataset for electronic medical records**, the **EMR shared-document specification**, and the **EMR-based hospital information platform technical specification**.

### Document structure (5 chapters, 22 categories, 262 items)

- **Chapter 1 — Business Applications** (9 categories): convenience services, medical services, medical management, medical collaboration, operations management, logistics management, research management, teaching management, human-resources management.
- **Chapter 2 — Information Platform** (2 categories): information-platform foundation, platform service integration.
- **Chapter 3 — Infrastructure** (3 categories): equipment-room foundation, hardware equipment, basic software.
- **Chapter 4 — Security Protection** (4 categories): data-center security, endpoint security, network security, disaster-recovery backup.
- **Chapter 5 — Emerging Technologies** (4 categories): big-data technology, cloud-computing technology, artificial-intelligence technology, Internet-of-Things technology.

Each line-item is specified at three capability tiers, so that a Grade-II hospital generally must meet a reduced subset of the functions and service types that a Grade-III Class-A hospital must meet.

### Chapter 4 — Security Protection (the data-compliance core)

This is the chapter most relevant to data security and network security. It is framed as a catalogue of security devices and capabilities and their required functions.

**Data-center security.** Specifies dedicated security equipment and the functions each must provide, including:
- **Web application firewall** — web access control, page anti-tampering, identity authentication, log auditing, and other functions.
- **Database firewall / database audit and access control** — database auditing, database access control, database access detection and filtering, database service discovery, de-identified-data discovery, and database-status monitoring; support for bridge, gateway, and hybrid deployment, access-control policies based on security-level labels, and active-standby hot backup for continuity of service.
- **Network-boundary firewall** — access control, intrusion prevention, virus prevention, application identification, web protection, load balancing, traffic control, identity authentication, and **data-leak prevention**, with multiple access-control modes (zone access control, packet-level access control, session access control, content-filtering access control, application-identification access control).
- **Security-audit appliances** — recording network behaviour and user behaviour; audit records capturing event time and date, user, event type, and success/failure; analysis and audit-report generation. Includes database-operation auditing (query, protection, backup, analysis, audit, real-time monitoring, risk alerting, operation playback), operations-and-maintenance auditing (resource authorization, O&M monitoring, O&M-operation audit, real-time alerting and blocking of violations, session audit and playback), and host-security auditing.
- **Encryption appliances** — database encryption, key management, database-status monitoring, database risk-scanning; **mail encryption** with attachment encryption, gateway-to-gateway encryption and related modes, plus mail security defence.
- **Intrusion-prevention / intrusion-detection appliances** — active defence against network attacks (with cross-reference to the national standard GB/T 20275-2013 on network intrusion-detection systems), wireless-attack defence, anti-DoS, traffic monitoring, statistical thresholds, and real-time blocking; detection of trojans/backdoors, DoS, buffer-overflow, IP-fragment and network-worm attacks, with source-IP, attack-type, attack-target and attack-time logging and alerting on serious incidents.
- **Network-admission control** — admission identity authentication, compliance/health checks, terminal policy management, and log auditing to screen out non-compliant devices and personnel.
- **Website-protection appliances** — website-attack filtering, file-access control, security verification, attack-event alerting, security-policy management, backup, synchronization, automatic recovery, server-reliability monitoring, and audit logging.

**Endpoint security.** Functional requirements for securing clinical and office terminals (anti-malware, terminal control, and related controls), graded by hospital tier.

**Network security.** Boundary protection, access control, intrusion prevention, and monitoring across the hospital network, consistent with the national Multi-Level Protection Scheme (等级保护 / MLPS).

**Disaster-recovery backup.** Requirements for local full backup and offsite backup of important data, redundancy of key links and key devices, and recoverability — feeding the broader health-data requirement that medical data be reliably backed up and recoverable.

### Chapter 5 — Emerging Technologies (security-relevant notes)

The emerging-technologies chapter (big data, cloud computing, artificial intelligence, Internet of Things) sets capability expectations that carry their own security implications — for example, security assessment of cloud platforms and data, and protection of data processed through big-data and AI applications. These requirements are echoed and tightened by the later *Measures for Cybersecurity Management of Healthcare Institutions* and the *Measures for Data Security and Personal Information Protection of Healthcare Institutions (Trial)*.

### Why this matters for data compliance

For overseas medtech, hospital-IT, and health-data vendors building or supplying systems to Chinese hospitals, the Construction Standards are the reference catalogue that hospitals use to specify security functions in tenders and acceptance testing. The Chapter 4 device/function list is, in practice, a checklist of the security controls a compliant hospital information environment is expected to contain — firewalls, database audit and access control, intrusion detection/prevention, encryption and key management, data-leak prevention, audit logging, network-admission control, and offsite backup. A supplier whose product is intended to operate inside a Grade-III hospital environment should expect these controls to be present and to be required to interoperate with them.

---

— *National Standards and Norms for Hospital Informatization Construction (Trial)*, issued 2 April 2018 by the General Office of the National Health Commission (Guo Wei Ban Gui Hua Fa [2018] No. 4). The issuing notice above is a faithful DCC translation; the description of the standard is a structured DCC summary of a large tabular technical document, not a verbatim translation. For the source document, see the [National Health Commission website](https://www.nhc.gov.cn/guihuaxxs/s10741/201804/).
