 Home > Active Ingredient News > Drugs Articles > The 18-month policy has 12 consecutive launches. This medical segmentation track is already on the line

The 18-month policy has 12 consecutive launches. This medical segmentation track is already on the line

 Last Update: 2021-07-30
 Source: Internet
 Author: User

Tags

what dentists use numb

contact customer service

Search more information of high quality chemicals, good prices and reliable suppliers, visit www.echemi.com

Before July 2021, when it comes to health and medical data security, everyone's response is usually "this is very important", but it is not so important when it is implemented
.

However, several major events that will happen together in the second half of 2021 will greatly change existing concepts and make health and medical data security the protagonist under the spotlight

First, on June 10, 2021, the 29th meeting of the Standing Committee of the 13th National People's Congress passed the "Data Security Law of the People's Republic of China", which will come into force on September 1, 2021
.

This law will become a vital legal foundation in China's big data strategy and an important cornerstone in the field of data security and the development of the digital economy

Subsequently, the well-known incident of Didi Chuxing’s listing in the United States triggered supervision and became the first public network security review case since the promulgation of the "Network Security Review Measures" in April 2020
.

Affected by this, technology companies that were originally scheduled to go public in the United States in the near future have temporarily shelved their listing plans

For example, the medical technology company Zerokrypton Technology, which focuses on the field of oncology, provides a big data platform for cancer patients, and provides services for medical institutions and pharmaceutical companies, announced on July 8 that it had shelved its original scheduled trip to the United States on Nasda the next day.
The plan to go public has been postponed
.

Prior to this, the company had just updated its prospectus on July 1, and formally updated its IPO application to the US Securities and Exchange Commission (SEC) on July 6

Almost at the same time as Didi’s listing in the United States on July 1, the "Guidelines for Information Security Technology, Health and Medical Data Security" (GB/T 39725-2020, hereinafter referred to as "Security Guidelines") were formally implemented
.

The strong earthquakes caused by this series of events continue
.

On July 10, the Cyberspace Administration of China issued the "Cyber Security Review Measures (Revised Draft for Solicitation of Comments)", requiring operators with personal information of more than 1 million users to apply for a cyber security review to the Cyber Security Review Office when they go to a foreign listing

In recent years, relevant departments have noticed the hidden dangers of health and medical data security, and have gradually promoted the establishment of regulations and standards to improve the top-level design
.

According to arterial network statistics, since 2020, relevant departments have successively issued 12 policies and standards related to health and medical data security, the intensity of which is eye-catching

There is no doubt that with the strengthening of supervision, various industries including medical and health will re-examine data security in the next period of time and adjust its weight in the plan
.

Artery Network (WeChat ID: VCBeat) will also launch a series of articles to interpret the current medical and health data security

Always count down, never exception! Health and medical data security is not optimistic

"The current situation of health and medical data security is not optimistic!" Zhu Suishong, director of the Information Department of Huazhong University of Science and Technology Union Shenzhen Hospital, believes that with the advancement of informatization in the health and medical field in recent years, as well as new types of 5G, big data, artificial intelligence and the Internet of Things With the development of technology, the degree of application and openness of health and medical data is gradually deepening
.

This also makes health and medical data face more and more security challenges at all stages of the entire life cycle

As for what is health and medical data, various departments have had their own different interpretations before this
.
The newly released "Safety Guidelines" have made a clear definition of this-"including personal health and medical data and health and medical-related electronic data obtained after processing of personal health and medical data
.
"

"Personal health and medical data" refers to "relevant electronic data that can identify a specific natural person alone or combined with other information or reflect the physical or mental health of a specific natural person
.
" "Health and medical related electronic data obtained after processing and processing of personal health and medical data "includes the results of the overall analysis population, trend forecasting, statistical data and other disease prevention
.
In other words, health and medical data are divided into two aspects: "individual" and "group"
.

In general, health and medical data can be divided into personal attribute data, health status data, medical application data, medical payment data, health resource data, and public health data
.

The screenshot is from the "Guide to Information Security Technology, Health and Medical Data Security"

It is not difficult to see that health and medical data have universal authenticity and privacy
.
These data include data on the health of individuals, medical visits and other data from the micro level, and data on the spread of diseases and the health status of the regional population from the macro level.
The safety of health and medical data is related to the safety of patients’ lives, personal information security, social and public interests, and the state.
Safe
.

Generally speaking, due to the basic professional ethics of medical staff, medical institutions holding large amounts of medical and health data will not actively disclose health and medical data
.
However, concerns about the security of health and medical data are not groundless
.
After all, the performance of medical institutions in terms of data security, both at home and abroad, is lacklustre
.

According to statistics from Tencent Smart Security’s "Special Report on Ransomware in the Medical Industry", during the WannaCry ransomware epidemic in 2017, 247 top-tier hospitals across the country detected ransomware
.
This ransomware can spread in the form of a worm through the Eternal Blue loophole
.
Therefore, once WannaCry invades the intranet of medical institutions, it can quickly spread to the intranet
.

However, what is ironic is that for the Eternal Blue vulnerability, Microsoft officially released a patch for the vulnerability a year before the incident
.

In February 2018, a hospital in Central China was attacked by a ransomware virus.
All data files on the server were forcibly encrypted, causing the hospital system to be paralyzed and all businesses affected
.
The hacker asked the hospital to pay 1 Bitcoin ransom for each infected terminal within six hours, which is approximately 66,000 yuan for each terminal to be unlocked
.
Coincidentally, there are reports that the information system of a hospital in East China has also been hacked and extorted 200 million yuan worth of ether
.

Of course, the situation abroad is not getting better there
.
In September 2020, the University Hospital of Dusseldorf in Germany was attacked by a ransomware virus, which caused 30 servers in the hospital to be encrypted and the hospital information system to collapse
.
However, judging from the demand for extortion, the hacker actually intends to extort the Heinrich Hein University affiliated to the University Hospital of Düsseldorf, not the hospital itself
.

The police immediately contacted and informed the hackers that they were blackmailing hospitals rather than universities
.
The "conscientious" hacker subsequently withdrew the blackmail attempt and provided a digital key to decrypt the data
.
However, this accident has led to a tragedy-because of the collapse of the hospital system, a patient who was rushed to the hospital for emergency treatment had to be transferred to a hospital in Wuppertal about 32 kilometers away from the hospital
.
Due to delays in treatment, the unfortunate patient died
.

IBM Security's "Data Breach Cost Report 2020" surveyed 17 industries in 17 countries and regions.
The industry with the highest average total cost of data breaches in 2020 is the medical industry.
The average total cost is as high as $7.
13 million, which is higher than that in 2020.
The industry’s average total cost of a data breach of $3.
86 million is nearly twice as high
.

The average total cost of data breach by industry (unit: million US dollars), the data is from the "2020 Data Breach Cost Report", arterial network mapping

The percentage change in the average total cost of each industry from 2019 to 2020, the data is from the "Data Breach Cost Report 2020", arterial network mapping

Even more embarrassing is that since 2015, the cost of data breaches in the healthcare industry has been at the top of the list
.
The average total cost in 2020 has increased by 10% over the industry's level in 2019
.

The average time for each industry to detect and control data breaches (unit: days), the data is from the "Data Breach Cost Report 2020", arterial network mapping

In terms of the average time to discover and control data breaches, the health care industry performed the worst-it took an average of 236 days to discover a data breach, and another 93 days to contain it
.
In contrast, the best-performing financial industry only took 233 days to discover the leak and the time to contain it (177 days for discovery, 56 days for containment)
.

In other words, while the financial industry has already dealt with the data breach, the medical industry has not even discovered a data breach at all
.

Number of data breach incidents divided by industry, data from "2021 DBIR", arterial network mapping

In Verizon's "2021 Data Breach Investigation Report" (2021 DBIR), the performance of the medical industry is also relatively poor
.
The investigation recorded 472 confirmed data breaches, ranking among the top three in all industries where data was leaked
.
From the perspective of the types of data breaches, 36% are delivery errors, which has been the same in the past few years
.
Although not malicious in nature, it means that basic human error continues to plague the industry
.

In addition, some medical information leaks have also been reported in the arts and entertainment industries
.
Through further digging into the data, it is found that this may be related to related sports
.
This also shows that don't think that non-medical and health institutions have no medical data or have no obligation to protect health and medical data
.

Why are health and medical data security risks increasing sharply?

So, why does the medical and health industry face such a big risk in data security? The reason is simple, money! In the Verizon "2021 Data Breach Investigation Report" on the investigation of data breach motives, 61% of the threats in the medical industry come from outside , 91% of the motivation comes from finances
.

In general, data risks in the medical and health field are mainly divided into data unavailability risks and data leakage risks
.

The first is the risk of data unavailability
.
Compared with other institutions, the hospital information system is special, and most of the data belongs to the information that needs to be used urgently
.
Once encrypted by the ransomware virus, the data is unavailable, or the system malfunctions, it will have a great impact on the business, directly affecting the normal medical treatment of the patient, and even the life safety of the patient
.
Therefore, the medical and health industry will generally try its best to restore normal business operations as quickly as possible, and it is more likely to pay the ransom obediently
.

Second, there is the risk of data leakage
.
Health and medical data has strong privacy.
Personal attribute data includes a large amount of information such as personal name, address, contact information, social insurance number, bank account information, and so on
.
This information is enough to sell for a good price on the black market, and it may also be stolen by someone, illegally obtaining prescription drugs or even defrauding insurance
.

Once the health privacy of some public figures is leaked, it will have a serious negative impact on their lives and work
.
Therefore, these health and medical data are often targeted by hackers to ask for money or resell them to paparazzi for profit
.
Just recently, the hair transplant photos of a top singer have been leaked to the public, becoming the latest victim of a health and medical data breach
.
This situation has been repeated in recent years
.

In addition, a large amount of medical data has begun to be provided for third-party development and testing, and it is also easy to cause personal privacy data leakage
.
In the emerging biotechnology industry involving high-value biological data such as national human genetic resources and gene editing, once data leakage occurs, the consequences will be very serious
.

The current health and medical data security risks, which are mainly hospitals, are serious, and the industry generally believes that the main reasons are as follows
.

First, the hospital information system is not an isolated system.
With the further development of information system interconnection and application mining of health and medical data, hospitals lacking adequate preparation are facing more external security threats, and the risk of hackers and network attacks Will further intensify
.

Second, compared with the emphasis on medical quality and safety, the hospital's safety awareness is relatively weak and the management system is imperfect
.
Most hospitals do not have a dedicated information security management organization and a complete set of standardized management systems, which are seriously lagging behind the speed of informatization development
.

For example, most hospitals have unclear division of internal and external networks and lack of isolation measures between internal and external networks.
At the same time, they have not deployed terminal security management and audit systems, and even non-compliant terminals can be connected to the internal network at any time, resulting in terminal security It cannot be traced after the accident
.

Third, the security measures of the hospital information system are not perfect
.
For example, the core HIS system operation lacks effective security protection measures and audit mechanisms; the hospital portal website lacks necessary security protection measures, and there is a risk of SQL injection attacks and website suspension
.

Fourth, a series of health and medical data such as patient information and diagnosis and treatment information in the medical and health industry have great commercial value, and are gradually coveted by the gray industry chain
.

Fifth, hospitals are increasingly dependent on various information systems
.
For example, the HIS system involves the all-round management of the flow of people, logistics, and finances by the various departments of the hospital.
Each link of the patient's medical treatment needs to be directly linked to it.
Once the core information system has a problem, the impact will be huge
.

Chen Lei, the solution director of Sangfor Medical Division, mentioned in an interview with Artery Network that most customers in the medical industry do not actually know where their pain points are
.
At present, the medical and health industry does not have enough knowledge and awareness of data security
.
In many cases, hospitals do not actually know how many data assets they have, let alone data security
.

At the same time, most organizations do not have an overall plan during construction.
There are many situations in which a certain point of data security is driven by events, and it is too difficult to cope.
Finally, data security has always been closely related to the strength of policies
.
When the current policies and promotion are not refined to a certain degree in the industry, it will also cause a "confusion period" in the construction process
.

Because of this, the health and medical data security situation has become more and more serious, and it has reached an imminent point
.

The policy has been issued in 12 consecutive months in the past 18 months, and the top-level plan for health and medical data security has gradually increased

Data security has always been an area that our government attaches great importance to
.
As early as February 1994, the State Council promulgated the "Regulations on the Security Protection of Computer Information Systems," which for the first time determined that computer information system security level protection will be implemented nationwide
.

The so-called "industry development, legislative standards first", after entering the 21st century, China has begun to improve the top-level planning and design of health and medical data security, and has significantly increased its efforts in recent years
.

In May 2007, the Ministry of Public Security issued the "Administrative Measures for Graded Information Security Protection
.
" Subsequently, the General Administration of Quality Supervision, Inspection and Quarantine and the National Standardization Management Committee have successively formulated and issued national standards such as "Basic Requirements for Information System Security Graded Protection (GB/T22239-2008)", and the graded protection system has been formally implemented, which is commonly known as Waiting for Warranty 1.
0
.
Equal Insurance 1.
0 is widely used in various industries and has played a vital role in the process of promoting informatization in China
.

Taking the medical and health industry as an example, in December 2011, the former Ministry of Health issued the "Guiding Opinions on Information Security Level Protection in the Health Industry"
.
The health industry is required to carry out the grading work in accordance with the "Guidelines for the Grading of Information Security Technology Information System Security Level Protection", and it is clear that the security protection level of important health information systems shall not be lower than the third level in principle
.

On April 15, 2014, at the first plenary meeting of the Central National Security Committee, the major strategic thinking of the "Overall National Security Concept" including information security was put forward for the first time
.
The National Security Law promulgated in 2015 clearly included data security in the scope of national security
.
From then on, China's policies in the field of health and medical data security began to be rolled out quickly
.

In order to adapt Internet security supervision and protection to the technical requirements of the new era, in June 2017, the "Cyber Security Law" became China's first comprehensive legislation in the field of cyber security
.
"Network security" has entered China's top-level design in the form of legislation, and has put forward higher standards and requirements for China's network security construction
.
And laid a legal foundation for the subsequent update of the grade protection standards
.

After its establishment in 2018, the National Health Commission has successively adopted various policies to strengthen the importance of data security in the medical and health industry
.
In April 2018, the National Health Commission issued the "National Hospital Information Construction Standards and Specifications (Trial)", which put forward requirements for data center security, terminal security, network security, and disaster recovery backup for hospitals above secondary hospitals
.

In 2018, the National Health and Medical Commission successively issued the "National Health and Medical Big Data Standards, Safety and Service Management Measures (Trial)" and "Internet Hospital Management Measures (Trial)", clearly stipulating the platform that carries the health and medical big data and the Internet.
The hospital's platform must pass the required level of iso-guarantee test
.

As the first standard for health and medical data security, the "Health and Medical Information Security Guidelines" draws on the research of foreign legislation and standards, especially the US HIPPA Act, ISO 27799, NIST800-66 and other standards, which can solve the integration of health and medical data.
Sharing and open applications allow data to serve the interests of individuals and the country while also ensuring the safety of personal information and the needs of the national public interest
.

Beginning in 2020, the implementation of relevant regulations and standards has shown high-intensity characteristics.
From 2020 to the present 18 months, the policy has been issued in a "12 consecutive" period
.

Main policies and standards of health and medical data security in my country

Lu Guanglin, president of Tianpeng Tianyuan Big Data, believes that from the successive policies and regulations, it can be seen that the state attaches great importance to data security in the medical industry
.
Whether from the informatization construction of hospitals and primary medical institutions, or the current development of "Internet + medical health", "medical big data", to the construction of some traditional medical information systems that basically benefit the people and the people, and the first part of the country Basic and comprehensive laws in the field of health care all emphasize the implementation of health and medical network information and data security
.

These policies have played an important role in strengthening the data security and system network security of the medical and health industry, and the security awareness of medical institutions and their practitioners is constantly increasing
.
Taking the implementation of cybersecurity level protection in medical institutions as an example, according to CHIMA's Survey of China's Hospital Informatization Status in 2019-2020, among the 1017 participating hospitals, over 50% of the hospitals have secondary and tertiary network security protection.
Filing system
.

At the same time, according to the arterial network's understanding of the medical staff of several top tertiary hospitals in a certain municipality
.
At present, the hospital has attached great importance to security.
It not only holds regular training and drills on data security, but also protects the channels through which medical staff may leak secrets
.

For example, the USB interface is cancelled on the hardware of the medical staff workstation, and data cannot be copied through mobile storage
.
The authority is strictly controlled, and if data needs to be copied, it needs to be submitted to the higher-level leaders for approval
.
In contrast, military hospitals have stricter safety requirements and have implemented strict controls in the early years
.

Data security is vetoed by one vote, and Equal Guarantee 2.
0 will further strengthen health and medical data security

However, the era of the formulation of Dianbao 1.
0 has been relatively long, resulting in the lack of grade protection specifications for some new technologies and new applications, such as cloud computing and the Internet of Things
.
Secondly, in addition to the traditional five steps, risk assessment, safety monitoring, and notification and early warning work are imperfect
.
Finally, there is an imperfect system of policies, standards, evaluation, technology, and services
.

This makes it gradually difficult to meet the global application of mobile Internet, cloud computing, big data, industrial Internet, artificial intelligence, Internet of Things and other technologies
.

Therefore, relevant agencies have begun to update the existing equivalent guarantee standards
.
In May 2019, the State Administration for Market Supervision and the National Standardization Administration issued the "Basic Requirements for Information Security Technology Network Security Level Protection (GB/T22239-2019)", which began to be implemented in December 2019, marking China’s entry into Equal Guarantee 2.
0 Times
.

The main difference between Equal Insurance 2.
0 and Equal Insurance 1.
0

Compared with Dianbao 1.
0, Dianbao 2.
0’s requirements are more detailed: it includes a wider range of systems, extending from the original basic information network and information system to including network infrastructure, information systems, big data centers, cloud computing platforms, networking, industrial control systems, mobile Internet, smart devices and so on
.

The "Three-Level Hospital Evaluation Standards (2020 Edition)" issued at the end of 2020 implements a "one-vote veto system" for safety
.
In the first part of the pre-requisites, it is mentioned that "a large-scale medical data leak or other major network security incidents have caused serious consequences
.
" The review will be directly postponed for one year
.
During the postponement period, the hospital's original ranking will be cancelled and managed in accordance with "undecided wait"
.
For hospitals, failure to pay attention to safety will cause extremely serious consequences
.

At the same time, the evaluation criteria also put forward the requirements of "implementing the "Network Security Law", implementing the national information security level protection system, and implementing the information system classified management according to the level of protection
.
This is not superfluous
.
In fact, as far as the current situation is concerned, most hospitals only use the minimum pass as the standard for waiting insurance, which violates the original intention of hierarchical protection
.

Earlier we mentioned that in the CHIMA "2019-2020 China Hospital Informationization Status Survey", more than 50% of hospitals have secondary and tertiary network security protection filing systems
.
However, only one of the systems has passed the secondary and tertiary security filing in the majority
.

Regardless of whether it is a tertiary protection filing or a secondary protection filing, the proportion of hospitals with only one system passing the record is the highest, at 21.
34% and 19.
76%, plus the proportion of not passing, which means that the proportion of hospitals with multiple systems passing the filing Only about 30%
.

The status of hospital grade protection filing, the data is from the "2019-2020 China Hospital Informatization Status Survey", arterial network mapping

In accordance with the new requirements, tertiary hospitals should fully implement the national information security grading protection system, and implement the hierarchical management of the information system according to the level of protection
.
If the level of protection is not carried out, or if only a core system is passed through the hospital, the safety work is obviously not perfect
.

On the one hand, some hospitals are to save costs
.
For example, according to Artery Orange News, on July 21, 2021, Maoming Maternal and Child Health Hospital of Guangdong Province initiated a bid for the Equal Guarantee 2.
0 construction project, and its budget reached 2.
0763 million yuan, which is not a sum for most hospitals.
Small number
.

Chen Lei, the solution director of Sangfor Medical Division, said that the construction of waiting insurance requires a certain amount of financial support.
Some hospitals do not provide enough support for the safety business, and the cost approval is relatively tight
.
In addition, it needs to purchase a lot of safety equipment.
After the evaluation, the hospital is not clear whether these equipment really play a safety value
.

On the other hand, some hospitals are also misled by companies, adopting multiple systems to package and merge them into a hospital information system to pass the test
.
This "shortcut" is not desirable
.
First of all, most hospitals' information systems are relatively independent business systems; second, the original intention of waiting insurance is to manage different levels of systems.
For the key protection of the core system, it is obviously inappropriate to integrate all of them into one system
.

Zhu Suishong, director of the Information Department of Huazhong University of Science and Technology Union Shenzhen Hospital, believes that waiting for security is not to deal with inspections, but to strengthen the company's own safety; besides important systems must be protected, different systems should also be managed at different levels
.

Chen Lei, the solution director of Sangfor Medical Business Unit, also believes that the purpose of the promotion of the guarantee evaluation is not to simply pass the guarantee.
It is necessary to build a practical security system: "At present, there are more and more applications of data service types in the construction of smart hospitals.

The definition of the core business system is constantly evolving and changing from basic HIS and EMR, to clinical data centers, scientific research data centers, etc.
From the perspective of safety construction, it tends to be a practical safety system construction, while adapting to industry business changes.
The safe construction of the future is the direction of future development
.
"

Policies still need to be improved, and technology is equally important

On the whole, although the situation of medical and health data security is still relatively severe, with the legislation and standard formulation in recent years, the situation is developing in a controllable direction
.

Of course, under the current system of laws, regulations and standards that have been promulgated, the top-level design of health and medical data security still has problems such as overlaps and gaps, and the detailed rules of the supporting system are not perfect
.

Taking the current hot health and medical big data as an example, Lu Guanglin, President of Tianpeng Tianyuan Big Data, said that the application of big data in health care has risen in recent years, and laws and regulations are still in the process of follow-up.
When there are no clear laws and regulations, they will be based on applicable principles reference standards, such as "personal information protection law", "information security level protection management (tentative)" and so on
.

"At present, some standards and regulations have been formed in the industry, associations, and academic groups
.
For example, the Guangzhou Standards Promotion Association issued the "Guangdong Province Health and Medical Data Desensitization Technical Specifications
.
" I think these standards and specifications will be formed after they are improved through practice.
National standards
.
" He added
.

Chen Lei, solution director of Sangfor Medical Division, also mentioned that at present, the top-level design of data security is not enough at the industry adaptation level
.
The basis of data security is the hierarchical classification of data.
This part is very different from traditional network security and requires very strong technology and industry adaptation and combination
.
From the perspective of each hospital, its use, management, and process of data are inconsistent
.
Therefore, it needs to be more detailed in the detail standard
.

At the same time, security technology will also play a more important role in it and drive the development of the industry
.
The classification of the security field is quite detailed.
According to the scope of product protection, network security products can be divided into endpoint security, boundary security and cloud security
.
Among them, each field has multiple sub-fields
.

According to the definition of the safety cow, safety is subdivided into 14 first-level safety classifications and 106 second-level subdivisions, and there are a total of 347 domestic safety companies
.
These companies are silently protecting our safety on the secret front
.
So, what is the future of the health and medical data security industry? Which emerging products and technologies have better exploration experience in the medical and health industry? Next, Artery Network will continue to pay attention to health and medical data security and launch a series of articles, so stay tuned
.
Readers are also welcome to provide relevant topics and clues
.

Reference

IBM Security: "2020 Data Breach Cost Report"

Verizon: 2021 Data Breach Investigations Report

H3C.
com: "Hospital Equivalence Solution"

Tencent Smart Security: "Special Report on Extortion Virus in the Medical Industry"

National Industrial Information Security Development Research Center: "Data Security White Paper"

Anhua Jinhe and other units: "Data Security Governance White Paper 3.
0"

China Academy of Information and Communications Technology: "Digital Medical Network Security Observation Report"

CHIMA: "Survey on the Informatization Status of Chinese Hospitals in 2019-2020"

Caixin.
com: "Zero Krypton Technology Postpones its U.
S.
IPO Lawyer Calls for Concern for the Protection and Use of Medical Data"

Eleven people in Finance and Economics: "China Enters a New Phase of Online Supervision"

Lei Feng.
com: "The HIS system of a public hospital in Shanghai was hacked and extorted 200 million "ether"

Securityweek.
com: German Hospital Hacked, Patient Taken to Another City Dies

Security Bull: "Panorama of China's Cyber Security Industry (Eighth Edition in March 2021)"

This article is an English version of an article which is originally in the Chinese language on echemi.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to service@echemi.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.