The health ministry about print and distribute "health industry information security level Protection work instruction opinion "inform the

Health does hair [2011] no. 85

        All provinces, autonomous regions, municipalities directly under the central government health TingJu, xinjiang production and construction corps and the state plan health bureau, directly under the various units, each department authority department bureau people:

        Implementation of the national information security level protection system, regulating and guide national health industry information security level protection work, according to the ministry of public security "about carrying out the information security level protection safety construction work guiding opinions of rectification" (to provide the Ann [2009] no. 1429) requirements, our combined with actual health industry, make the health industry information security level protection work instruction opinion ". Hereby printed and distributed to you, please comply with.

On 29 November 2011

Health industry information security level of protection work of guidance

        Health information security is our country health development of important component. Provide the information security level protection work, to promote the healthy development of health information, guarantee the medical health system reform, and to safeguard the public interests, the social order and national security has important significance. Implementation of the national information security level protection system, regulating and guide national health industry information security level protection work, these guiding opinions are formulated.

        A, work goal

        On the basis of the national information security level protection system, comply with relevant standards, in the health care industry overall information security level protection filing, and grading construction rectification and level assessment, definite information security key, carries out the information security responsibility, set up the information security level protection work long-effect mechanism, improve the health industry information safety protection ability, potential danger found ability, the emergency response ability and for health information provide a reliable guarantee the healthy development, maintain a comprehensive public interests, the social order and national security.

        Two, work principle

        (1) follow standard, key protection. Follow the national information security level protection related standards, combined with the health care industry information system characteristic, priority protection of important health information system, give priority to key information security needs.

        (2) industry guidance, apanage management. Health industry information security level protection work for industry guidance, apanage management. Local health administrative departments at all levels to information security level in accordance with state protection system the request, completes the region health information system security level protection guidance and management work. Health industry units should according to "competent and who is responsible, who who who is responsible for the operation, the requirements of", carries out the information security responsibility.

        (3) synchronous construction, dynamic perfect. In the information system planning design and construction process, synchronous development information security level protection work. For information and information system and the application scope of business types such as changes result in security demand conditions change, should readjust the information system security protection level, perfect security measures.

        Three, working mechanism

        Local health administrative departments at all levels to take local health information security responsibility, information work leading group as a whole organization local health information security level protection work. Health information work leading group is responsible for the national health care industry information security level of protection work coordination, supervision and guidance, and the organization carries out the department authority information security level protection work. Provincial prefecture, the administrative department of health information work leading group responsible for this area health industry information security level of protection work coordination, supervision and guidance, and the organization carries out the unit of information security level protection work.

        The health ministry set up the information security level protection liaison mechanisms, each provincial administrative departments for public health shall set information security level protection liaison. Duty is to implement government liaison information security level protection work related policy and technology standards, to understand the areas of information security level protection work and the overall situation dynamic, to represent the areas and the health ministry and the information security level protection management to daily contact and communication, coordination carries out the areas of information security level protection work.

        The health ministry and the provincial public health administrative department shall respectively established the information technology security expert committee, participate in information system, record review, grading guidance project demonstration, safety consulting, safety inspection technology work. Information technology security experts committee shall include health industry, public security organs and information technology security experts.

        Four, job

        (1) the record grading.

        1. The health industry each unit shall this unit construction and operation of health information system make self-examination, level of contingent to information system, grading, shall, in accordance with the information technology security information system security level protection grading guide "work for grading.

        The national information security level protection system will protect information security are rated category five: the first level for independent protection level, the second for guiding protection level, the third level supervision and protection level, the fourth grade enforcement of protection, the fifth grade control protection. The following important health information system security protection level in principle is not less than the third level:

        (1) health statistics report system, network straight infectious disease report system, health supervision information report system, public health emergencies emergency command information system etc cross national network operation of the provincial information system;

        (2) national, provincial, city level 3 health information platform, and new farming close, health supervision, such as maternity and child care national data center;

        (3) three level of first-class hospital's core business information systems;

        (4) the health ministry website system;

        (5) other through information technology security experts committee assess for the third class above (contain the third grade) information system.

        2. For the third class above worked (including the third grade) health information system shall be subject to the information technology security experts committee demonstration, review.

        3. The health industry each unit in the determination of the information system security protection after grade, for the first level 2 above (contain 2) information system, the public security organ shall be submitted to the territory and the public health administrative department for the record. Spanning provinces nationwide network run by the ministry of public health and grading information system, the ministry of public security report by the ministry of public health record; In all, the application of the branch operation system, the public security organ shall be submitted to the territory for the record.

        (2) construction and the improvement.

        1. To determine the safety protection level has the first level 2 above (contain 2) health information system shall, according to the national information security level protection standard and the information technology security information system security level protection of fundamental requirements "state standards, and carry out security protection status analysis, find potential safety problems and the national information security level and the gap between the protection standards, determine the safety requirements.

        2. According to the information system security protection status analysis results, according to the information technology security information system security level protection basic requirements ", "information technology security information system security level design technology requirements" state standards, and make the information system security level protection construction improvement scheme. The third class above (contain the third grade) health information system security construction improvement scheme shall be subject to the information technology security experts committee demonstration.

        3. The health industry each unit shall, in accordance with the information system security construction improvement scheme, improve safety protection facilities, establish the system of safety management and implement safety management measures, forms the information security technology protection system and information security management system, effectively protect health information system security.

        (3) level evaluation.

        1. The system construction work after the completion of the rectification shall, pursuant to the information security level protection management method "requirement, from the national information security level assessment agency recommended list protection choose level evaluation institutions, for the third class above (contain the third grade) health information system evaluation level.

        2. After passing test, it shall report to public security organs assessment territory and the public health administrative department for the record.

        3. The third class above shall be in every year (including the third grade) health information system evaluation level. For important department 2 information system, we can refer to the above requirements assessment level.

        (4) propaganda training.

        1. The health administrative departments at all levels shall be leading group for information technology advancement region of all kinds of medical and health institutions at various levels level protection policies and standards training, improve each unit of information security management personnel technical ability and the management level.

        2. The health industry each unit shall carry out internal information safety training, improve overall information safety consciousness, the standard information security operation behavior, improve the information security ability.

        (5) the supervision and inspection.

        1. Health information work leading group responsible for supervision inspection medical and health institutions all information security level protection work to carry out the situation, and urged department authority important information system responsibility for carrying out the information security protection unit level.

        2. The health administrative departments at the provincial level leading group for information technology advancement is responsible for supervision inspection in the health industry each unit of information security level protection work to carry out the situation, and to supervise the units in information security level protection work.

        3. The provincial public health administrative department shall be leading group for information technology advancement in the end of each year, to the ministry of information work leading group submitted to the region information system construction of the record, reorganization, grading level and assessment, and work in self-examination.

        Five, the job requirements

        (1) high attention and strengthening leadership. Health industry each unit, more attention must be fully realize the information security level protection work to protect residents health information security, medical and health institutions and social stability of the normal operation of the important significance. Each unit is mainly responsible for the comrades want to overall responsibility, responsible for the responsible men catch, clear responsibilities and tasks, emphasize the key, the information security level protection work as an important agenda and work performance evaluation indicator, level 1 catch level, layer upon layer grasps carries out.

        (2) security funds, strengthen the supervision. Health industry each unit to establish the funds investment mechanism, the information security level protection construction reorganization, the level assessment, information security service, the technical training costs into the information construction budget, and strengthen the supervision of the use of funds.

        (3) strengthen the communication and cooperation. Health administrative departments at all levels shall strengthen the information security level with local protection and management department communication, establish cooperation mechanism, and in the information security level of protection for the record, construction reorganization, grading level evaluation, supervision and inspection of the links such as close cooperation and jointly promote the information security level protection work.