GB/T 39725-2020: Information security technology - Guide for health data security (Status: Valid)

Basic data

| Field | Value |
| --- | --- |
| Standard ID | GB/T 39725-2020 (GB/T39725-2020) |
| Description (Translated English) | Information security technology - Guide for health data security |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.040 |
| Word Count Estimation | 70,757 |
| Date of Issue | 2020-12-14 |
| Date of Implementation | 2021-07-01 |
| Regulation (derived from) | National Standard Announcement No. 28 of 2020 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |

The text below is a draft translation of the standard, provided for illustration; it is not a final translation.
ICS 35.040
L80
National Standards of the People's Republic of China
Information Security Technology - Health and Medical Data Security Guidelines
Released 2020-12-14, implemented 2021-07-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee
Table of contents
Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Security objective
6 Classification system
6.1 Data category scope
6.2 Data classification
6.3 Related role classification
6.4 Circulation usage scenario
6.5 Data open format
7 Use Disclosure Principle
8 Key points of safety measures
8.1 Key points of hierarchical safety measures
8.2 Key points of scenario security measures
8.3 Key points of open security measures
9 Safety Management Guide
9.1 Overview
9.2 Organization
9.3 Process
9.4 Emergency response
10 Safety Technical Guide
10.1 General safety technology
10.2 De-identification
11 Data security in typical scenarios
11.1 Doctor access to data security
11.2 Patient query data security
11.3 Clinical research data security
11.4 Data security for secondary use
11.5 Health sensor data security
11.6 Mobile Application Data Security
11.7 Commercial insurance docking security
11.8 Medical device data security
Appendix A (Informative Appendix) Scope of personal health and medical data
Appendix B (Informative Appendix) Health Information Related Standards
Appendix C (Informative Appendix) Examples of data use management methods
Appendix D (Informative Appendix) Example of data application approval
Appendix E (Informative Appendix) Data Processing Use Agreement Template
Appendix F (Informative Appendix) Health and Medical Data Security Checklist
Appendix G (Informative Appendix) Example of de-identification of health information data elements
References
Information Security Technology - Health and Medical Data Security Guidelines
1 Scope
This standard specifies the security measures that health and medical data controllers can take to protect health and medical data.
This standard is applicable to guiding health and medical data controllers in protecting health and medical data. It may also be used for reference by the competent health and cybersecurity departments, third-party evaluation agencies and other organizations when carrying out security supervision, management and evaluation of health and medical data.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements
GB/T 22081-2016 Information technology - Security techniques - Code of practice for information security controls
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security technology - Terminology
GB/T 31168 Information security technology - Security capability requirements of cloud computing services
GB/T 35273 Information security technology - Personal information security specification
GB/T 35274-2017 Information security technology - Security capability requirements for big data services
GB/T 37964-2019 Information security technology - Guide for de-identifying personal information
ISO 80001 Application of risk management for IT-networks incorporating medical devices
3 Terms and definitions
The terms and definitions defined in GB/T 25069 and the following apply to this document.
3.1
Personal health data
Electronic data that, alone or in combination with other information, can identify a specific natural person or reflect the physical or mental health of a specific natural person.
Note: Personal health and medical data relates to the individual's past, present or future physical or mental health status, the medical services received, and the fees paid for medical services; see Appendix A.
3.2
Health data
Personal health and medical data, and health and medical related electronic data obtained by processing personal health and medical data.
Example: Overall group analysis results, trend forecasts, disease prevention statistics and the like obtained by processing the health and medical data of a group.
3.3
Health service professional
A person authorized by the government or an industry organization to perform specific health and medical duties.
It has the right to revoke the authorization at any time.
d) The subject (or its authorized representative) has the right to access their personal health and medical data or to request its disclosure, and the controller should disclose the corresponding personal health and medical data as requested.
e) The subject has the right to review and obtain a copy of their personal health and medical data, and the controller should provide it, for example through file sharing or online query.
f) When the subject finds that the personal health and medical data held by the controller is inaccurate or incomplete, the controller should provide a way for the subject to request correction or supplementary information.
g) The subject has the right to make historical (backtracking) inquiries into the use or disclosure of their data by the controller or its processors; the shortest backtracking period is six years.
h) The subject has the right to ask the controller to restrict the use or disclosure of their personal health and medical data in the course of diagnosis, treatment, payment, health services and the like, and to restrict the disclosure of information to related persons. The controller is not obliged to agree to such requests, but once it has agreed, it should comply with the agreed restrictions except where the law requires otherwise or in a medical emergency.
i) The controller may use treatment notes for treatment; after necessary de-identification, treatment notes may be used or disclosed for internal training and academic seminars without personal authorization.
j) The controller should formulate and implement reasonable policies and procedures to limit use and disclosure to the minimum.
k) Before allowing a processor to process data, the controller should confirm that the processor's security capabilities meet the security requirements and sign a data processing agreement with it. The processor should process the data in accordance with the controller's requirements and may not bring in a third party to assist with processing without the controller's permission.
l) Before providing data to a third-party controller authorized by the government, the controller should obtain the relevant documents bearing the government's official seal; thereafter, responsibility for the security of the data and of the transmission channel rests with the third-party controller.
m) Once the controller has confirmed the legality, legitimacy and necessity of the data use, confirmed that the user has the corresponding data security capabilities, and the user has signed a data use agreement and undertaken to protect the personal health and medical data in the restricted data set, the user may use the restricted data set for scientific research, medical care business, public health and other purposes. Users may only use the data within the scope of the agreement and bear responsibility for its security. When use is complete, the data should be returned, completely destroyed, or otherwise handled as the controller requires. Without the controller's permission, the user may not disclose the data to a third party.
n) If the controller, by collecting and analyzing personal health and medical data, obtains health and medical related data that cannot identify individuals, that data is no longer personal information, but its use and disclosure should still comply with other relevant national laws and regulations.
o) If the controller needs to provide data overseas for academic research, then after necessary de-identification and after discussion and approval by the Data Security Committee, non-secret and non-important data of no more than 250 items may be provided; otherwise the matter should be submitted to the relevant departments for approval.
p) For data that does not involve state secrets, important data, or other data whose provision abroad is prohibited or restricted, and with the authorization and consent of the subject and the approval of the Data Security Committee, the controller may provide personal health and medical data overseas; the cumulative volume should be kept within 250, otherwise the matter should be submitted to the relevant departments for approval.
q) Controllers should not store health and medical data on servers outside the country, nor host or rent servers outside the country.
r) When the controller develops and uses data in cooperation with external parties, it is advisable to adopt the "data analysis platform" open form so that the use of the data remains strictly controlled.
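Items g) and h) above are the two the controller's own systems have to satisfy mechanically: a use/disclosure history the subject can look back over for at least six years, and agreed restrictions that bind the controller except where the law or a medical emergency overrides them. The following added example (ours, not part of GB/T 39725-2020 or any project's code) shows one way to record such events. The field names, the sample events and the six-year figure applied as 6 x 365 days are assumptions; hash-chaining the entries is our own design choice so that later edits to the history are detectable during audit.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# "The shortest backtracking period is six years" (7 g)); 365-day years assumed.
MIN_LOOKBACK = timedelta(days=6 * 365)


@dataclass(frozen=True)
class Entry:
    seq: int
    at: datetime
    subject: str       # data subject the record concerns
    actor: str         # controller staff member or processor acting for it
    recipient: str
    purpose: str
    elements: tuple    # data elements that were used or disclosed
    prev_hash: str
    entry_hash: str


class RestrictionDenied(Exception):
    """Raised when a disclosure would break a restriction the controller agreed to."""


def _digest(seq, at, subject, actor, recipient, purpose, elements, prev_hash):
    # Chaining each entry to the previous one (our design choice) makes
    # alteration or removal of past entries detectable at audit time.
    payload = json.dumps([seq, at.isoformat(), subject, actor, recipient,
                          purpose, list(elements), prev_hash])
    return hashlib.sha256(payload.encode()).hexdigest()


class DisclosureLedger:
    def __init__(self):
        self.entries = []
        self.restrictions = {}   # subject -> recipients the controller agreed not to disclose to

    def agree_restriction(self, subject, recipient):
        self.restrictions.setdefault(subject, set()).add(recipient)

    def record(self, at, subject, actor, recipient, purpose, elements,
               legal_or_emergency=False):
        # 7 h): an agreed restriction binds the controller except where the
        # law requires disclosure or in a medical emergency.
        if recipient in self.restrictions.get(subject, set()) and not legal_or_emergency:
            raise RestrictionDenied(f"agreed restriction: no disclosure of {subject} to {recipient}")
        prev_hash = self.entries[-1].entry_hash if self.entries else "0" * 64
        seq = len(self.entries)
        entry = Entry(seq, at, subject, actor, recipient, purpose, tuple(elements), prev_hash,
                      _digest(seq, at, subject, actor, recipient, purpose, elements, prev_hash))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev_hash = "0" * 64
        for i, e in enumerate(self.entries):
            expected = _digest(i, e.at, e.subject, e.actor, e.recipient, e.purpose, e.elements, prev_hash)
            if e.seq != i or e.prev_hash != prev_hash or e.entry_hash != expected:
                return False
            prev_hash = e.entry_hash
        return True

    def history(self, subject, now):
        """7 g): the subject's use/disclosure history over the last six years."""
        return [e for e in self.entries if e.subject == subject and e.at >= now - MIN_LOOKBACK]

    def beyond_minimum_retention(self, now):
        """Entries older than the six-year minimum; other laws may still require keeping them."""
        return [e for e in self.entries if now - e.at > MIN_LOOKBACK]


DEMO_NOW = datetime(2024, 1, 1)   # constructed "current" time for the sample run


def build_demo_ledger():
    """Constructed sample events (hypothetical patients and staff), not real data."""
    ledger = DisclosureLedger()
    ledger.record(datetime(2017, 1, 10), "P-001", "dr.li", "internal-treatment", "treatment", ("diagnosis",))
    ledger.record(datetime(2019, 3, 1), "P-001", "processor-A", "insurer-X", "payment", ("visit-date", "fee"))
    ledger.record(datetime(2023, 6, 15), "P-001", "dr.wang", "internal-treatment", "treatment", ("lab-results",))
    ledger.record(datetime(2023, 6, 16), "P-002", "dr.wang", "internal-treatment", "treatment", ("lab-results",))
    ledger.agree_restriction("P-001", "employer-Y")   # a restriction the controller agreed to
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    for e in ledger.history("P-001", DEMO_NOW):
        print(e.at.date(), e.actor, "->", e.recipient, e.purpose, e.elements)
    print("chain intact:", ledger.verify())
```

The subject's query is answered from the same store the controller uses, so an entry older than the six-year minimum drops out of the answer but is only flagged, not deleted; whether it may actually be purged depends on other retention obligations, which the example does not model.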
8 Key points of safety measures
8.1 Key points of hierarchical safety measures
Data can be classified according to its protection needs, and different security protection measures, such as rights management, identity authentication and access control management, can be applied to different levels of data. As an example, the key points of data classification and security measures from the perspective of personal information security risk are shown in Table 3. See 11.1 for data classification and security measures in the doctor reading scenario, and 11.3 for data classification and security measures in clinical research scenarios.
Check and continue to improve.
The controller may refer to Appendix C to establish data use management measures, to Appendix D to review and approve data applications, to Appendix E to sign data processing (use) agreements with processors (users), and to Appendix F to conduct self-examination.
9.2 Organization
It is advisable to establish a complete organizational security system whose structure includes at least a Health and Medical Data Security Committee and a Health and Medical Data Security Work Office, so that health and medical data security management is carried out properly and the corresponding documentary records are formed, including but not limited to the following.
a) Establish a Health and Medical Data Security Committee (the committee), which is fully responsible for health and medical data security work and discusses and decides major matters concerning health and medical data security. The committee should:
1) include the organization's senior management and the person in charge of each business line;
2) cover professionals in information security, ethics, law, statistics, auditing and confidentiality;
3) be chaired by the organization's highest-ranking person in charge;
4) rely on an existing ethics committee, academic council, etc. where one exists, without having to be re-established;
5) coordinate the allocation of the human, material and financial resources needed for health and medical data security, for example by staffing security administrators, security auditors, system administrators, etc. in line with the principle of separation of permissions;
6) be responsible for reviewing the health and medical data security strategy, risk assessment plan, compliance assessment plan, risk treatment plan and emergency response plan;
7) be responsible for reviewing data security rules and regulations (e.g. the data use approval process);
8) be responsible for reviewing de-identification strategies and procedures;
9) hold regular working meetings, recommended at least once a month.
b) Establish a Health and Medical Data Security Work Office and designate a specific person (such as a data security officer) to be responsible for day-to-day health and medical data security work. The office:
1) implements the decisions of the Health and Medical Data Security Committee and reports to the committee;
2) formulates, maintains and updates the health and medical data security strategy, risk assessment plan, compliance assessment plan, risk treatment plan and emergency response plan;
3) establishes, maintains and updates data security rules and regulations;
4) formulates, maintains and updates the data use approval process and the de-identification strategy and process;
5) sorts out business processes and the related health and medical information systems and data, conducts security risk analysis and compliance analysis, and proposes recommendations on health and medical data security;
6) forms and manages the metadata structure so as to form a data and system supply chain structure that matches the business process;
7) is responsible for data security education and training of personnel, ensuring that relevant personnel have the corresponding data security capabilities;
8) conducts a comprehensive self-inspection of health and medical data security at least annually and makes suggestions for rectification;
9) audits the use of health and medical data and adjusts and improves security measures in a timely manner;
10) monitors and issues alerts on the health and medical data security status, and adjusts and improves security measures in a timely manner.
9.3 Process
9.3.1 Planning
The main tasks of the planning stage are as follows, and each task should be documented accordingly.
a) Define the scope of health and medical data security work, determine work goals, and establish work plans;
b) Establish a health and medical data security strategy and notify the whole organization;
c) Establish rules and regulations related to health and medical data security and notify the whole organization;
d) Establish a health and medical data security risk assessment plan and a compliance assessment plan;
e) Sort out health and medical data related businesses and the related systems and data;
f) Identify health and medical data security risks and assess their impact;
g) Identify health and medical data security compliance risk points and assess their impact;
h) Establish a risk treatment plan for the identified risks: matters involving data use and disclosure should be handled in accordance with Chapter 7 "Use Disclosure Requirements"; matters involving network and system security in accordance with GB/T 22081-2016 and GB/T 22239-2019; matters involving the basic security of data services in accordance with GB/T 35274-2017; and matters involving cloud computing security in accordance with GB/T 31168;
i) Review and approve the risk treatment plan;
j) Establish a data security emergency response plan.
9.3.2 Implementation
The main tasks of the implementation phase are as follows, and each task should be documented accordingly.
a) In the course of using and disclosing health and medical data, every link should strictly implement the established data security regulations, security strategy and processes;
b) Implement the risk treatment plan, including the implementation of the selected security measures;
c) Provide appropriate resources, including manpower, material resources and funds, to support the security work;
d) Carry out the necessary information security education and training;
e) Effectively manage and control the information security work carried out and the resources invested in it;
f) Take effective response measures against information security incidents.
9.3.3 Inspection
The main tasks of the inspection phase are as follows, and each task should be documented accordingly.
a) Monitor the work processes related to health and medical data security, such as the implementation of security measures;
b) Regularly review the effectiveness of the risk treatment plan, including evaluating whether the residual risk after implementing the corresponding measures is acceptable;
c) Regularly check whether the use and disclosure of health and medical data meets Chapter 7 "Use Disclosure Requirements";
d) Regularly check whether security technical work and de-identification work have been carried out in accordance with Chapter 10;
e) Incorporate the inspection process into the organization's internal management;
f) Perform self-inspection as appropriate, or engage a third-party agency to conduct the inspection.
9.3.4 Improvement
The main work of the improvement phase is as follows, and each item should be documented accordingly.
a) Improve security measures based on monitoring or inspection results, including taking preventive measures or adjusting business activities that may affect the security of health and medical data;
b) Establish a rectification plan and implement it as planned.
9.4 Emergency response
The main work of emergency response is as follows, and each item should be documented accordingly.
a) Establish an emergency plan covering the conditions for activating it, emergency handling procedures, system recovery procedures, incident reporting procedures, and subsequent education and training. The cybersecurity emergency plan should be reviewed and revised regularly, and emergency drills should be organized at least once a year.
b) Dedicated data security emergency support teams and expert teams should be designated to ensure that security incidents are handled in a timely and effective manner.
c) A disaster recovery plan should be formulated to ensure that the health and medical information system can recover from cybersecurity incidents in a timely manner, and a security incident traceability mechanism should be established.
d) When a data security incident occurs, it should be handled according to the emergency plan; after the incident has been handled, it should be reported in writing to the relevant departments, and the report should include at least an incident description, an analysis of cause and impact, the handling methods and other information.
e) A comprehensive assessment should be carried out based on the security problems found through detection and evaluation, monitoring and early warning, and the results of incident handling; where necessary, risk identification should be carried out again and the security policy updated.
10 Safety Technical Guide
10.1 General safety technology
The controller should carry out data security management in accordance with GB/T 22081-2016, GB/T 22239-2019, GB/T 31168, GB/T 35274-2017 and other standards.
a) The information systems, network facilities and cloud platforms that carry health and medical data should be given the necessary security protection.
b) Data security measures should be implemented for each activity of the data life cycle, including data collection, transmission, storage, processing, exchange and destruction, to reduce security risks and ensure data security.
c) It is advisable to adopt the necessary security measures for data platforms and applications around the characteristics of each stage of the system life cycle (planning, development, deployment, operation and maintenance), establish a secure data management infrastructure, reduce the security risks of operating data platforms and applications, and ensure business continuity.
d) It is advisable to categorize and manage health and medical data, and to formulate and implement reasonable strategies and procedures that limit use and disclosure to the minimum.
e) Security measures such as identity authentication, access control, security audit, intrusion prevention, malicious code prevention, and media usage management should be implemented.
f) Data quality should be ensured to meet business needs, and security measures such as backup and restoration and residual information protection should be implemented.
g) Encryption technology should be used to ensure the integrity, confidentiality and traceability of data during collection, transmission and storage; where data is transported on media, the media should be controlled.
h) When storing personal biometric information, it is advisable to process it with technical measures before storage, for example by storing only a summary (digest) of the personal biometric information.
i) The use of cryptographic technology should meet the relevant requirements of national cryptographic management.
j) The relevant general requirements of important data management, critical information infrastructure security management and other policies should be met.
10.2 De-identification
The controller should carry out de-identification in accordance with GB/T 37964-2019. De-identified data should be used for controlled public sharing or territorial public sharing (an environment under the full control of the controller), and it is advisable to agree on the purpose, method, period and security measures of data use through the data use agreement. The de-identification strategy, process and results should be approved by the Data Security Committee. When data is used for clinical research or pharmaceutical/medical research and development, the relevant requirements are as follows.
a) It is advisable to remove from personal attribute data the information that can uniquely identify an individual or whose disclosure would have a significant impact on the individual, such as: name; ID card/driver's license number; phone number, fax, email; medical insurance number, medical record file number, account; biometric identification information (information irrelevant to the purpose of the application, such as fingerprints, voice, etc.); photos; hobbies, beliefs, etc.
b) Information in personal attribute data that can be indirectly linked to an individual should be processed by generalization, conversion and similar means, for example:
1) Unit, address, zip code and similar information. If the unit information, alone or combined with other information, covers more than 20,000 people, it may be retained. If address information consisting of province (or municipality directly under the central government), city (county), street (township) or similar, alone or combined with other information, covers more than 20,000 people, it may be retained; otherwise the street (township) should be removed so that the combination covers more than 20,000 people. If zip code information, alone or combined with other information, covers more than 20,000 people, it may be retained; otherwise the low-order digits of the zip code should be set to '0' so that more than 20,000 people are covered.
2) Generalize specific ages, for example to an age range: 38 years old can be converted to 30~40 years old, ensuring that more than 20,000 people in the same area meet the same age requirement.
3) Birthdays and all other date information, such as admission time and discharge time, may only be given to the year, or should be processed by time shifting.
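The rules in a) and b) above are concrete enough to implement, and a practitioner will want to see how the 20,000-person threshold drives the generalization choices and how date shifting keeps intervals intact. The following added example (ours, not part of GB/T 39725-2020, GB/T 37964-2019 or any project's code) applies them to one constructed record. The field names, the sample record, the population figures standing in for census data, and the use of a keyed hash to derive a per-patient date offset are all assumptions of this example.

```python
import hashlib
import hmac
from datetime import date, timedelta

POPULATION_THRESHOLD = 20_000   # 10.2 b): a retained combination must cover > 20,000 people

# 10.2 a): attributes removed outright (field names are ours).
DIRECT_IDENTIFIERS = {
    "name", "id_card", "drivers_license", "phone", "fax", "email",
    "insurance_no", "record_no", "account", "fingerprint", "voice", "photo",
    "hobbies", "beliefs",
}

# Constructed population figures standing in for census data.
POPULATION_BY_ADDRESS = {
    ("Guangdong", "Guangzhou", "Tianhe Street"): 15_000,
    ("Guangdong", "Guangzhou"): 18_000_000,
    ("Guangdong", "Shenzhen", "Nanshan Street"): 25_000,
    ("Guangdong", "Shenzhen"): 17_000_000,
}
POPULATION_BY_ZIP = {"510630": 12_000, "510600": 300_000, "518050": 40_000}


def generalize_address(province, city, street):
    """Keep the street only if province+city+street covers > 20,000 people;
    otherwise drop it, and fall back to the province if the city alone does not."""
    if POPULATION_BY_ADDRESS.get((province, city, street), 0) > POPULATION_THRESHOLD:
        return f"{province}/{city}/{street}"
    if POPULATION_BY_ADDRESS.get((province, city), 0) > POPULATION_THRESHOLD:
        return f"{province}/{city}"
    return province


def generalize_zip(zip_code):
    """Set low-order digits to '0', one at a time, until the prefix covers
    > 20,000 people; None means no prefix does, so the field is suppressed."""
    for zeros in range(len(zip_code) + 1):
        candidate = zip_code[: len(zip_code) - zeros] + "0" * zeros
        if POPULATION_BY_ZIP.get(candidate, 0) > POPULATION_THRESHOLD:
            return candidate
    return None


def generalize_age(age, width=10):
    """38 -> '30~40', as in 10.2 b) 2)."""
    low = (age // width) * width
    return f"{low}~{low + width}"


def shift_date(d, patient_key, secret, max_days=180):
    """Time shifting (10.2 b) 3)): every date of one patient moves by the same
    offset, derived from a keyed hash so only the secret holder can reproduce it."""
    mac = hmac.new(secret, patient_key, hashlib.sha256).digest()
    offset = int.from_bytes(mac[:4], "big") % (2 * max_days + 1) - max_days
    return d + timedelta(days=offset)


def deidentify(record, secret):
    key = record["record_no"].encode()           # used only to derive the shift, then dropped
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for k in ("province", "city", "street"):
        out.pop(k, None)
    out["address"] = generalize_address(record["province"], record["city"], record["street"])
    out["zip"] = generalize_zip(record["zip"])
    out["age"] = generalize_age(record["age"])
    out["birth_year"] = out.pop("birthday").year     # birthday reduced to the year
    for field in ("admitted", "discharged"):         # other dates shifted consistently
        out[field] = shift_date(record[field], key, secret)
    return out


SAMPLE_RECORD = {   # constructed, not a real patient
    "name": "Zhang San", "id_card": "000000000000000000", "phone": "13800000000",
    "record_no": "MR-2023-000123", "fingerprint": b"\x00\x01", "hobbies": "chess",
    "province": "Guangdong", "city": "Guangzhou", "street": "Tianhe Street",
    "zip": "510630", "age": 38, "birthday": date(1986, 1, 1),
    "admitted": date(2023, 6, 10), "discharged": date(2023, 6, 15),
    "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, b"demo-secret"))
```

With the constructed figures, Tianhe Street (15,000 people) is dropped while the city is kept, zip 510630 becomes 510600, and the five-day stay survives the shift because both dates move together. In a real deployment the population lookups would come from census data, the shifting secret would live with the de-identification key material the Data Security Committee approves, and the 20,000 check would also have to be applied to the combination of retained fields, not only to each field on its own.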
11.2 Patient query data security
11.2.1 Overview
This scenario covers patients querying their own health and medical data online. The patient plays the main role.
11.2.2 Key safety measures
11.2.2.1 Identification
Patients query their health and medical data through the online system. On first registration they need to associate a real-name mobile phone number and log in with that number and a mobile phone verification code. To accommodate adult children querying information on behalf of elderly parents, the account may be bound to the child's mobile phone (after a scanned copy of the ID card or household register has been uploaded and verified or authenticated by the system back end); cases such as a guardian querying information on behalf of a minor are handled in the same way.
After registration, individuals need to set up an account and password. The system should have c...