GB/T 39725-2020: Information security technology - Guide for health data security
Status: Valid
Basic data
Standard ID: GB/T 39725-2020 (GB/T39725-2020)
Description (translated English): Information security technology - Guide for health data security
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word count estimation: 70,757
Date of issue: 2020-12-14
Date of implementation: 2021-07-01
Regulation (derived from): National Standard Announcement No. 28 of 2020
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology - Guide for health data security
Issued 2020-12-14; implemented 2021-07-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents
Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Security objective
6 Classification system
6.1 Data category scope
6.2 Data classification
6.3 Related role classification
6.4 Circulation usage scenario
6.5 Data open format
7 Use disclosure principle
8 Key points of security measures
8.1 Key points of hierarchical security measures
8.2 Key points of scenario security measures
8.3 Key points of open security measures
9 Security management guide
9.1 Overview
9.2 Organization
9.3 Process
9.4 Emergency response
10 Security technical guide
10.1 General security technology
10.2 De-identification
11 Data security in typical scenarios
11.1 Doctor access data security
11.2 Patient query data security
11.3 Clinical research data security
11.4 Data security for secondary use
11.5 Health sensor data security
11.6 Mobile application data security
11.7 Commercial insurance interface security
11.8 Medical device data security
Appendix A (informative) Scope of personal health and medical data
Appendix B (informative) Health information related standards
Appendix C (informative) Examples of data use management methods
Appendix D (informative) Example of data application approval
Appendix E (informative) Data processing and use agreement template
Appendix F (informative) Health and medical data security checklist
Appendix G (informative) Example of de-identification of health information data elements
References

Information security technology - Guide for health data security

1 Scope
This standard specifies the security measures that health and medical data controllers can take to protect health and medical data.
This standard is applicable for guiding health and medical data controllers in protecting health and medical data. It can also serve as a reference for the competent health and cybersecurity authorities, third-party evaluation agencies and other organizations when they supervise, manage and evaluate health and medical data security.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 22080-2016 Information technology - Security techniques - Information security management system requirements
GB/T 22081-2016 Information technology - Security techniques - Code of practice for information security controls
GB/T 22239-2019 Information security technology - Basic requirements for classified protection of cybersecurity
GB/T 25069 Information security technology - Terminology
GB/T 31168 Information security technology - Security capability requirements for cloud computing services
GB/T 35273 Information security technology - Personal information security specification
GB/T 35274-2017 Information security technology - Security capability requirements for big data services
GB/T 37964-2019 Information security technology - Guidelines for de-identification of personal information
ISO 80001 Application of risk management for IT-networks incorporating medical devices

3 Terms and definitions
The terms and definitions defined in GB/T 25069 and the following apply to this document.
3.1 personal health data
Electronic data that, alone or in combination with other information, can identify a specific natural person or reflect the physical or mental health of a specific natural person.
Note: Personal health and medical data relates to an individual's past, present or future physical or mental health status, the health care services received, and the payment for those services; see Appendix A.
3.2 health data
Personal health and medical data, and health and medical related electronic data obtained by processing personal health and medical data.
Example: The overall group analysis results, trend forecasts, disease prevention statistics and the like obtained by processing the health and medical data of a group.
3.3 health service professional
A person authorized by the government or an industry organization to perform specific health and medical duties.

It has the right to revoke the authorization at any time.
d) The subject (or their authorized representative) has the right to access their personal health and medical data or to request its disclosure, and the controller should disclose the corresponding personal health and medical data as requested.
e) The subject has the right to review and obtain a copy of their personal health and medical data, and the controller should provide it, for example through file sharing or an online query.
f) When the subject finds that the personal health and medical data held by the controller is inaccurate or incomplete, the controller should provide a method for requesting corrections or additional information.
g) The subject has the right to make historical traceability inquiries into the use or disclosure of their data by the controller or its processors; the shortest traceability period is six years.
h) The subject has the right to require the controller to restrict the use or disclosure of their personal health and medical data in diagnosis, treatment, payment, health services and similar processes, and to restrict the disclosure of information to related persons. The controller is not obliged to agree to such restriction requests, but once it has agreed, it should comply with the agreed restrictions except where otherwise required by law or in a medical emergency.
i) The controller can use treatment notes for treatment, and after the necessary de-identification processing can use or disclose treatment notes for internal training and academic seminars without personal authorization.
j) The controller should formulate and implement reasonable policies and procedures to limit use and disclosure to a minimum.
k) The controller should confirm that the processor's security capabilities meet the security requirements and sign a data processing agreement before allowing the processor to process the data; the processor should process the data in accordance with the controller's requirements. Without the controller's permission, the processor cannot bring in a third party to assist in processing the data.
l) Before the controller provides data to a third-party controller authorized by the government, it should obtain the relevant documents bearing the government's official seal; thereafter, responsibility for data security and for the security of the transmission channel is borne by the third-party controller.
m) Once the controller has confirmed the legality, legitimacy and necessity of the data use, has confirmed that the user has the corresponding data security capabilities, and the user has signed a data use agreement and undertaken to protect the personal health and medical data in the restricted data set, the user can use the restricted data set for scientific research, health care business, public health and other purposes. Users can only use the data within the scope of the agreement and bear responsibility for data security. After the use of the data is complete, the data should be returned, completely destroyed, or otherwise handled in accordance with the controller's requirements. Without the controller's permission, the user cannot disclose the data to a third party.
n) If the controller collects and analyzes personal health and medical data and obtains health and medical related data that cannot identify an individual, that data is no longer personal information, but its use and disclosure should still comply with other relevant national laws and regulations.
o) If the controller needs to provide corresponding data overseas for academic research, then after the necessary de-identification processing and after discussion and approval by the Data Security Committee, non-secret and non-important data of up to 250 items can be provided; otherwise it should be submitted to the relevant departments for approval.
p) For data that does not involve state secrets, important data, or other data prohibited or restricted from being provided abroad, with the authorization and consent of the subject and the approval of the Data Security Committee, the controller can provide personal health and medical data overseas, and the cumulative volume of data should be controlled within 250 items; otherwise it should be submitted to the relevant departments for approval.
q) Controllers should not store health and medical data on servers outside the country, and should not host or rent servers outside the country.
r) When the controller cooperates with external parties on the development and utilization of data, it is advisable to adopt the "data analysis platform" open form so that the use of the disclosed data is strictly controlled.

8 Key points of security measures
8.1 Key points of hierarchical security measures
Data can be classified according to data protection needs, and different security protection measures, such as rights management, identity authentication and access control management, can be implemented for different levels of data. For example, Table 3 shows the key points of data classification and security measures from the perspective of personal information security risk. Please refer to 11.1 for details of data classification and security measures in the doctor access scenario, and to 11.3 for details of data classification and security measures in clinical research scenarios.

Check and continue to improve.
The controller can refer to Appendix C to establish data use management measures, to Appendix D to review and approve data applications, to Appendix E to sign a data processing (use) agreement with the processor (user), and to Appendix F to conduct a self-examination.

9.2 Organization
It is advisable to establish a complete organizational security system. The organizational structure should include at least a Health and Medical Data Security Committee and a Health and Medical Data Security Work Office, so that health and medical data security management is done well and the corresponding document records are formed, including but not limited to the following.
a) Establish a health and medical data security committee (the committee) with overall responsibility for health and medical data security work, which discusses and decides major matters concerning health and medical data security. The committee should:
1) include the senior management of the organization and the persons in charge of each business;
2) cover professionals in information security, ethics, law, statistics, auditing and confidentiality;
3) be chaired by the highest person in charge of the organization;
4) be able to rely on an existing ethics committee, academic council or similar body, without having to be re-established;
5) coordinate the allocation of the human, material and financial resources necessary for health and medical data security, for example, following the principle of separation of permissions, appointing security administrators, security auditors, system administrators and so on;
6) be responsible for reviewing the health and medical data security strategy, risk assessment plan, compliance assessment plan, risk treatment plan and emergency response plan;
7) be responsible for reviewing data security related rules and regulations (e.g. the data use approval process);
8) be responsible for reviewing de-identification strategies and procedures;
9) hold regular work meetings; at least once a month is recommended.
b) Establish a health and medical data security work office and designate a specific person (such as a data security officer) to be responsible for daily health and medical data security work. Its responsibilities are as follows:
1) implement the decisions of the Health and Medical Data Security Committee and report to the committee;
2) formulate, maintain and update the health and medical data security strategy, risk assessment plan, compliance assessment plan, risk treatment plan and emergency response plan;
3) establish, maintain and update data security related rules and regulations;
4) formulate, maintain and update the data use approval process, as well as the de-identification strategy and process;
5) sort out business processes and the related health and medical information systems and data, conduct security risk analysis and compliance analysis, and propose recommendations on health and medical data security;
6) form and manage the metadata structure so as to form a data and system supply chain structure that conforms to the business process;
7) carry out data security education and training of personnel to ensure that relevant personnel have the corresponding data security capabilities;
8) conduct a comprehensive self-inspection of health and medical data security at least annually and make suggestions for rectification;
9) audit the use of health and medical data and adjust and improve security measures in a timely manner;
10) monitor and issue alerts on the health and medical data security status, and adjust and improve security measures in a timely manner.

9.3 Process
9.3.1 Planning
The main tasks in the planning stage are as follows, and each task should be documented accordingly.
a) Define the scope of health and medical data security work, determine work goals and establish work plans;
b) Establish a health and medical data security strategy and notify the whole organization;
c) Establish rules and regulations related to health and medical data security and notify the whole organization;
d) Establish a health and medical data security risk assessment plan and a compliance assessment plan;
e) Sort out the businesses related to health and medical data and the related systems and data;
f) Identify health and medical data security risks and assess their impact;
g) Identify health and medical data security compliance risk points and assess their impact;
h) Establish a risk treatment plan for the identified risks: where data use and disclosure is involved, it should be handled in accordance with Chapter 7 "Use Disclosure Requirements"; where network and system security is involved, in accordance with GB/T 22081-2016 and GB/T 22239-2019; where big data service security is involved, in accordance with GB/T 35274-2017; and where cloud computing security is involved, in accordance with GB/T 31168;
i) Review and approve the risk treatment plan;
j) Establish a data security emergency response plan.

9.3.2 Implementation
The main tasks in the implementation phase are as follows, and each task should be documented accordingly.
a) In the process of using and disclosing health and medical data, every link should strictly implement the established data security related regulations, security strategies and processes;
b) Implement the risk treatment plan, including implementing the selected security measures;
c) Provide appropriate resources, including manpower, material resources and funds, to support the security work;
d) Carry out the necessary information security education and training;
e) Effectively manage and control the information security work carried out and the various resources invested in it;
f) Take effective response measures for information security incidents.

9.3.3 Inspection
The main tasks of the inspection phase are as follows, and each task should be documented accordingly.
a) Monitor the work processes related to health and medical data security, such as the implementation of security measures;
b) Regularly review the effectiveness of the risk treatment plan, including evaluating whether the residual risk after implementing the corresponding measures is acceptable;
c) Regularly check whether the use and disclosure of health and medical data meets Chapter 7 "Use Disclosure Requirements";
d) Regularly check whether security technical work and de-identification work have been carried out in accordance with Chapter 10;
e) Incorporate the inspection process into the internal management of the organization;
f) Perform self-inspection as appropriate, or engage a third-party agency to conduct an inspection.

9.3.4 Improvement
The main work in the improvement phase is as follows, and each work item should be documented accordingly.
a) Improve security measures based on monitoring or inspection results, including taking preventive measures or adjusting business activities that may affect the security of health and medical data;
b) Establish a rectification plan and implement it as planned.

9.4 Emergency response
The main work of emergency response is as follows, and each work item should be documented accordingly.
a) Establish an emergency plan, including the conditions for activating the emergency plan, emergency handling procedures, system recovery procedures, incident reporting procedures, and follow-up education and training. The cybersecurity emergency plan should be reviewed and revised regularly, and emergency drills should be organized at least once a year.
b) Dedicated data security emergency support teams and expert teams should be designated to ensure that security incidents are handled in a timely and effective manner.
c) A disaster recovery plan should be formulated to ensure that the health and medical information system can recover from cybersecurity incidents in a timely manner, and a security incident traceability mechanism should be established.
d) After a data security incident occurs, it should be handled according to the emergency plan. After the incident is handled, the incident should be reported in writing to the relevant departments, and the report should at least include the incident description, cause and impact analysis, handling methods and other information.
e) A comprehensive assessment should be carried out based on the security problems found in detection and evaluation, monitoring and early warning, and on the results of the incident handling; where necessary, risk identification should be carried out again and the security policy updated.

10 Security technical guide
10.1 General security technology
The controller should follow GB/T 22081-2016, GB/T 22239-2019, GB/T 31168, GB/T 35274-2017 and other standards to manage data security well.
a) Information systems, network facilities and cloud platforms that carry health and medical data should be provided with the necessary security protection.
......