If one word were to describe the medical data security industry in 2021, “Year of Rule of Law” would be high on the list.
On July 1, the release of the “Information Security Technology—Guidelines for Health and Medical Data Security” provided healthcare data controllers with a ready-made reference for implementing security measures for health and medical data. On September 1, the Data Security Law and the Regulations on the Security Protection of Critical Information Infrastructure officially came into effect. The Personal Information Protection Law followed suit, officially commencing its protection of personal privacy on November 1.
Even by simply aggregating these policies, we can clearly discern the industry’s direction in the new data era: companies that previously relied on exploiting personal privacy data are facing unprecedentedly stringent regulation, while the tightening of regulatory oversight serves as a direct boon to the broader medical security industry, including data security.
The unique attributes of the healthcare industry make data security protection a “necessity.” As the guardians of healthcare institutions, how do medical security service providers view the opportunities and challenges brought by new regulations?
The intensity of data security policy releases in 2021 indicates that relevant national authorities have recognized the significant risks associated with data security and have implemented improvements at both the top-level design and practical operational levels.
At the top-level design, the Personal Information Protection Law draws on foreign personal information protection legislation represented by the EU’s GDPR and the US’s CCPA. It is a law aimed at establishing a protection system across society as a whole, emphasizing the lawful and compliant use of personal information.
In order to deter lawbreakers, 《The Personal Information Protection Law establishes tiered administrative penalties for illegal processing of personal information, depending on the specific circumstances. Among these,For serious violations, a fine of up to RMB 50 million or 5% of the previous year’s turnover may be imposed, and relevant responsible personnel may be subject to industry bans.
The “Information Security Technology—Security Guidelines for Health and Medical Data,” which officially came into effect on July 1, 2021, is highly practical. It provides detailed provisions on medical data classification, principles for use and disclosure, security measures, security management guidelines, and security technical guidelines. Furthermore, it analyzes data security in eight representative healthcare data application scenarios, highlighting common issues associated with clinical research data, health data, mobile application data, and medical device data. By addressing the integrated sharing and open application of health and medical data, the Guidelines ensure that while data serves individual and national interests, personal information security and the public interest of the state are also safeguarded.
In response to this round of “policy bombardment,”Hu Dahai, Director of Solutions at Meichuang Technology, believes that as the nation vigorously develops the data market and fully unleashes the value of data, the overarching principle is to balance development with security. Therefore, strengthening legislative oversight of data security and imposing stricter regulatory constraints on the market are not intended to completely restrict data circulation; rather, they will better foster the cultivation of the data factor market.
“Under the premise of ensuring secure circulation and protecting personal privacy, the flow of health and medical data can create immense value for society. Data security legislation and regulations, particularly classified and tiered data management, can better promote the open sharing of health and medical data and foster the healthy development of China’s digital economy,” added Hu Dahai.
From the perspective of the full data lifecycle, the following security risks exist for data:

During the data transmission phase, potential data security threats may arise in scenarios such as system data interfaces, third-party operations and maintenance, open sharing of clinical data, intra-hospital data access, and patient-initiated data operations. In the context of system data interface calls, factors such as the uniqueness of data transmitted via interfaces, the integrity of data against tampering during transmission, and the consistency of data between the calling and called parties can all impact data security.
During the data storage phase,Data leaks and misuse have become a major disaster, representing the primary risks currently facing medical data.Medical data, due to its authenticity and immense informational value, has become a highly coveted target for criminals, facing dual threats from insider actors and external hackers.
From Hu Dahai’s perspective, many data security incidents are not new risks; they are fundamentally issues of authorization for medical data use—in other words, a “human” problem.This is precisely what makes the healthcare industry unique. Verizon, a U.S. telecommunications company, once released a Data Breach Investigations Report. The report showed that in data breach incidents across other industries, internal threats accounted for an average of 30%, while external threats reached 70%; only in the healthcare industry did internal threats exceed 60%, far higher than in other sectors.
Insider data breaches are primarily driven by three factors: first, economic incentives, such as tax evasion or fraudulently opening credit lines using stolen information; second, curiosity or entertainment-seeking motives leading to the unauthorized access of celebrities’ and their families’ private information; and third, the mere accessibility of such information.
Chen Lei, Deputy General Manager of the Healthcare Division at Sangfor Technologies, believes that risk monitoring and leak traceability are also critical components in the data sharing process.
First, the risk monitoring phase of the data exchange process must effectively carry out sensitive data discovery, identification of sensitive-related behaviors, visualization of data flows, and security risk monitoring, leveraging technical means to achieve comprehensive visibility and full awareness of the data landscape.
Second, in the process of tracing data leaks, the lack of accountability mechanisms directly impacts data sharing and exchange. The key to accountability lies in traceability technology, whose core is the algorithmic model for leak detection. By leveraging big data analytics and machine learning to analyze the characteristics of leaked data, the system generates similarity matching results for potential leakers, thereby precisely identifying the source of the leak.
The COVID-19 pandemic has compelled the healthcare industry to accelerate its digital transformation and achieve substantive change, including the top-down restructuring of the overall disease control system through the integration of new technologies, the accelerated development of unified medical digitalization platforms, the establishment of smart healthcare empowered by internet technologies, and the further improvement of public health management and emergency response systems across society.
Data is the foundation of user business, and data security is the cornerstone of successful digital transformation in healthcare platforms. There is still a long way to go to achieve robust data security.
First, industry development should be guided by standards.Chen Lei believes that, for the healthcare industry, which is heavily characterized by its sector-specific attributes,The establishment of top-level standards will promote the standardization of data security construction and fundamentally address the challenges of industry-specific data security.
Moreover, the application of data requires hospitals, physicians, patients, administrators, and other stakeholders to implement appropriate management measures. It also calls for software vendors, hardware suppliers, medical device manufacturers, and pharmaceutical suppliers to gradually break down silos, establish unified standards, and jointly work towards unlocking the value of data.
Hu Dahai also pointed out that to achieve the "free" circulation of health and medical data, it is necessary to directly address challenges such as data ownership confirmation and standardized data pricing. Efforts should be accelerated to improve standards related to health and medical data, promote the effective implementation of classified and tiered data management, and enhance security management capabilities across all stages, including data collection, processing, and flow. This will establish robust risk prevention barriers, ensuring that health and medical data can be effectively utilized and deliver value in areas such as health management, "Internet Plus" healthcare, and remote diagnosis and treatment.
Second, implement classified and graded data management ahead of data protection.Chen Lei added that data security is a prerequisite for the effective application of data, and data de-identification constitutes a key area within data security. “HoweverPrior to the protection, application, and invocation of data, it is essential to implement data classification and tiered management.。”
The same applies to healthcare data. By establishing classification and grading standards based on the importance of medical data, it is possible to implement immediate tag-based management upon data generation and apply critical markers to sensitive data, thereby laying the technical foundation for subsequent data de-identification. Fundamentally, medical data de-identification requires a multidimensional approach that integrates medical information, patient information, and other perspectives. Furthermore, by front-loading security capabilities—through measures such as data classification, grading, and tag-based management—a solid foundation is established for downstream processes like data de-identification.
“Traditional tiered classification models rely too heavily on manual labor, and technical challenges such as automated classification need to be addressed,” Chen Lei explained. He highlighted the use of big data technologies for effective data governance, de-identification, and leak tracing, as well as blockchain technologies to enhance intrinsic data security. In the future, the industry must rapidly overcome key challenges related to the integration of emerging technologies (such as AI) and improving the efficiency of data tiered classification.
Third, ensuring data security and reliability, as well as unlocking the value of data, are inseparable from innovation in the field of technology.Hu Dahai believes that to achieve effective data sharing or free flow across various sectors, including healthcare, out-of-hospital health management, drug research and development, and medical insurance payment,Leveraging security technologies such as data masking, data watermarking, and privacy-preserving computation represents some of the more robust technical options currently available.
Data masking involves real-time privacy data shielding for database access by different users and applications, helping healthcare organizations effectively protect critical data assets. Data masking processes are categorized into static masking and dynamic masking.
Data watermarking can directly tag key records of data flow into data attributes, while combining encryption and other methods to protect the tag information within the attributes. This effectively records data-related behaviors and processes, providing the most direct basis for traceability and localization in the event of a data risk incident.
Privacy-preserving computation safeguards the data security of data providers while fully realizing the value of data mining, achieving a state where data is “usable but not visible.” Leveraging this technical characteristic of “data usability without visibility,” and driven by robust demand for integrated data computing, it empowers the trading and circulation of data elements. Meanwhile, in accordance with the requirements of the Data Security Law and the Personal Information Protection Law, timely data security assessments must be conducted during the sharing of health and medical data; cross-border data sharing further requires assessment and approval from relevant regulatory authorities.
Fourth, strengthen internal controls against data leakage at the source.As the saying goes, “Data security relies 30% on technology and 70% on management.” The most vulnerable point of a fortress is not its exterior but its interior, and the same holds true for data security. If the data security awareness of internal personnel is likened to the most critical plank in the “wooden bucket” representing an organization’s cybersecurity, then its length determines the ultimate level of data security the organization can achieve. Healthcare institutions can minimize the harm caused by data breaches by establishing multi-level workflow approval mechanisms, sensitive data leakage monitoring and management systems, and emergency response protocols for data security incidents.
Overall, as the fifth major factor of production following land, labor, capital, and technology, the unique status and value of data are driving industries to re-examine data security issues. However, safeguarding data security is not an overnight endeavor; it requires sustained attention and practice from society as a whole.