Healthcare Data Security: A High-Growth Niche Fueled by 12 Policies in 18 Months

Jul 25, 2021 08:00 CST Updated 08:00

Prior to July 2021, discussions on health and medical data security typically elicited responses such as “this is important,” yet when it came to practical implementation, there was a prevailing sense that it was not particularly urgent. However, several major events that occurred in quick succession during the second half of 2021 are poised to significantly shift this mindset, propelling health and medical data security into the spotlight.


First, on June 10, 2021, the 29th Session of the Standing Committee of the 13th National People’s Congress of China adopted the Data Security Law of the People’s Republic of China, which takes effect on September 1, 2021. This law will serve as a crucial legal foundation for China’s big data strategy and become an important cornerstone in the fields of data security assurance and digital economy development.


Subsequently, the well-known incident involving Didi Chuxing’s U.S. listing triggering regulatory scrutiny occurred, marking the first publicly disclosed cybersecurity review case since the promulgation of the Cybersecurity Review Measures in April 2020. As a result, numerous technology companies that had planned to list in the United States in the near term temporarily suspended their IPO plans.


For instance, LinkDoc Technology, a healthcare technology company that focuses on the oncology sector and provides a big-data platform for cancer patients while serving medical institutions and pharmaceutical companies, announced on July 8 that it had postponed its planned Nasdaq listing in the United States, which was originally scheduled for the following day. Prior to this, on July 1, the company had just updated its prospectus, and on July 6, it formally filed an updated IPO application with the U.S. Securities and Exchange Commission (SEC).


On July 1, nearly coinciding with Didi’s U.S. listing, the “Information Security Technology—Guidelines for Health and Medical Data Security” (GB/T 39725-2020, hereinafter referred to as the “Security Guidelines”) officially came into effect.


The aftershocks triggered by this series of events continue to reverberate. On July 10, the Cyberspace Administration of China (CAC) released the “Measures for Cybersecurity Review (Revised Draft for Public Comment),” which requires operators controlling personal information of more than one million users to file for a cybersecurity review with the Office of the Cybersecurity Review when seeking overseas listings. Furthermore, most of the newly added provisions in the draft aim to mitigate potential risks associated with cross-border data transfers, with a particular emphasis on ensuring the security of data held by relevant market entities pursuing overseas listings.


In recent years, relevant authorities have recognized the hidden risks in health and medical data security and have gradually promoted the development of regulatory standards to improve top-level design. According to statistics from VCBeat, since 2020, relevant authorities have successively issued 12 policies and standards related to health and medical data security, with an intensity that has drawn significant attention. In the foreseeable future, this trend is expected to intensify rather than diminish.


Undoubtedly, as regulatory oversight intensifies, industries including healthcare will reassess data security and adjust its priority in their strategic plans over the coming period. VCBeat (WeChat ID: VCBeat) will also launch a series of articles to analyze current data security issues in healthcare.


Consistently Ranking at the Bottom, Without Exception! The State of Healthcare Data Security Is Far from Optimistic


“The current state of health and medical data security is not optimistic!” Zhu Suisong, Director of the Information Department at Union Shenzhen Hospital of Huazhong University of Science and Technology, believes that with the advancement of informatization in the health and medical field in recent years, as well as the development of new technologies such as 5G, big data, artificial intelligence, and the Internet of Things, the application and openness of health and medical data are gradually deepening. This has also led to increasing security challenges for health and medical data throughout all stages of their lifecycle.


As for what constitutes healthcare data, various departments previously had their own differing interpretations. The newly released “Security Guidelines” provide a clear definition: “including personal healthcare data and healthcare-related electronic data derived from the processing of personal healthcare data.”


“Personal health and medical data” refers to “relevant electronic data that, either alone or in combination with other information, can identify a specific natural person or reflect the physical or mental health of a specific natural person.” “Health and medical-related electronic data derived from the processing of personal health and medical data” includes aggregate population analysis results, trend forecasts, disease prevention and control statistics, and more. In other words, health and medical data are categorized into two aspects: “individual” and “population.”


Overall, health and medical data can be categorized into personal attribute data, health status data, medical application data, medical payment data, health resource data, and public health data.



Screenshot from “Information Security Technology—Guidelines for Health and Medical Data Security”

 

It is evident that health and medical data possess inherent authenticity and privacy. At the micro level, such data encompass individual physical health status and medical consultation records; at the macro level, they include information on disease transmission and regional population health. The security of health and medical data is critical to patient safety, personal information protection, public interest, and national security.


Generally, due to the fundamental professional ethics of healthcare personnel, medical institutions that hold vast amounts of health and medical data do not proactively disclose such information. However, concerns regarding the security of health and medical data are not unfounded. After all, whether in China or abroad, the track record of medical institutions in data security has been lackluster.


According to statistics from Tencent Smart Security’s “Special Report on Ransomware in the Healthcare Industry,” 247 Grade A tertiary hospitals across China detected ransomware during the 2017 WannaCry outbreak. This ransomware can spread in a worm-like manner by exploiting the EternalBlue vulnerability. Consequently, once WannaCry infiltrates the internal network of a healthcare institution, it can rapidly propagate throughout the network.


However, ironically, Microsoft had officially released a patch to fix the EternalBlue vulnerability a full year before the incident occurred.


In February 2018, a hospital in Central China suffered a ransomware attack that forcibly encrypted all data files on its servers, causing the hospital’s information systems to crash and disrupting all clinical and administrative operations. The attackers demanded that the hospital pay a ransom of one Bitcoin per infected endpoint within six hours, equivalent to more than RMB 66,000 per endpoint for decryption. In a similar incident, reports indicated that the information system of a hospital in East China had also been compromised, with the attackers demanding a ransom in Ethereum valued at RMB 200 million.


Of course, the situation abroad is hardly any better. In September 2020, University Hospital Düsseldorf in Germany suffered a ransomware attack that encrypted 30 of its servers and caused the hospital’s information systems to collapse. However, judging by the ransom demands, the hackers actually intended to extort Heinrich Heine University, to which the hospital is affiliated, rather than the hospital itself.


Police immediately contacted the hacker and informed them that their ransom target was a hospital, where lives were at stake, rather than a university. The “conscientious” hacker subsequently withdrew the ransom demand and provided the digital key to decrypt the data. However, the incident had already led to a tragedy: due to the hospital’s system outage, a patient who had been rushed to the facility in critical condition had to be transferred to another hospital in Wuppertal, approximately 32 kilometers away. Owing to the delay in treatment, the unfortunate patient died.


IBM Security’s “Cost of a Data Breach Report 2020” surveyed 17 industries across 17 countries and regions. In 2020, the healthcare industry had the highest average total cost of data breaches, reaching $7.13 million, nearly double the overall average of $3.86 million across all industries.



Average Total Cost of Data Breaches by Industry (in million USD), data from the "Cost of a Data Breach Report 2020," chart by VCBeat



Percentage Change in Average Total Cost by Industry, 2019–2020; Data from the “Cost of a Data Breach Report 2020”; Graphic by VCBeat

 

What is even more embarrassing is that since 2015, the cost of data breaches in the healthcare industry has consistently ranked first. The average total cost in 2020 increased by another 10% compared to the industry’s 2019 level.



Average Time to Detect and Contain Data Breaches by Industry (in Days); Data Source: Cost of a Data Breach Report 2020; Chart by VCBeat

 

The healthcare industry also performed the worst in terms of the average time to detect and contain data breaches, taking an average of 236 days to detect a breach and another 93 days to contain it. In contrast, the financial sector, which performed the best, required a combined total of only 233 days (177 days to detect and 56 days to contain).


In other words, by the time the financial sector has already detected and contained a data breach, the healthcare industry has not even detected one.



Number of Data Breach Incidents by Industry, data sourced from the 2021 DBIR, chart by VCBeat


In Verizon’s “2021 Data Breach Investigations Report” (2021 DBIR), the healthcare industry also performed poorly. The investigation recorded 472 confirmed data breach incidents, ranking among the top three industries for data breaches. In terms of the types of data breaches, 36% were delivery errors, consistent with trends in previous years. Although not malicious in nature, this shows how basic human error continues to plague the industry.


In addition, some medical information breaches have also been reported in the arts and entertainment sectors. Further data analysis suggests that these incidents may be linked to related sports activities. This also indicates that one should not assume non-healthcare institutions are free from holding medical data or exempt from the obligation to protect health-related medical data.


Why Are Healthcare Data Security Risks Increasing Sharply?


So, why does the healthcare industry face such significant risks in data security? The reason is simple: money! According to Verizon’s “2021 Data Breach Investigations Report,” 61% of threats in the healthcare industry originated from external sources, and 91% of breach motivations were financial.


Overall, data risks in the healthcare sector are primarily categorized into data unavailability risks and data breach risks.


First is the risk of data unavailability. Compared with other institutions, hospital information systems are unique in that the vast majority of their data consists of information required for urgent use. If ransomware encrypts this data, rendering it inaccessible, or causes system failures, the impact on operations can be severe—directly disrupting patients’ normal access to medical care and even endangering their lives. Therefore, healthcare organizations typically strive to restore normal operations as quickly as possible, making them more likely to pay the ransom.


Secondly, there is the risk of data breaches. Health and medical data are highly sensitive, encompassing a vast amount of personally identifiable information such as names, addresses, contact details, Social Security numbers, and bank account information. These data can fetch high prices on the black market and may be exploited for identity theft, illegal acquisition of prescription medications, or insurance fraud.


Once the health privacy of public figures is compromised, it can have severe negative impacts on their personal and professional lives. Consequently, such health and medical data often become targets for hackers, who may demand ransoms or sell the information to paparazzi for profit. Just recently, hair transplant photos of a top-tier celebrity singer were leaked and made public, making them the latest victim of health data breaches. This scenario has been recurring in recent years.


Furthermore, the widespread availability of medical data for third-party development and testing increases the risk of personal privacy breaches. In the emerging biotechnology industry, which involves high-value biological data such as national human genetic resources and gene editing, any data leakage would have severe consequences.


Currently, health and medical data security risks centered on hospitals are severe. The industry generally attributes this to the following key factors.


First, hospital information systems are not isolated entities. As the interconnectivity of information systems and the in-depth application and mining of health and medical data advance, hospitals that are insufficiently prepared are facing increasing external security threats, with the risks of hacker intrusions and cyberattacks becoming further exacerbated.


Second, compared with the emphasis on medical quality and safety, hospitals have relatively weak security awareness and imperfect management systems. Most hospitals lack dedicated information security management organizations and comprehensive, standardized management frameworks, which seriously lag behind the pace of informatization development.


For example, most hospitals lack clear demarcation between their internal and external networks and fail to implement adequate network isolation measures. Meanwhile, they have not deployed terminal security management and auditing systems, allowing non-compliant devices to access the internal network at any time. This results in an inability to trace the source of security incidents involving endpoints after they occur.


Third, the security measures of the hospital information system are inadequate. For instance, the core Hospital Information System (HIS) lacks effective security safeguards and audit mechanisms; the hospital’s web portal is missing essential security protections, leaving it vulnerable to SQL injection attacks and drive-by download infections (webpage trojanization).


Fourth, patient information, diagnosis and treatment records, and other health-related medical data in the healthcare industry hold significant commercial value and are increasingly targeted by gray-market illicit networks.


Fifth, hospitals are becoming increasingly reliant on various information systems. For instance, the Hospital Information System (HIS) facilitates comprehensive management of patient flow, material flow, and financial flow across all hospital departments. Every stage of patient care is directly linked to this system; therefore, any failure in core information systems would have far-reaching consequences.


Chen Lei, Director of Solutions for the Healthcare Division at Sangfor Technologies, mentioned in an interview with VCBeat that most healthcare clients are actually unaware of their specific pain points. Currently, there is insufficient understanding and awareness of data security within the healthcare industry. In many cases, hospitals do not even have a clear picture of their actual data assets, let alone their data security status.


Meanwhile, most institutions lack overall planning during construction; many adopt a reactive, event-driven approach to addressing isolated aspects of data security, leaving them constantly scrambling to cope. Furthermore, data security initiatives are heavily influenced by the intensity of regulatory policies. In the current landscape, where policies and promotion efforts have not yet been refined to a sufficient level of industry-specific detail, this also contributes to a "period of uncertainty" in the implementation process.


For this very reason, the health and medical data security situation is becoming increasingly severe and has reached a critical juncture.


Over the Past 18 Months, 12 Consecutive Policy Releases Have Gradually Strengthened Top-Level Planning for Health and Medical Data Security


Data security has long been a priority for the Chinese government. As early as February 1994, the State Council promulgated the Regulations on the Security Protection of Computer Information Systems, marking the first establishment of a nationwide classified protection system for computer information system security.


As the saying goes, “Legislation and standards must precede industry development.” Since entering the 21st century, China has been improving the top-level design for health and medical data security, with significantly intensified efforts in recent years.


In May 2007, the Ministry of Public Security issued the Administrative Measures for Classified Protection of Information Security. Subsequently, the General Administration of Quality Supervision, Inspection and Quarantine and the Standardization Administration of China successively formulated and issued national standards such as the Baseline for Classified Protection of Information System Security (GB/T 22239-2008), marking the formal implementation of the Classified Protection System, commonly known as MLPS 1.0. MLPS 1.0 has been widely applied across various industries and has played a crucial role in advancing informatization in China.


In the healthcare sector, in December 2011, the former Ministry of Health issued the "Guiding Opinions on the Implementation of Classified Protection for Information Security in the Health Industry." It required the health industry to carry out classification work in accordance with the "Guidelines for Grading Information System Security under the Classified Protection Scheme for Information Security Technology," and explicitly stipulated that the security protection level for critical health information systems should, in principle, be no lower than Level 3.


On April 15, 2014, the major strategic concept of “Holistic National Security,” encompassing information security, was first introduced at the inaugural plenary session of the Central National Security Commission. The National Security Law promulgated in 2015 explicitly incorporated data security into the scope of national security. Since then, China has rapidly rolled out policies in the field of health and medical data security.


To align internet security supervision and protection with the technical requirements of the new era, the Cybersecurity Law was enacted in June 2017 as China’s first comprehensive legislation in the field of cybersecurity. By incorporating “cybersecurity” into China’s top-level design through legislative means, the law has established higher standards and requirements for the nation’s cybersecurity development and laid the legal foundation for subsequent updates to the Classified Protection Standards.


Since its establishment in 2018, the National Health Commission (NHC) has continuously strengthened the healthcare industry’s emphasis on data security through various policies. In April 2018, the NHC issued the Standards and Specifications for Hospital Information Construction in China (Trial), which set forth requirements for data center security, endpoint security, network security, and disaster recovery backup for hospitals at Level II and above.


In 2018, the National Health Commission successively issued the “Administrative Measures for Standards, Security, and Services of National Health and Medical Big Data (Trial)” and the “Administrative Measures for Internet Hospitals (Trial),” explicitly stipulating that platforms hosting health and medical big data as well as platforms operating internet hospitals must pass cybersecurity classified protection assessments at the prescribed levels.


As the first standard exclusively dedicated to the security of health and medical data, the “Security Guidelines” draw upon international legislation and standards, particularly the U.S. HIPAA, ISO 27799, and NIST SP 800-66. These guidelines address the integrated sharing and open application of health and medical data, ensuring that while such data serves individual and national interests, personal information security is safeguarded and the needs of the national public interest are met.


Since 2020, relevant regulations and standards have been rolled out at high intensity. Over the 18 months from 2020 to date, 12 policy documents have been issued in succession.



Major Policies and Standards for Health and Medical Data Security in China

 

Lu Guanglin, President of Tianpeng Tianyuan Big Data, believes that the successive introduction of policies and regulations demonstrates the state’s high regard for data security in the healthcare industry. Whether it pertains to the informatization construction of hospitals and primary healthcare institutions, the rapidly developing “Internet + Healthcare” and “medical big data” sectors, or the development of traditional medical information systems designed to benefit and facilitate public access, as well as the implementation of the nation’s first foundational and comprehensive law in the field of health and hygiene, all emphasize the critical importance of effectively implementing cybersecurity and data security measures for health and medical information.


These policies have played a significant role in strengthening data security and enhancing cybersecurity levels within the healthcare industry, leading to continuously improving security awareness among medical institutions and their personnel. Taking the implementation of classified cybersecurity protection in medical institutions as an example, according to the “Survey on Hospital Informatization in China (2019–2020)” conducted by CHIMA, more than 50% of the 1,017 participating hospitals had registered systems for Level 2 and Level 3 cybersecurity protection.


Meanwhile, according to what VCBeat learned from medical staff at several leading Grade A tertiary hospitals in a municipality directly under the central government, hospitals currently place significant emphasis on security. They not only conduct regular training and drills on data security but also implement corresponding safeguards for potential channels through which medical staff might inadvertently disclose confidential information.


For instance, USB ports have been removed from the hardware of healthcare workers’ workstations, preventing data copying via removable storage devices. Access permissions are strictly controlled; any request to duplicate data requires multi-level approval up to senior management. In comparison, military hospitals impose even stricter security requirements and have implemented rigorous controls since earlier years.


Data Security Veto: MLPS 2.0 to Further Strengthen Health and Medical Data Security


However, the Multi-Level Protection Scheme (MLPS) 1.0 was established quite some time ago, resulting in a lack of classification and protection standards for emerging technologies and applications, such as cloud computing and the Internet of Things (IoT). Furthermore, beyond the traditional five-step process, mechanisms for risk assessment, security monitoring, and notification and early warning remain inadequate. Finally, the overall framework encompassing policies, standards, evaluation, technology, and services is still imperfect.


This has made it increasingly difficult for MLPS 1.0 to meet the current landscape characterized by the widespread adoption of mobile internet, cloud computing, big data, industrial internet, artificial intelligence, and the Internet of Things (IoT) on a global scale.


Consequently, relevant authorities began updating the existing Classified Protection standards. In May 2019, the State Administration for Market Regulation and the Standardization Administration of China released the "Information Security Technology—Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019)," which came into effect in December 2019, marking China’s entry into the era of Classified Protection 2.0.



Key Differences Between MLPS 2.0 and MLPS 1.0


Compared with MLPS 1.0, the requirements of MLPS 2.0 are more detailed: the scope of covered systems is broader, expanding from the original basic information networks and information systems to include network infrastructure, information systems, big data centers, cloud computing platforms, the Internet of Things (IoT), industrial control systems, mobile internet, and smart devices.


The "Tertiary Hospital Accreditation Standards (2020 Edition)" released at the end of 2020 implements a "one-vote veto" system for safety. As stated in the prerequisites of Part I, “the occurrence of large-scale medical data breaches or other major cybersecurity incidents resulting in serious consequences” will lead to a direct one-year postponement of the accreditation review. During the postponement period, the hospital’s original accreditation level shall be revoked, and it shall be managed as “unrated.” For hospitals, failing to prioritize security will result in extremely severe consequences.


Meanwhile, the review criteria also stipulate the requirement to “implement the Cybersecurity Law, enforce the national classified protection system for information security, and carry out graded management of information systems in accordance with their protection levels.” This is by no means redundant. In fact, under current circumstances, most hospitals treat compliance with the classified protection system as merely meeting the minimum threshold for approval, thereby contravening the original intent of the classified protection framework.


As previously mentioned, in the CHIMA “2019–2020 Survey on the Status of Hospital Informatics in China,” over 50% of hospitals have filed for Level 2 and Level 3 cybersecurity protection. However, among them, the majority have only one system that has completed filing for both Level 2 and Level 3 classified protection.


For both Level 3 and Level 2 classified protection filings, the highest proportion of hospitals had only one system approved, at 21.34% and 19.76%, respectively. When combined with the proportion of hospitals that failed to pass, this indicates that only about 30% of hospitals had multiple systems successfully filed.



Current Status of Hospital Classified Protection Filing; Data Source: “Survey on the Informatization Status of Chinese Hospitals, 2019–2020”; Graphic by VCBeat


In accordance with the new requirements, tertiary hospitals should fully implement the National Classified Protection System for Information Security and carry out hierarchical management of information systems based on their protection levels. Hospitals that have not undertaken classified protection work, or those that have only passed the classified protection assessment for a single core system, clearly have inadequate cybersecurity measures.


On the one hand, some hospitals aim to cut costs. For instance, according to VCBeat, on July 21, 2021, the Maoming Maternal and Child Health Hospital in Guangdong Province launched a tender for its MLPS 2.0 (Classified Protection 2.0) construction project, with a budget of RMB 2.0763 million, a significant sum for most hospitals.


Chen Lei, Director of Solutions for Sangfor Technologies’ Healthcare Division, stated that achieving compliance with the Multi-Level Protection Scheme (MLPS) requires certain financial support; however, some hospitals provide insufficient backing for cybersecurity initiatives and face tight budget approval processes. Furthermore, while MLPS compliance necessitates the procurement of numerous security devices, hospitals often remain uncertain whether these devices truly deliver their intended security value after assessment.


On the other hand, some hospitals have been misled by vendors into bundling multiple systems into a single Hospital Information System (HIS) to pass compliance testing. This “shortcut” is inadvisable. First, most hospital information systems operate as relatively independent business systems. Second, the original intent of the Multi-Level Protection Scheme (MLPS) is to implement tiered management based on system classification, with focused protection for core systems; consolidating all systems into one is clearly inappropriate.


Zhu Suisong, Director of the Information Department at Union Shenzhen Hospital of Huazhong University of Science and Technology, holds that MLPS (Multi-Level Protection Scheme) compliance is not merely about passing inspections but rather about strengthening an organization’s own cybersecurity. In addition to mandating MLPS certification for critical systems, a tiered management approach should be adopted for different systems.


Chen Lei, Director of Solutions for the Healthcare Division at Sangfor Technologies, also believes that the purpose of advancing MLPS (Multi-Level Protection Scheme) assessments is not merely to achieve compliance. Instead, it is essential to build a security system oriented toward practical, real-world defense. “Currently, data-service-oriented applications are becoming increasingly prevalent in the construction of smart hospitals. The scope of core business systems continues to evolve and expand, from basic Hospital Information Systems (HIS) and Electronic Medical Records (EMR) to Clinical Data Centers and Research Data Centers. From a security perspective, the future direction lies in developing practical, operation-focused security systems that can adapt to changes in industry-specific business operations.”


Policies Still Need Improvement; Technology Is Equally Important


Overall, although the situation regarding medical and health data security remains relatively severe, it is moving in a controllable direction with the legislation and standard-setting efforts in recent years.


Of course, under the currently enacted laws, regulations, and standards framework, the top-level design for health and medical data security still suffers from overlapping jurisdictions and regulatory gaps, as well as insufficiently detailed supporting institutional rules.


Regarding the currently high-profile health and medical big data, Lu Guanglin, President of Tianpeng Tianyuan Big Data, stated that applications of health and medical big data have emerged in recent years, while laws and regulations are still in the process of catching up. In the absence of clear legal and regulatory frameworks, applicable principles serve as reference standards, such as the Personal Information Protection Law and the Administrative Measures for Multi-Level Protection of Information Security (Trial).


“Currently, certain standards and specifications have been established within the industry, associations, and academic communities. For instance, the Guangzhou Standard Promotion Association has released the Technical Specifications for De-identification of Health and Medical Data in Guangdong Province. I believe that these standards and specifications will evolve into national standards after being refined through practical application,” he added.


Chen Lei, Director of Solutions for the Healthcare Business Unit at Sangfor Technologies, also noted that the top-level design for data security currently lacks sufficient industry-specific adaptation. The foundation of data security lies in data classification and grading, which differs significantly from traditional cybersecurity and requires a strong integration of technical capabilities with industry-specific adaptations. From the perspective of individual hospitals, practices regarding data usage, management, and workflows vary considerably. Therefore, detailed standards need to be further refined.


Meanwhile, security technology will play an increasingly important role and drive industry development. The classification within the security sector is highly granular; based on the scope of product protection, cybersecurity products can be categorized into endpoint security, perimeter security, and cloud security. Each of these domains further comprises multiple sub-segments.


According to the definition provided by Anquan Niu, cybersecurity is subdivided into 14 primary categories and 106 secondary subfields, encompassing a total of 347 domestic Chinese security companies. These enterprises quietly safeguard our security on an unseen frontline. So, what are the prospects for the health and medical data security industry? Which emerging products and technologies have demonstrated promising exploration experience within the healthcare sector? Moving forward, VCBeat will continue to focus on health and medical data security and will release a series of articles on this topic—stay tuned. We also welcome readers to provide relevant topics and leads.


References

IBM Security: “Cost of a Data Breach Report 2020”

Verizon: “2021 Data Breach Investigations Report”

H3C.com: "Hospital Classified Protection Solution"

Tencent Smart Security: "Special Report on Ransomware in the Healthcare Industry"

National Industrial Information Security Development Research Center: "White Paper on Data Security"

Anhua Jinhe and Others: "White Paper on Data Security Governance 3.0"

China Academy of Information and Communications Technology: "Cybersecurity Monitoring Report on Digital Healthcare"

CHIMA: “Survey on the Status of Hospital Informatization in China (2019-2020)”

Caixin: “LinkDoc Delays U.S. IPO; Lawyers Urge Attention to Protection and Use of Medical Data”

Caixin Eleven: "China Enters a New Phase of Internet Regulation"

Leiphone: “HIS System of a Public Hospital in Shanghai Hacked, Ransom of 200 Million ‘Ethereum’ Demanded”

Securityweek.com: “German Hospital Hacked, Patient Taken to Another City Dies”

Aqniu: "Panoramic View of China's Cybersecurity Industry (March 2021, 8th Edition)"