Internet hospitals operate within the internet environment, constantly facing malicious access and attacks from unknown individuals, making it difficult to ensure their own security. In July 2018, the National Health Commission and the National Administration of Traditional Chinese Medicine issued the "Administrative Measures for Internet Hospitals (Trial)," which stated that "the information systems of internet hospitals shall implement Level 3 classified protection of cybersecurity in accordance with relevant national laws, regulations, and provisions." This marked the first time in the healthcare industry that informatization development was tied to security construction, making compliance with the classified protection system a prerequisite for the launch of internet hospitals.
To address the disconnect between cybersecurity infrastructure development and business growth, this paper provides healthcare institutions with a framework for internet hospital cybersecurity planning from a cybersecurity perspective. VCBeat and Neusoft’s Cybersecurity Division jointly released the “Research Report on Security Architecture for Internet Hospitals,” which provides an in-depth analysis of the cybersecurity challenges and opportunities faced by internet hospital network operators, as well as security safeguards and technical standards for internet hospitals, based on the current state of security infrastructure in this sector. This article is an excerpt from the report.

1. As a new entity in the healthcare industry, internet hospitals have just gone through a new construction boom; as of April 30, 2020, a total of 497 internet hospitals had been established across China.
2. The Internet Hospital System comprises three components: the application layer, the support layer, and the platform layer. The application layer delivers services to end-users, the support layer provides the functional modules essential for supporting services, and the platform layer primarily offers infrastructure services. Currently, development of the platform layer lags behind.
3. The implementation of cybersecurity measures in healthcare institutions remains concerning. Only 52.57% of tertiary hospitals have passed the Level 3 Classified Protection assessment, while merely 24.92% of hospitals below the tertiary level have passed the Classified Protection assessment.
4. Level 3 Classified Protection of Cybersecurity serves as the first line of defense for internet hospitals, encompassing five key steps: classification and filing, planning and design, construction and rectification, compliance assessment, and operational management. The ongoing wave of internet hospital development will continue to drive demand for these services.
I. Levels of Internet Hospital Development
1.1 Overview of Internet Hospitals
1.2. Current Status of Internet Hospital Development
II. Overall Technical Architecture of Internet Hospitals
2.1 Internet Hospital Service System
2.2 Internet Hospital System Architecture
III. Cybersecurity Challenges and Opportunities for Internet Hospital Network Operators
3.1 Five Major Challenges Facing Security Construction in Internet Hospitals
3.2 Significant Opportunities Brought by the Security Construction of Internet Hospitals
IV. Security Assurance and Technical Standards for Internet Hospitals
4.1 Hospitals and Enterprises Jointly Assume Responsibilities for Cybersecurity Construction of Internet Hospitals
4.2 Classified Protection Construction Is the First Line of Defense for Internet Hospital Security
4.3 Business Security Is the Cornerstone of Internet Hospital Development
4.4 Cybersecurity Talent Is the Foundation of Cybersecurity in Healthcare Institutions
V. Neusoft NetEye Internet Hospital Security Best Practices
5.1 Leveraging Business Understanding to Support Cybersecurity System Planning for Internet Hospitals
5.2 Integrated Services Facilitate the Implementation of Cybersecurity Construction for Internet Hospitals
5.3 Professional Cybersecurity Products Facilitate the Implementation of Cybersecurity for Internet Hospitals
5.4 Cultivating and Supplying Cybersecurity Talent to Support the Development of Cybersecurity in the Healthcare Industry
Internet hospitals represent a new application of the internet within the healthcare industry. They encompass a variety of health and medical services, including health education, medical information queries, electronic health records, disease risk assessment, online disease consultation, e-prescriptions, remote consultations, and remote treatment and rehabilitation, all delivered via the internet as the carrier and technological means. The internet hospital serves as the carrier and platform for internet-based healthcare. As a new entity in the healthcare industry, the internet hospital was born with the DNA of three major sources of innovation. By leveraging technologies such as the internet, artificial intelligence, and big data, internet hospitals have constructed an entirely new model of medical service delivery. This model empowers healthcare regulators, healthcare institutions, physicians, healthcare enterprises, and patients with new capabilities, reconstructs the healthcare value network, and attempts to resolve the “impossible triangle” of healthcare.
In accordance with relevant national policies, internet hospitals primarily operate under two models: hospital-led internet hospitals and enterprise platform-based internet hospitals. The former is predominantly represented by tertiary Grade A hospitals, which mainly utilize their own physicians to conduct online diagnosis and treatment activities. The latter is represented by digital health companies such as WeDoctor, Haodf Online, and Chunyu Doctor; these platforms rely on offline physical medical institutions and engage physicians registered at their affiliated institutions as well as other medical facilities to provide online diagnosis and treatment services.
As a novel innovation in the healthcare industry, internet hospitals have effectively facilitated the flow of medical resources, empowered primary care capabilities, improved the implementation efficiency of tiered diagnosis and treatment, and alleviated the challenge of imbalanced distribution of medical resources.
Figure 1: Service Standards for Internet Hospitals

Source: VCBeat
Key Advantages of Internet Hospitals:
1) Strengthen the value chain of medical resources and promote the development of tiered diagnosis and treatment.
Transitioning diagnosis and treatment from offline to online settings expands the scope of medical services and business operations, facilitates rational patient flow management, and enables precise matching between doctors and patients. This approach promotes the circulation of high-quality medical resources and enhances hospital brand equity. Meanwhile, it provides technical support and training to primary care physicians, thereby strengthening their capacity for initial diagnosis and treatment at the grassroots level.
2) Facilitate patient access to medical care and reduce healthcare expenditures.
By optimizing medical service processes and breaking through temporal and spatial constraints, time spent on queueing for registration and waiting for consultations can be reduced, thereby improving diagnostic and treatment efficiency. This is particularly beneficial in rural and remote areas, enabling patients to access convenient medical care “at their doorstep” and truly consult renowned specialists without leaving home. Such an approach helps alleviate the contradiction between the uneven distribution of medical resources across regions and the surging demand for healthcare services.
3) Increase physicians' income, broaden channels for multi-site practice, and promote the mobility of physician resources.
This alleviates physicians' work pressure, compensates for the shortage of medical resources, effectively improves physicians' work efficiency, builds physicians' personal brands, and maximizes their professional value.
4) Boost the informatization of hospital construction and accelerate the sharing of medical big data.
By leveraging cloud platforms and mobile smart devices, patient health data and historical medical records are acquired to enable health monitoring and medical record sharing, thereby facilitating the breakdown of information barriers and asymmetry between hospitals.
5) Reduce the likelihood of doctor-patient disputes.
The internet enables full-process traceability, making service delivery more transparent. Strengthening online communication between doctors and patients not only improves the doctor-patient relationship but also expands the hospital’s patient base, generating a positive word-of-mouth effect.
Data as of April 30, 2020. Information on 497 internet hospitals was collected from multiple public sources. Based on the sponsoring entity, internet hospitals are categorized into those led by physical hospitals and those led by enterprises. Among the 497 internet hospitals, 415 are led by physical hospitals, accounting for 83.5%.
Figure 2: Classification of Internet Hospitals by Dominant Model

Source: VCBeat
Given the disparities in medical resources, clinical capabilities, and health informatics infrastructure across China, there are significant variations in the development of internet hospitals among different regions.
Figure 3: Overall Regional Distribution of Internet Hospitals

Source: VCBeat
As shown in the figure above, internet hospitals are currently primarily distributed in the eastern and southern coastal provinces of China. These regions benefit from a concentration of high-quality medical resources, a high level of healthcare informatization, and a solid foundational infrastructure. Notably, provinces such as Shandong, Jiangsu, Anhui, Zhejiang, Fujian, and Guangdong have been designated by the National Health Commission as demonstration provinces for “Internet + Healthcare.” The regions with the highest number of internet hospitals were also among the earliest to explore this industry. Currently, Shandong Province has established 133 internet hospitals.
Figure 4: Types of 497 Internet Hospitals

Source: VCBeat
In terms of the current types of internet hospitals, general hospitals and traditional Chinese medicine (TCM) hospitals dominate, while specialized hospitals exhibit diverse forms. General hospitals, with their comprehensive range of departments, can meet patients' varied medical needs. Although TCM hospitals cannot perform pulse diagnosis online, they are still able to issue online prescriptions. Maternal and child health hospitals, children's hospitals, and obstetrics and gynecology hospitals also account for a significant proportion. Among other specialized hospitals, those focusing on chronic diseases or specialties with strong consumer demand, such as dentistry and ophthalmology, are predominant. These hospitals are capable of meeting patients' multi-level needs, including medical care, health management, and consumer healthcare services.
Figure 6: Establishment of Internet Hospitals Since 2019

Source: VCBeat
It can be seen that the number of newly established entities has shown an overall upward trend, with the first peak occurring in April 2019. Following the release of the “Guiding Opinions on Improving Price Formation and Medical Insurance Reimbursement Policies for ‘Internet Plus’ Healthcare Services” by the National Healthcare Security Administration in August, a second peak was reached in December.
In 2020, the highest number of internet hospitals established in a single month was recorded in February, with 65 new facilities. This likely represents the peak monthly construction volume since the emergence of internet hospitals. February coincided with the height of the COVID-19 pandemic, when urgent needs for epidemic prevention and control drove the rapid development of internet hospitals. During the outbreak, existing internet hospitals swiftly launched online services for fever clinics, follow-up consultations for chronic diseases, and pneumonia-related inquiries. Additionally, numerous new internet hospitals received emergency approval and went live. As the epidemic stabilized, the growth rate of internet hospitals slowed starting in March 2020, returning to pre-pandemic levels by April.
During the pandemic, internet hospitals met the medication needs of a large number of patients with chronic diseases by providing online follow-up consultations, prescription services, and drug delivery, with some services eligible for reimbursement under basic medical insurance. However, the development of internet hospitals should not rely solely on pandemic prevention and control measures. Although the industry effectively conducted user education and cultivated usage habits during this period, it remains uncertain whether the appeal of online consultations to patients will be sustained in the post-pandemic era.
The development of internet hospitals primarily follows two models: one led by medical institutions and the other by enterprises. Due to differences in resources and strategic priorities, the medical institution-led model focuses more on integrating information systems between traditional healthcare facilities and internet hospitals, thereby extending the reach of medical services. In contrast, the enterprise-led model emphasizes connecting internet hospitals with third-party entities, such as pharmacies, pharmaceutical procurement platforms, and commercial insurance providers, to maximize their commercial value. From a holistic perspective, the development of internet hospitals should address current challenges facing the healthcare industry by leveraging internet technologies to resolve some of these issues. Therefore, the construction of an overall service system should achieve at least the following outcomes:
First, drive the transition of healthcare institutions from “medical care” to “health.”
The promulgation of the "Healthy China 2030" Planning Outline marks a shift in China’s healthcare system from a disease-treatment focus to a health-oriented model. Currently, the landscape of medical institutions remains predominantly treatment-centric, with notable deficiencies in the prevention, rehabilitation, and health management of chronic and common diseases. Internet hospitals represent a crucial measure for ensuring supply-side structural reform. Medical institutions need to leverage the internet as a tool to collaborate with third-party service providers, such as pharmaceutical suppliers and pharmacies, to facilitate drug delivery; integrate with payment institutions to enable intelligent online payments; connect with rehabilitation facilities to address patients’ post-operative recovery needs; and incorporate wearable devices for resident health monitoring and management. Through these new methods of resource allocation, internet platforms can achieve more optimized and intelligent consultation processes and service models.
Second, achieve intelligent matching of patient needs with medical resources.
Current smart hospital initiatives are largely driven by the perspective of healthcare institution informatization, aiming to improve diagnostic and treatment efficiency. However, this represents merely informatization, not true intelligence. By leveraging internet hospitals as a foundation and utilizing technologies such as 5G, the Internet of Things (IoT), and “Internet+,” it is possible to achieve intelligent matching between patient needs and medical resources. Only in this way can the hospital management standards accumulated by healthcare institutions be transformed into the foundation for truly smart and intelligent hospitals.
Third, promote the implementation of medical consortiums and medical communities.
By leveraging internet hospitals to connect provincial-level institutions with local clinics, village health stations, and community health service centers, a medical consortium is established. Furthermore, the deployment of advanced medical equipment and imaging diagnostic resources to the grassroots level, coupled with the standardization of service protocols, enhances the diagnostic and treatment capabilities of primary healthcare institutions. This approach aims to retain patients at the primary care level, extend high-quality medical resources to the grassroots, ensure medication accessibility for local residents, implement standardized management and health education, and ultimately minimize healthcare costs.
Figure 7: Internet Hospital Service System

Source: Neusoft Corporation, VCBeat
It can be seen that internet hospitals should constitute a service system encompassing the government, central hospitals, primary healthcare institutions, third-party independent organizations, and insurance companies, providing medical and health management services to residents.
To establish an internet hospital service system, the construction of an internet hospital system should be comprehensive and systematic, primarily encompassing the following two aspects:
Internet Hospital System Development
The Internet Hospital System comprises three components: the application layer, the support layer, and the platform layer.
The application layer provides services to end users, primarily comprising patient apps, physician apps, web browsers, and application services based on WeChat and Alipay.
The support layer provides the functional modules essential for delivering support services, primarily comprising three service tiers: basic services for internet hospitals, value-added services for internet hospitals, and resource-sharing services for internet medical groups, thereby enabling the following functions.
1) Deliver internet hospital services with a core focus on the user experience of both in-hospital and out-of-hospital patients. Leveraging “end-to-end” mobile-enabled services, we aim to enhance patients’ consultation experience, alleviate queue-related burdens, reduce average waiting times, and provide greater access to information on medical resources.
2) Establish an integrated information-sharing diagnostic and treatment service that bridges in-hospital and out-of-hospital settings, as well as online and offline channels; rationally migrate physicians’ diagnostic services, pharmacists’ consultations, and medication review services to online platforms, thereby unleashing diverse medical resources—including clinical, med-tech, and pharmaceutical personnel—to enhance the value and capacity of hospital services and expand their service reach.
3) Establish a shared medical resource service system. Reintegrate and optimize the utilization of cross-institutional diagnostic and treatment resources. Enhance the utilization rate of diagnostic and treatment resources across medical institutions and improve patient access to convenient healthcare services through an open service platform.
The platform layer primarily provides infrastructure services for multi-dimensional applications of internet hospitals, ensures consistency of data between offline and online diagnosis and treatment operations, and offers technical support for the normal operation of internet-based medical services. It mainly includes: self-service platform, appointment scheduling platform, cloud consultation workspace, follow-up service platform, pharmaceutical logistics and distribution platform, health management platform, hospital payment platform, online service platform, medical resource sharing platform, and medical resource collaboration platform, totaling 10 foundational platforms.
Construction of Healthcare Information Integration Platform
The informatization of medical institutions began in the 1990s. After nearly 30 years of development, large-scale medical institutions now have hospital information systems with dozens of functional modules. These information systems were constructed at different stages, with initial efforts focusing solely on data collection rather than data sharing and utilization. As the number of subsystems increased, the interconnections between systems formed a mesh-like structure, resulting in significant data redundancy across different systems. Surveys indicate that while over 70% of hospitals have achieved medical informatization, fewer than 3% have realized intra-hospital data interoperability. To meet the demand for integrating internet hospital services with intranet data, it is essential to consolidate internal information; otherwise, the connections between internal and external network systems will become increasingly complex, exacerbating the mesh-like structure among systems and further blurring the boundaries between internal and external networks. An information integration platform for medical institutions can be built based on technologies such as ESB (Enterprise Service Bus), SOA (Service-Oriented Architecture), and XML to achieve interconnectivity among various subsystems, eliminate information silos, and enable comprehensive data sharing within the hospital’s information systems. Furthermore, leveraging this integration platform to bridge internal and external network data will support the expansion of internet hospital services.
Figure 8: System Architecture of Internet Hospitals

Source: Neusoft Group, VCBeat
Challenge 1: Internet hospitals will further increase the security risks faced by hospitals
Since 2011, China has issued a series of documents, including the Guiding Opinions on Information Security Level Protection in the Health Industry (Wei Ban Fa [2011] No. 85), the Notice on Issuing the Key Points of Core Systems for Medical Quality and Safety (Guo Wei Yi Fa [2018] No. 8), and the Notice on Issuing the Standards and Specifications for Hospital Information Construction Nationwide (Trial), to promote cybersecurity construction in medical institutions with a focus on level protection. Meanwhile, requirements for cybersecurity construction in medical institutions have also been stipulated in various evaluation standards, such as the Grading Evaluation Methods and Standards for Functional Application Levels of Electronic Medical Record Systems (Revised Draft for Comments), the National Medical and Health Information Hospital Information Interconnectivity Standardization Maturity Assessment Scheme (2017 Edition), and the National Medical and Health Information Regional Health Information Interconnectivity Standardization Maturity Assessment Scheme (2017 Edition).
However, the current state of cybersecurity implementation in China’s healthcare institutions remains far from satisfactory. Only 52.57% of tertiary hospitals have passed the Level 3 assessment of the Multi-Level Protection Scheme (MLPS), while merely 24.92% of hospitals below the tertiary level have passed MLPS assessments (including Levels 2 and 3). The majority of healthcare institutions, particularly those below the tertiary level, have yet to initiate cybersecurity multi-level protection initiatives.
Figure 9: Implementation of Hospital Classified Protection

Source: CHIMA “2018-2019” Annual Survey Report on the Status of Hospital Informatization in China
Surveys conducted among the Centers for Disease Control and Prevention, Health Inspection Institutes, Health and Family Planning Commissions, Medical Associations, public hospitals, and private hospitals revealed that healthcare institutions’ inherent cybersecurity protection capabilities remain weak, and they continue to face severe cybersecurity risks. Cybersecurity risks are relatively more severe in regions such as Qinghai Province, Hainan Province, Inner Mongolia Autonomous Region, Tibet Autonomous Region, and Ningxia Hui Autonomous Region, while Shandong Province and Sichuan Province exhibit lower cybersecurity risks.
Internet hospitals operate within the internet environment, constantly facing malicious access and attacks from unknown actors. Furthermore, during the process of connecting with multiple external institutions, malicious traffic can easily infiltrate internet hospital systems, making it difficult to ensure their security. In addition, to meet the demand for interoperability and sharing of medical information between online and offline services in internet hospitals, traditionally relatively closed internal medical information networks are being integrated with the external internet. As internal hospital systems, already interconnected in a mesh-like structure, link up with internet hospitals, the boundary between internal and external networks becomes increasingly blurred. Consequently, the risks of network intrusion and information leakage within internal networks will significantly increase. Given the current inadequacies in cybersecurity protection capabilities among healthcare institutions, they are unable to adequately address the security risks brought about by digitalization, leading to a further escalation in overall cybersecurity risks for these institutions.
Challenge 2: Shortage of Cybersecurity Talent Limits the Effectiveness of Internet Hospital Security Systems
The core principle of cybersecurity construction is “those who manage are responsible.” Entities providing internet-based medical and health services must assume corresponding responsibilities. Therefore, implementing a security responsibility system is a fundamental principle in the development of internet hospitals. Although the responsibilities of third-party platforms are emphasized in the cybersecurity construction of internet hospitals, internet hospitals rely on physical medical institutions, and the primary entity bearing liability remains the physical medical institution. Thus, the key to cybersecurity construction for internet hospitals lies in clarifying the responsibilities borne by physical medical institutions and enterprises under three development models—public medical institution-led, resource integration, and internet enterprise-led—and selecting appropriate cybersecurity measures based on deployment methods such as on-premises and cloud deployments.
Cybersecurity initiatives in the healthcare industry are not nascent; the vast majority of hospitals have already deployed core cybersecurity solutions, such as firewalls and internet access behavior management systems. Therefore, in developing cybersecurity infrastructure for internet hospitals, it is essential to conduct rational security planning and maximize the reuse rate of existing security products. This approach will not only reduce costs but also prevent the operational burden on IT staff caused by redundant products and overlapping management protocols.
Figure 11: Current Status of Hospital Cybersecurity Construction

Source: CHIMA “2018-2019” Annual Survey Report on the Status of Hospital Informatization in China
The vast majority of healthcare service providers, in their push to develop internet hospitals, have adopted a “build it and abandon it” mindset. They fail to take a long-term strategic view to help medical institutions properly plan the network architecture and security systems required for internal-external network connectivity, as well as to address the security risks that will arise from the future development of internet hospitals. Most cybersecurity vendors lack an understanding of hospital operations and tend to approach internet hospital security construction solely from the perspective of cybersecurity professionals. This results in a mismatch between security measures and actual business needs, rendering many cybersecurity controls ineffective or unimplementable.
Based on the above three points, professional cybersecurity talent is key to building cybersecurity for medical institutions, especially after the establishment of internet hospitals. Only professional cybersecurity personnel can help medical institutions reasonably plan for internet hospital cybersecurity. However, according to surveys, more than 50% of tertiary hospitals have only 7–15 staff members in their information centers, while nearly 80% of secondary hospitals have fewer than six. Hospital information centers are responsible for informatization construction as well as the maintenance of application systems and hardware. Under such staffing ratios, the workload of information center personnel is already extremely heavy. In a context where business operations are prioritized over security, the number of personnel truly dedicated to cybersecurity construction within hospital information centers is exceedingly small.
Figure 12: Disparities in the Number of Staff in the Information Departments of Tiered Hospitals

Data Source: CHIMA “2018–2019” Annual Survey Report on the Status of Hospital Informatization in China
By June 2019, the scale of demand for cybersecurity talent in the job market had reached 24.6 times that of January 2016, representing a threefold increase compared to July 2018—a growth rate that can only be described as staggering. Amid an overall shortage of cybersecurity professionals, more practitioners are flocking to first-tier cities such as Beijing and Shanghai, as well as to private enterprises offering higher compensation. Under these circumstances, it is already challenging for healthcare institutions to recruit specialized cybersecurity talent. Furthermore, cybersecurity professionals require extended training periods to gain a thorough understanding of hospital operations. Consequently, healthcare institutions currently struggle to meet the aforementioned demand for cybersecurity talent, ultimately undermining the effectiveness of their cybersecurity infrastructure development.
Challenge 3: Insufficient investment in cybersecurity funds limits the implementation of internet hospital security
In recent years, the healthcare industry has seen significant development in its informatization efforts. However, compared to other sectors such as finance and government, healthcare informatization remains relatively lagging. Core systems like Hospital Information Systems (HIS) and Electronic Medical Records (EMR), patient satisfaction-enhancing solutions such as smart wards, and efficiency-boosting tools for physicians including self-service kiosks, remain critical informatization initiatives that medical institutions urgently need to implement. For the vast majority of medical institutions, particularly hospitals below the tertiary level, funding for informatization primarily comes from fiscal subsidies. These funds are already stretched thin when allocated to systems aimed at improving operational efficiency, leaving negligible resources for cybersecurity construction. Furthermore, according to the 2020 departmental budget released by the National Health Commission, the overall budget for public hospitals is projected to decrease by 40%. Under such financial constraints, it becomes even more challenging to advance cybersecurity initiatives that do not yield direct economic benefits for medical institutions. The primary obstacle to cybersecurity development in healthcare institutions remains the lack of adequate financial support for informatization.
Figure 13: Major Obstacles to Hospital Information Technology Infrastructure Development

Data source: CHIMA “2018–2019” Annual Survey Report on the Status of Hospital Informatics in China
Challenge 4: Urgent Need for Emerging Technologies to Address New Challenges in Hospitals’ Internet Transformation
Online consultations, appointment scheduling, and academic sharing services offered by internet hospitals all require robust system stability as a foundation. Consequently, most medical institutions thoroughly consider application system performance during the initial stages of building their internet hospital platforms. Many even opt to deploy these systems in enterprise-provided cloud environments to facilitate scalable performance expansion. However, regarding network infrastructure, internet hospitals operate within an unpredictable internet environment, akin to navigating complex urban traffic. No one can precisely ascertain traffic conditions or make accurate predictions; choosing the wrong route often results in congestion. To address this challenge, internet hospitals typically enhance network stability by increasing bandwidth or employing dedicated lines and Multiprotocol Label Switching (MPLS). This approach imposes substantial network construction costs on medical institutions. Furthermore, as the scope and content of services provided by internet hospitals continue to expand, scaling up network bandwidth often requires considerable time. Some medical institutions have adopted cloud computing and Software-as-a-Service (SaaS) solutions, which inherently possess internet-native characteristics. Nevertheless, MPLS and other dedicated-line networking and deployment methods hinder their large-scale application in cloud computing and SaaS environments and are entirely incompatible with mobile applications.
The persistent difficulty in securing appointments at key medical institutions has long been a challenge. Measures such as online appointment registration, on-site self-service kiosks, and 24-hour consultation and registration hotlines have significantly alleviated this issue. However, ticket scalpers remain active in outpatient lobbies of medical institutions, illegally reselling appointment slots despite repeated crackdowns. The fundamental purpose of building internet hospitals is to enable online medical consultations. Scalpers exploit others’ identity documents or forge identification information to register for appointments on internet hospital platforms. When appointments are released, they use specialized equipment to swiftly “snap up” and hoard slots, which are then resold. This practice directly undermines the accessibility of internet hospitals for patients, thereby hindering their broader adoption and promotion.
Changes in residents’ lifestyle habits are a gradual process and cannot be achieved overnight. The fundamental driver of internet hospital development is the shift of patients from physical hospitals to internet-based platforms. Therefore, enhancing the usability of information systems, safeguarding residents’ rights and interests, and building public confidence in online medical services are urgent priorities for the current stage of internet hospital development. Failure to address these issues will erode user trust, undermine national efforts to promote the construction of internet hospitals, and ultimately hinder the integrated development of the internet hospital industry.
Challenge 5: Data Breaches Triggered by Data Sharing Will Face Administrative Penalties
Internet hospitals have migrated all diagnosis and treatment-related information, including physician notes, prescriptions, and test results, which were originally circulated within hospital premises, to the internet environment. This has led to more centralized and accessible patient data. Internet hospitals share data with third-party entities such as insurance institutions, pharmaceutical companies, health management centers, and logistics providers, resulting in the circulation of patient data across these organizations. Since patient data involves privacy and personal interests, any leakage not only undermines patients’ trust in internet hospitals but also severely damages the reputation of affiliated physical hospitals, potentially leading to regulatory penalties. As the operators of the internet hospital network, the underlying physical hospitals and enterprises collect and control patient data, bearing the responsibility for data protection. However, due to the complexity of medical data, implementing technical measures such as de-identification and encryption is challenging, and there is a lack of clear standards for hierarchical and classified management, making data security management a significant hurdle in the cybersecurity infrastructure of internet hospitals. In the face of an uncontrollable internet environment and multi-institutional data sharing, risks such as loss of patient identity authentication information, improper data custody by third-party institutions, and cyberattacks on internet hospital systems can all lead to patient data breaches. Clarifying the responsibilities of various parties and defining liability for data breaches further complicates data management. 
From a legislative perspective, China has yet to enact unified laws and regulations for protecting private information; provisions safeguarding patients’ medical information and personal privacy are fragmented and lack substantive legislation, posing significant challenges to the information security of internet healthcare.
In July 2018, the National Health Commission and the National Administration of Traditional Chinese Medicine issued the "Administrative Measures for Internet Hospitals (Trial)," which stipulated that "the information systems of internet hospitals shall implement Level 3 Classified Protection of Cybersecurity in accordance with relevant national laws, regulations, and provisions." This marked the first time in the healthcare industry that informatization development was explicitly linked with security construction, making compliance with the Classified Protection system a prerequisite for the launch of internet hospitals. This approach resolved the longstanding dilemma where business operations preceded security measures. As internet hospitals are built in accordance with the Classified Protection requirements, the level of security protection for hospital external network environments will also be significantly enhanced.
Internet hospitals shift diagnostic and treatment activities, originally conducted within hospital premises, to an online environment, thereby liberating patients and physicians from traditional healthcare delivery models. To facilitate the migration of clinical services to the internet, traditional Hospital Information Systems (HIS) must break away from the erstwhile “siloed” development model and overcome the information “islands” created by the isolation between internal and external networks. Given that internet hospital systems are interconnected with on-premise hospital systems, certain regions have imposed security requirements on the core internal network systems of the physical hospitals establishing internet hospitals, further promoting the enhancement of internal network security within hospitals. For instance, some regions have introduced additional regulations for the establishment of internet hospitals, mandating that the core internal network systems of medical institutions operating internet hospitals comply with Level 3 of the Classified Protection of Cybersecurity (MLPS 2.0) standards.
It is evident that internet hospitals have significantly promoted the overall cybersecurity infrastructure of hospitals. The overall level of cybersecurity in China’s healthcare industry is expected to be comprehensively improved during the development of internet hospitals.
The construction of cybersecurity for internet hospitals requires shared responsibility between medical institutions and enterprises. However, the overall cybersecurity management of internet hospitals must be controlled by the medical institutions themselves. Therefore, in building cybersecurity for internet hospitals, medical institutions should play a guiding role in cybersecurity, combined with high-quality products and services from enterprises. Only through this collaboration can effective implementation be achieved.
In accordance with the principle of “whoever manages is responsible,” regardless of who owns the internet hospital system, as long as the physical medical institution is one of the network operators of the internet hospital (i.e., the internet hospital relies on it for its existence), the physical medical institution shall bear the cybersecurity responsibilities for its internet hospital. In the development of internet hospitals, there are scenarios where enterprises provide infrastructure (e.g., telecom operators providing infrastructure) or supply the internet hospital system (e.g., Ningxia Yinchuan Internet Hospital, Tianjin Weiyi Internet Hospital), or where enterprises directly acquire private hospitals to independently launch internet hospitals (e.g., DXY, Alibaba Health Online Hospital). Therefore, in implementing the Classified Protection of Cybersecurity (MLPS) for internet hospitals, it is essential to emphasize the responsibilities of enterprises. Based on common models of internet hospital development and in accordance with the requirements for Level 3 Classified Protection, this document clarifies the cybersecurity construction responsibilities of both medical institutions and enterprises under different models for achieving Level 3 compliance.
1) Resource Integration Model
The enterprise provides the internet hospital application system, while the physical hospital accesses the internet hospital platform solely through business terminals. Under this model, the enterprise’s platform and application systems providing the internet hospital services must pass the Level 3 Classified Protection of Cybersecurity assessment. The physical hospital shall undertake the following cybersecurity construction tasks based on its specific deployment scenario:
① Cybersecurity Construction Responsibilities for Medical Institutions: Including security of business terminals for internet hospitals, security of interactions between internet hospitals and core intranet systems, and communication security between business terminals and internet hospitals.
② Corporate Cybersecurity Construction Responsibilities: The enterprise’s construction of a cloud computing platform encompasses facilities, hardware, the resource abstraction control layer, virtualized computing resources, software platforms, and application software. The enterprise bears full responsibility for all security infrastructure on the cloud platform side and shall implement Level 3 Classified Protection of Cybersecurity in accordance with the SaaS model.
2) Healthcare Institution-Led Model
① Leveraging infrastructure provided by third-party institutions: including the physical environment of medical institutions and cloud platforms
② Utilizing the existing server rooms of medical institutions: including responsibilities for cybersecurity construction in medical institutions
All security construction components in the compliance framework of internet hospitals shall be borne by the physical hospital. Implementation must adhere to the Level 3 protection requirements specified in the General Requirements section of GB/T 22239-2019 Information Security Technology—Baseline for Classified Protection of Cybersecurity. This includes technical aspects such as secure physical environment, secure communication network, secure zone boundary, secure computing environment, and security management center, as well as managerial aspects such as the security management organization.
3) Internet Company-Led Model
Under the internet enterprise-led model, physical medical institutions responsible for operating internet hospitals—including those acquired by internet enterprises or public medical institutions serving as their hosts—must implement Level 3 Classified Protection of Cybersecurity. Specific implementation measures may refer to those under the resource integration model. In contrast, medical institutions that merely connect to the internet hospital platform act solely as users of the internet hospital system and do not assume operational responsibilities; therefore, they are not required to comply with Level 3 Classified Protection requirements.
Clarify the Timeline for the Construction of Classified Protection for Internet Hospitals
The construction of the Multi-Level Protection Scheme (MLPS) involves five key steps: classification and filing, planning and design, implementation and rectification, MLPS assessment, and operational management. These steps encompass a series of tasks, including the preparation and submission of classification documentation, cybersecurity surveys and planning, bidding processes, and the preparation and approval of MLPS assessment materials. Notably, the "Regulations on Cybersecurity Multi-Level Protection (Draft for Comments)" has shortened the review period for classification and filing materials from the original 30 working days to within 10 working days. However, due to the extensive scope of work involved in MLPS construction, it still requires at least one to three months to complete. Therefore, to avoid delays in the launch of internet hospitals caused by MLPS construction, related work should commence during the project initiation phase and proceed synchronously with the development of the internet hospital’s information system. Hospitals with limited information center staff and a weak foundation in cybersecurity infrastructure should, at a minimum, complete the classification and filing process in advance.
Figure 14: Schematic Diagram of the Steps for Classified Protection Construction

Source: Neusoft Group, VCBeat
Building a Robust Security Defense for Classified Protection Through a Risk-Centric Approach
Conduct risk assessment for the internet hospital environment in accordance with GB/T 20984—2007 Information Security Technology—Specification for Information Security Risk Assessment. Strengthen the security of the internet hospital by focusing on key risks. First, enhance technical protection at network boundaries by implementing basic security measures such as boundary access control, intrusion prevention, and virus detection to ensure there are no new blind spots at internet boundaries. Second, strengthen data security technical protections by employing technologies such as data loss prevention, database auditing, and data masking to ensure the confidentiality and integrity of medical data during storage, extraction, analysis, and dissemination. Additionally, clear definitions of access control permissions for medical data at different stages must be established.
Figure 15: Construction of Security Defense Lines for Classified Protection

Internet hospitals can implement protective measures from both technical and managerial perspectives, based on the security risks they face, to improve their cybersecurity protection systems.
1) Technical Measures
① Measures Corresponding to the Technical Requirements of the General Provisions for Classified Protection
Table 1: Corresponding Measures for the Technical Requirements of the Classified Protection General Requirements

② Technical Measures Corresponding to the Extended Requirements for Classified Protection of Cloud Computing
Table 2: Technical Measures Corresponding to the Cloud Extension Requirements of Classified Protection

2) Management Measures
Currently, the management measures required in the construction of hospital classified protection are mostly generic policies, without differentiation based on the criticality of systems. Therefore, for physical medical institutions that have completed the classified protection construction for their core intranet systems, all management policies can be fully reused. For physical medical institutions that have not yet undergone classified protection construction, although under different implementation models the management policies need only focus on the responsibilities borne by the physical hospital, due to the interrelated nature of these management policies, it is difficult to clearly delineate them. Hence, it is advisable for physical hospitals to implement management policies in accordance with the requirements specified in the classified protection management framework.
Table 3: Requirements for Classified Protection Management

The Multi-Level Protection Scheme (MLPS) is the fundamental standard for China’s non-classified domains. It constitutes a systematic framework that offers greater guidance and comprehensiveness. However, due to its emphasis on universal applicability, the MLPS did not initially account for security risks specific to particular industries or specialized scenarios. Therefore, cybersecurity development for internet hospitals must build upon MLPS compliance by identifying security risks from a business perspective. On the basis of establishing a comprehensive security protection system, additional safeguards tailored to internet hospital operations should be implemented. Only by addressing the concerns of medical institutions, residents, and third-party entities involved in the development of internet hospitals can we ensure the stable and smooth operation of internet hospital services.
Minimizing the Impact of Internet Hospitals on Intranet Security
Amidst a complex threat landscape, 60% of cybersecurity incidents in the healthcare industry stem from the same misconception: that isolation equates to security. In light of the interaction requirements between internet hospitals and core intranet systems, mere isolation is no longer sufficient to safeguard hospital systems. Security for interactions between the intranet and the internet should be implemented from the following two aspects:
1) Reduce External Risks
The key to minimizing the impact of internet hospitals on intranet security is to map out the connection points between the internet hospital and the intranet. By keeping these connection points within a secure scope, the security of the medical institution's intranet can be significantly enhanced. At present, it still takes time to establish a hospital integration information platform; therefore, the current interaction between internet hospitals and core in-hospital systems is still implemented by deploying front-end processors, which serve as bridges connecting the internal and external networks. Furthermore, some business terminals in medical institutions are not isolated between the internal and external networks, allowing certain business terminals to access both the internet hospital and the intranet.
Therefore, efforts to mitigate the impact of internet hospitals on intranet security should primarily focus on two aspects: front-end processors and business terminals. First, the security of front-end processors and business terminals must be ensured through measures such as host hardening and virus detection. Second, since the interaction between front-end processors and the intranet involves data transmission, it is essential to strengthen traffic security protection. Based on business transmission requirements, data ferrying should be implemented using unidirectional or bidirectional network gap devices (data diodes), while viruses are filtered through equipment such as anti-virus gateways. The interaction between business terminals and the intranet mainly involves access behaviors, and it is a security aspect often overlooked by medical institutions. In 2018, when medical institutions were attacked by ransomware, the vast majority of cases began with terminal devices being compromised first, followed by attacks launched against systems via open ports. Therefore, the ports that core intranet systems expose to the internet and to business terminals should be restricted, and high-risk ports such as port 445 should be closed.
2) Enhance Self-Protection Capabilities
As internet hospital services continue to expand, the boundary between intranets and the public internet is becoming increasingly blurred. Point-specific security measures can only provide temporary solutions. It is essential to implement classified protection for core hospital systems, establish a comprehensive intranet security framework, and comprehensively enhance the security capabilities of these core systems.
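The port restriction described under "Reduce External Risks" can be checked against the rule set that sits in front of the core intranet. The following is an added example, not part of the original report: the zone names, the rule format, port 8443 as the front-end processor interface, and the high-risk ports other than 445 are assumptions made for illustration. It evaluates the rules in first-match order, which exposes a deny rule for port 445 that is shadowed by an earlier broad allow.

```python
# Port 445 is named in the report; 135, 139 and 3389 are assumed additions.
HIGH_RISK_PORTS = {135: "MS-RPC", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}
UNTRUSTED_ZONES = ("internet", "front-end", "terminal")  # assumed zone names
CORE = "core-intranet"


def parse_ports(spec):
    """Turn 'any', '443', '80,443' or '1-1024' into a list of (low, high)."""
    if spec == "any":
        return [(1, 65535)]
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def matches(rule, src, dst, port):
    return (rule["src"] in (src, "any")
            and rule["dst"] in (dst, "any")
            and any(lo <= port <= hi for lo, hi in parse_ports(rule["ports"])))


def decide(rules, src, dst, port):
    """First matching rule wins; no match means deny. Returns (action, index)."""
    for index, rule in enumerate(rules):
        if matches(rule, src, dst, port):
            return rule["action"], index
    return "deny", None


def audit(rules):
    """List every high-risk port on the core intranet reachable from outside it."""
    findings = []
    for src in UNTRUSTED_ZONES:
        for port, name in sorted(HIGH_RISK_PORTS.items()):
            action, index = decide(rules, src, CORE, port)
            if action == "allow":
                findings.append((src, port, name, index))
    return findings


# Constructed rule set: the deny for 445 comes too late to protect terminals.
WEAK_RULES = [
    {"src": "front-end", "dst": CORE, "ports": "8443", "action": "allow"},
    {"src": "terminal", "dst": CORE, "ports": "1-1024", "action": "allow"},
    {"src": "any", "dst": CORE, "ports": "445", "action": "deny"},
]

# Constructed corrected set: high-risk ports denied first, then narrow allows.
HARDENED_RULES = [
    {"src": "any", "dst": CORE, "ports": "135,139,445,3389", "action": "deny"},
    {"src": "front-end", "dst": CORE, "ports": "8443", "action": "allow"},
    {"src": "terminal", "dst": CORE, "ports": "443", "action": "allow"},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label)
        for src, port, name, index in audit(rules):
            print(f"  {src} -> {CORE} port {port} ({name}) allowed by rule {index}")
```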
Ensure the Availability of the Internet Hospital for Users
1) Combining Multiple Technologies to Address the Long-Standing Issue of “Scalpers Snatching Appointments” in Healthcare Institutions
The root cause of “scalpers snatching appointment slots” lies in the severe inequity in the distribution of medical resources in China. Currently, healthcare institutions are attempting to address this issue primarily through measures such as implementing tiered diagnosis and treatment systems and improving hospital operational efficiency. However, comprehensive progress will still require considerable time. As people’s quality of life improves, the gap between the medical resources available at large hospitals and patient demand will become increasingly pronounced. Therefore, while expanding medical resources, healthcare institutions are effectively combating “scalper slot-snatching” by employing technical measures such as randomized release of appointment slots, strengthening CAPTCHA complexity, and designing behavioral recognition systems.
Random Release of Appointment Slots refers to the practice where appointment slots cancelled by patients are not immediately returned to the resource pool. Instead, they are released back into the pool after a random time interval through specific technical measures, making them available for other patients to book. This randomized release mechanism prevents scalpers from easily rebooking cancelled slots using their buyers’ accounts, thereby significantly increasing the success rate of legitimate patient appointments. However, randomly released slots are not always secured by patients who genuinely need them; conversely, scalpers may exploit automated scripts to continuously monitor slot availability, thereby imposing additional load on website servers.
Strengthen CAPTCHA security by increasing its length to at least eight characters and applying distortion and noise interference. Chinese characters may be incorporated when necessary to prevent automated bots from recognizing the CAPTCHA, thereby forcing manual identification and input. However, overly complex CAPTCHAs undoubtedly increase the difficulty of online appointment registration for elderly users or those unfamiliar with internet operations.
Under the online appointment system, ticket scalpers primarily exploit loopholes such as appointment cancellations, account binding, and slot-snatching mechanisms to secure appointments through technical means. In response, hospital administration and IT departments have developed countermeasures that leverage big data technologies to identify normal user behavior and block or restrict anomalous activities across dimensions such as single-account management, appointment slot allocation, and cancellation management. For instance, limits are imposed on the number of appointments a single user can make within a specified time frame. However, the accuracy of machine learning models directly affects the precision of these blocking and restriction measures. Unusual but legitimate actions by individual users—such as repeated booking attempts due to unfamiliarity with online procedures—may inadvertently be flagged and blocked.
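The randomized release of cancelled slots and the per-account limits described above can be combined in one booking component. The following is an added example, not code from the report or from any hospital system: the class name, the delay bounds, the limits and the slot and account names are all assumptions. Repeated cancellations are flagged for review rather than blocked outright, reflecting the report's caveat that unusual but legitimate users can be caught by such rules.

```python
import heapq
import secrets
from collections import defaultdict, deque


class AppointmentPool:
    """Appointment slots with delayed random re-release and per-account limits."""

    def __init__(self, slots, min_delay=60, max_delay=1800,
                 max_bookings=2, max_cancels=1, window=86400, rng=None):
        self.available = set(slots)
        self.booked = {}                       # slot -> owning account
        self.pending = []                      # min-heap of (release_time, slot)
        self.min_delay, self.max_delay = min_delay, max_delay
        self.max_bookings, self.max_cancels = max_bookings, max_cancels
        self.window = window                   # seconds covered by the limits
        # OS-backed CSPRNG: a watcher cannot predict the next release time
        self.rng = rng or secrets.SystemRandom()
        self.book_log = defaultdict(deque)     # account -> booking times
        self.cancel_log = defaultdict(deque)   # account -> cancellation times

    def _recent(self, log, account, now):
        """Count the account's events inside the sliding window."""
        events = log[account]
        while events and events[0] <= now - self.window:
            events.popleft()
        return len(events)

    def release_due(self, now):
        """Return cancelled slots to the pool once their random delay elapsed."""
        released = []
        while self.pending and self.pending[0][0] <= now:
            _, slot = heapq.heappop(self.pending)
            self.available.add(slot)
            released.append(slot)
        return released

    def book(self, account, slot, now):
        self.release_due(now)
        if self._recent(self.book_log, account, now) >= self.max_bookings:
            return "blocked: booking limit"
        if slot not in self.available:
            return "unavailable"
        self.available.remove(slot)
        self.booked[slot] = account
        self.book_log[account].append(now)
        return "booked"

    def cancel(self, account, slot, now):
        if self.booked.get(slot) != account:
            return "not owner"
        del self.booked[slot]
        # The slot does not return to the pool now, only after a random delay
        delay = self.rng.randint(self.min_delay, self.max_delay)
        heapq.heappush(self.pending, (now + delay, slot))
        self.cancel_log[account].append(now)
        if self._recent(self.cancel_log, account, now) > self.max_cancels:
            return "cancelled: account flagged for review"
        return "cancelled"


if __name__ == "__main__":
    pool = AppointmentPool(["dr-0900", "dr-0930", "dr-1000"])  # constructed slots
    print(pool.book("acct-A", "dr-0900", now=0))
    print(pool.cancel("acct-A", "dr-0900", now=10))
    print(pool.book("acct-B", "dr-0900", now=11))         # still held back
    print(pool.book("acct-B", "dr-0900", now=10 + 1800))  # delay has elapsed
```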
2) SD-WAN Provides Technical Support for the Business Continuity of Internet Hospitals
Wide Area Networks (WANs) are characterized by significant fluctuations and high randomness in network status. With the rapid development of the internet hospital ecosystem, the volume of various internet hospital services is set to increase substantially, leading to continuous expansion in service offerings and connectivity boundaries. Critical business operations require the selection of reliable transmission paths to minimize latency and packet loss rates. By leveraging SD-WAN, internet hospital services can achieve differentiated levels of Quality of Service (QoS) over the WAN, enabling on-demand allocation of network resources, elastic networking, as well as network slicing and layering. Given the ongoing evolution of internet hospital operations, the diversity of these services underscores the critical importance of SD-WAN technology in the construction and development of internet hospitals.
SD-WAN is Internet-based; although it features intelligent scheduling across multiple points of presence (POPs), there remains a risk of packet loss or increased latency during peak hours. Therefore, replacing dedicated leased lines with SD-WAN still carries certain risks. However, the Administrative Measures for Internet Hospitals stipulate that an internet hospital’s network must be served by at least two broadband network providers, thereby addressing this issue. Meanwhile, SD-WAN enhances scenarios such as intelligent load balancing and seamless failover, making network disaster recovery for internet hospitals more automated.
Addressing Personal Health Data Security Issues
The security protection of internet hospitals fundamentally centers on safeguarding data, particularly sensitive information involving patient privacy and critical details such as laboratory test results and physicians’ notes. Therefore, it is essential to strengthen the construction of information security systems for internet hospitals to ensure data security and prevent the leakage of medical and health data. Currently, internet hospitals in China are in the early stages of development. While ensuring the privacy and security of medical information, we should adhere to the principle of encouraging development and seek a balance between “privacy protection” and “open utilization” while sharing data. It is recommended to build an information security assurance system for internet hospitals from two dimensions: institutional frameworks and information technology.
1) Institutional Development
It is necessary to establish information security standards for internet hospitals and a tiered classification review system for medical data, thereby regulating the entire lifecycle of medical data, including its collection, transmission, storage, application, and transfer. The classification of medical data should be based on the level of importance and risk, as well as the potential harm and impact on the subjects of personal health and medical data. According to the "Guidelines for Health and Medical Data Security," health and medical data can be categorized into personal attribute data, health status data, medical application data, medical payment data, health resource data, and public health data.
2) IT Support
Data Transmission: Comprehensively utilize technologies such as identity authentication and transmission encryption to ensure the security of data transmission.
Data Storage: Use technical measures such as data auditing, data encryption, authorization management, access control, and identity authentication to provide security assessment, real-time monitoring, proactive defense, and comprehensive auditing across five dimensions, ensuring data storage security and preventing the leakage of patients' private data.
Data Sharing: Reference may be made to the "Information Security Technology—Guidelines for De-identification of Personal Information" to de-identify shared data. De-identified data applied in controlled public sharing or domain-specific public sharing (environments under the complete control of the controller) should be governed by data use agreements that specify the purpose, method, duration, security safeguards, and other relevant terms. The de-identification strategy should be implemented from the perspective of ensuring no harm to individuals, thereby addressing the balance between data usability and data security.
Table 4: De-identification of Shared Data

Source: Guidelines for Health and Medical Data Security
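The de-identification step for shared data can be sketched as follows. This is an added example, not taken from the report or from the cited guidelines: the field names, the per-recipient key, the ten-year age bands, the choice of quasi-identifiers and the k threshold are assumptions, and the records are constructed. It suppresses direct identifiers, replaces the patient ID with a keyed pseudonym, generalizes birth date and address, and withholds any row whose quasi-identifier combination is shared by fewer than k rows, which is where usability is traded against security.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Field roles are assumptions for this example, not taken from Table 4.
DROPPED = ("name", "phone", "id_number", "patient_id", "birth_date", "address")
QUASI_IDENTIFIERS = ("age_band", "sex", "region")


def pseudonym(patient_id, key):
    """Keyed pseudonym: stable for one recipient, unlinkable without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(birth, today, width=10):
    """Generalize a birth date to an age range such as '30-39'."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    age = today.year - birth.year - (0 if had_birthday else 1)
    low = age // width * width
    return f"{low}-{low + width - 1}"


def deidentify(record, key, today):
    """Suppress direct identifiers and generalize the quasi-identifiers."""
    out = {k: v for k, v in record.items() if k not in DROPPED}
    out["pid"] = pseudonym(record["patient_id"], key)
    out["age_band"] = age_band(record["birth_date"], today)
    out["region"] = record["address"].split(",")[0].strip()  # city only
    return out


def share_dataset(records, key, today, k=2):
    """Return (rows safe to release, number of rows withheld)."""
    rows = [deidentify(r, key, today) for r in records]
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    released = [r for r in rows
                if groups[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]
    return released, len(rows) - len(released)


# Constructed sample data; every value is a placeholder.
KEY = b"constructed-key-for-recipient-A"
TODAY = date(2020, 6, 1)
RECORDS = [
    {"patient_id": "P001", "name": "Patient One", "phone": "000-0001",
     "id_number": "ID-0001", "birth_date": date(1985, 3, 12), "sex": "F",
     "address": "Shenyang, District A, Street 1", "diagnosis": "hypertension"},
    {"patient_id": "P002", "name": "Patient Two", "phone": "000-0002",
     "id_number": "ID-0002", "birth_date": date(1988, 11, 2), "sex": "F",
     "address": "Shenyang, District B, Street 2", "diagnosis": "asthma"},
    {"patient_id": "P003", "name": "Patient Three", "phone": "000-0003",
     "id_number": "ID-0003", "birth_date": date(1952, 1, 20), "sex": "M",
     "address": "Shenyang, District A, Street 3", "diagnosis": "diabetes"},
    {"patient_id": "P004", "name": "Patient Four", "phone": "000-0004",
     "id_number": "ID-0004", "birth_date": date(1957, 7, 30), "sex": "M",
     "address": "Shenyang, District C, Street 4", "diagnosis": "hypertension"},
    {"patient_id": "P005", "name": "Patient Five", "phone": "000-0005",
     "id_number": "ID-0005", "birth_date": date(1999, 5, 5), "sex": "M",
     "address": "Dalian, District D, Street 5", "diagnosis": "fracture"},
]

if __name__ == "__main__":
    released, withheld = share_dataset(RECORDS, KEY, TODAY, k=2)
    for row in released:
        print(row)
    print("rows withheld:", withheld)
```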
Cybersecurity Talent Development
Any standardized enterprise management inevitably requires the introduction of processes, and this applies equally to the operations and maintenance (O&M) management of healthcare institutions. Operations based solely on personal experience and judgment often conceal significant risks of failure. The information centers of healthcare institutions must strengthen process management. Any critical operation must be strictly executed in accordance with established procedures. Establishing a process-oriented culture is a crucial component of the standardized management of data centers. The three most important categories of processes in data centers are Standard Operating Procedures (SOPs), Methods of Procedure (MOPs), and Emergency Operating Procedures (EOPs).
Meanwhile, the infrastructure of data centers in medical institutions involves multiple disciplines, including electrical power, HVAC, low-voltage systems, fire protection, and building engineering. Since the configuration and specific operational procedures of each data center vary, the information centers of medical institutions must acquire extensive professional knowledge for data center operations and maintenance. Therefore, regular training and learning should become an integral part of the management of hospital O&M teams.
Cybersecurity Talent Acquisition
Cultivating cybersecurity talent involves unique challenges. From a learning perspective, offensive and defensive cybersecurity operations are asymmetric. Individuals with formal academic training generally receive education focused on defense, with limited exposure to offensive techniques. Defensive strategies developed without an understanding of attack methodologies risk becoming purely theoretical. Therefore, while healthcare institutions cultivate their own cybersecurity personnel, they should also prioritize the recruitment of experienced professionals. Appropriately leveraging security services provided by specialized vendors can help address the shortage of in-house security expertise. This approach minimizes the risks of operational disruptions and increased management costs resulting from cybersecurity incidents.
The fundamental purpose of cybersecurity infrastructure is to support business operations and ensure their stable functioning. Guided by the philosophy of "business-driven security," Neusoft NetEye integrates its extensive experience in the healthcare industry with its expertise in cybersecurity, thereby merging security measures with business processes to provide guidance for building cybersecurity frameworks for internet hospitals. This approach addresses the disconnect between cybersecurity implementation and business development, offering healthcare institutions strategic planning perspectives for internet hospital cybersecurity from a security standpoint, and empowering cybersecurity professionals in the healthcare sector.
Neusoft NetEye believes that the following points must be mastered during the cybersecurity planning process for internet hospitals:
1) The fundamental aspects of informatization construction for internet hospitals encompass three key areas: the development of new internet hospital systems, the integration of data between internal and external networks, and the establishment of network infrastructure for participating institutions.
2) From the perspectives of stakeholders in the development of internet hospitals (including physical hospitals, patients, third-party institutions, and health commissions) as well as attack and defense technologies, the fundamental challenges facing cybersecurity in internet hospitals primarily include compliance with classified protection standards, operational stability of accessing institutions, responsibility for medical data security, operational stability of hospital intranets, operational stability for patients, and the broader social impact of digital transformation.
3) The cybersecurity framework for internet hospitals should provide comprehensive protective measures centered on four key areas: data, applications, personnel, and infrastructure. By strategically deploying and integrating security controls, the system should establish robust capabilities to mitigate both internal and external threats. The ultimate objective is to achieve security compliance and effective attack prevention, thereby addressing the security challenges arising from digital transformation.
Figure 16: Cybersecurity Planning Process for Internet Hospitals

Source: Neusoft Group, VCBeat
Achieving Level 3 of the Classified Protection of Cybersecurity (MLPS 2.0) is a prerequisite for the launch of an internet hospital. The implementation of MLPS compliance is a systematic undertaking comprising five key stages: classification and filing, planning and design, construction and remediation, graded assessment, and operational management. This process involves specific tasks such as documentation preparation, data center retrofitting, product deployment, and the implementation of management policies. Due to constraints in personnel and other resources, most hospitals find it challenging to complete these requirements independently. Leveraging years of experience in MLPS compliance, Neusoft NetEye provides specialized services to assist hospitals in achieving Level 3 MLPS certification for their internet hospitals.
Neusoft NetEye provides integrated Classified Protection construction services for healthcare institutions, capable of completing 10 tasks and assisting with 2 additional tasks across the five stages, thereby comprehensively supporting Classified Protection initiatives. It assists hospitals in determining the objects and levels of classification from the perspectives of information security and business continuity, adopts a phased and batched approach to planning, and delivers precise consulting, planning, and on-site services to network operators. Across all five phases, leveraging professional personnel (CIIP-A, CISP, and Classified Protection engineers), integration capabilities (Classified Protection construction qualifications, integration qualifications, and experience in Classified Protection integration), and the Classified Protection ecosystem (security partners and assessment agencies), it provides network operators with efficient integration, implementation, and assurance services.
Figure 20: Neusoft NetEye Integrated Classified Protection Construction Services

Cybersecurity products are an indispensable component in the implementation of the cybersecurity framework for internet hospitals. Stable and reliable security solutions ensure smooth business operations and reduce the operational burden on maintenance personnel. Since 1996, Neusoft NetEye has been engaged in the research, development, and manufacturing of cybersecurity products, establishing a comprehensive production mechanism that encompasses R&D, functional testing, performance testing, and pre-shipment burn-in testing. It provides all-around, reliable cybersecurity products to support the security infrastructure of internet hospitals, helping clients build and enhance their security protection systems.
Neusoft NetEye’s Comprehensive Cybersecurity Products Support Compliant Development of Internet Hospitals
Neusoft NetEye’s cybersecurity product portfolio comprises three major categories—access control, auditing, and management—and also includes cloud security solutions. It basically covers all the network security products required for Level 3 Classified Protection compliance, thereby providing support from a network security perspective for the compliant development of internet hospitals.
Figure 22: Neusoft NetEye Cybersecurity Products

Due to variations in patient volume and service offerings across medical institutions, cybersecurity needs differ accordingly. To meet the diverse requirements of various healthcare organizations and scenarios, Neusoft NetEye recommends different models of its cybersecurity products.
1) Internet Boundary Protection for Tertiary Hospitals
High data traffic volume and complex data types are the primary characteristics of internet hospital operations in tertiary hospitals. Therefore, the main requirement for tertiary hospitals is to implement high-performance, high-accuracy boundary protection measures for their internet hospitals. The Neusoft NetEye Anti-Virus Gateway maintains a virus signature database containing over 15 million entries. It can perform in-depth inspection of various data flowing into the internet hospital from physical hospitals, medical services, and third-party medical institutions, effectively addressing hard-to-detect attacks such as polymorphic viruses and malware evasion techniques. Meanwhile, the Neusoft NetEye Anti-Virus Gateway integrates firewall and VPN functionalities, enabling a single product to meet multiple needs. It establishes access control policies tailored to different access requirements and provides dedicated secure operation and maintenance channels for remote O&M personnel, thereby creating comprehensive and controllable access paths to prevent security risks arising from unauthorized access and excessive device exposure.
2) Internet Boundary Protection for Primary Healthcare Institutions
Township health centers and village clinics, as primary healthcare institutions, typically lack independent server rooms and have simple operational requirements with small data volumes. To address this situation, Neusoft NetEye has proposed a desktop-level integrated security gateway specifically customized for small and medium-sized users. Due to its compact size, it is better suited to the physical environments of primary healthcare institutions. Meanwhile, the Neusoft NetEye desktop-level integrated gateway provides all the functions of traditional integrated gateways, including access control, intrusion prevention, antivirus protection, URL filtering, and VPN. By deploying the Neusoft NetEye desktop-level integrated security gateway, primary healthcare institutions can establish network perimeter protections. This solution also creates a dedicated secure channel for accessing internet hospitals, thereby mitigating security risks associated with general internet access.
3) Protection for Interactions Between Healthcare Institutions' Intranets and Internet Hospitals
Neusoft NetEye Security Isolation and Information Transmission System (Gap) achieves a degree of "physical isolation" by completely stripping away the TCP/IP protocol stack. It transfers raw data to internal systems via storage media using a "ferrying" mechanism. This protective approach effectively filters out attacks carried over TCP/IP protocols, such as Teardrop attacks and TCP session hijacking, during data synchronization. It also performs preliminary inspection and identification of malicious activities embedded within normal business traffic. Meanwhile, the Neusoft NetEye Security Isolation and Information Transmission System maintains a latency of under 1 millisecond, meeting the real-time data transmission requirements for internet hospitals and physical hospitals.
The Neusoft NetEye Next-Generation Firewall provides security protection across network layers L2–L7 through policy configuration. It restricts in-hospital access behaviors based on user groups and policy groups, and comprehensively controls interactions between external core systems (Internet Hospital Systems) and internal core systems (HIS, PACS, EMR). By limiting access behaviors, servers expose only necessary ports and services while closing high-risk ports and services exposed in the network environment. This shields against malicious access from unauthorized external personnel and blocks security risks arising from unauthorized internal operations, ensuring effective control over network usage.
Neusoft NetEye’s Emerging Cybersecurity Technologies Power the Digital Transformation of Healthcare
Internet hospitals are a key initiative for physical medical institutions to transition to the internet. During this transformation, internet hospitals will face new cybersecurity challenges. Neusoft NetEye applies advanced technologies such as machine learning and SD-WAN to its cybersecurity products, helping medical institutions address the new challenges arising from the business transformation of internet hospitals.
1) Integration of cybersecurity and SD-WAN to establish stable and reliable internet connectivity
The primary reason healthcare institutions choose MPLS and dedicated lines is to ensure the stability of link communications, while the secondary reason is to guarantee data security during transmission. Since SD-WAN technology alone can only ensure communication stability, Neusoft NetEye has integrated SD-WAN with security protection features on top of traditional firewalls, proposing a comprehensive solution. This solution leverages SD-WAN technology to ensure high availability and Quality of Service (QoS) for critical business applications in internet hospitals. It selects links based on priority SLAs or link quality metrics and restores traffic to the desired link once SLA stability is achieved. By utilizing firewalls equipped with SD-WAN capabilities, the solution encrypts transmission links and filters traffic, thereby ensuring both boundary security for internet hospitals and business stability. In scenarios involving two service providers, SD-WAN technology offers greater stability than MPLS. In terms of security, VPN encryption is more secure than MPLS. Therefore, products that integrate SD-WAN with network security can better replace MPLS technology. Neusoft NetEye has tested key functions and performance metrics of its SD-WAN products, including remote zero-touch deployment, WAN link failure and failover, dynamic link selection for QoS assurance, link saturation and congestion management, as well as link selection criteria and application-based routing. The results rank among the best in the market, aiming to provide stable and reliable internet connectivity for internet hospital communications.
Figure 23: Convergence of Cybersecurity and SD-WAN

2) Address the issue of scalpers snapping up appointment slots to improve patient satisfaction
The fundamental challenge in combating ticket scalping for appointment registrations lies in the diverse methods employed by scalpers, including manual booking, automated bots, and identity theft, which render single-technique solutions ineffective. Leveraging its extensive software development experience across various industries and years of expertise in business risk control, Neusoft has developed the Neusoft NetEye Business Security Gateway. By integrating CAPTCHA, device fingerprinting, real-time risk decision-making, and behavioral analysis technologies, this solution analyzes user access data for online registration at internet hospitals, effectively addressing the persistent issue of ticket scalping.
Figure 24: Addressing the Issue of Scalpers Snatching Appointments at Internet Hospitals

Human-Machine Recognition
When users access the Internet Hospital, a verification method based on "JS Challenge" is employed. A specific JavaScript response, parsable by the browser, is sent to the user's client. Users who successfully pass the "challenge" will carry a specific Cookie value. The online real-time model determines whether to allow the request based on this Cookie information. Requests that fail the challenge are identified as bot activity and blocked, while those that pass are recognized as normal user behavior and allowed. This approach effectively addresses the issue of malicious software engaging in account squatting or credential stuffing.
Figure 25: Human-Machine Recognition System
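The cookie check described above can be sketched as follows. This is an added example, not Neusoft NetEye's code: the report does not say what the script computes, so a small hash puzzle is assumed, and every name, key and timeout here is hypothetical.

```python
import hashlib
import hmac
import secrets
import time

GATEWAY_KEY = secrets.token_bytes(32)  # server-side secret; never sent to clients
CHALLENGE_TTL = 30   # seconds allowed to answer a challenge (assumed value)
COOKIE_TTL = 600     # seconds a passed challenge stays valid (assumed value)
DIFFICULTY = 12      # leading zero bits the answer must produce (assumed value)

def sign(*parts):
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(GATEWAY_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(session_id, now=None):
    """Gateway: stateless challenge embedded in the JavaScript response."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return {"nonce": nonce, "issued": issued,
            "tag": sign("chal", session_id, nonce, issued)}

def proof_ok(nonce, answer):
    digest = hashlib.sha256(f"{nonce}:{answer}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - DIFFICULTY) == 0

def solve_challenge(challenge):
    """Stand-in for the work the browser-executed script performs."""
    answer = 0
    while not proof_ok(challenge["nonce"], answer):
        answer += 1
    return answer

def grant_cookie(session_id, challenge, answer, now=None):
    """Gateway: verify the answer, return the pass cookie or None."""
    now = int(time.time() if now is None else now)
    expected = sign("chal", session_id, challenge["nonce"], challenge["issued"])
    if not hmac.compare_digest(expected.encode(), str(challenge["tag"]).encode()):
        return None                  # forged, or issued to another session
    if now - challenge["issued"] > CHALLENGE_TTL:
        return None                  # stale challenge
    if not proof_ok(challenge["nonce"], answer):
        return None                  # script did not run correctly
    expires = now + COOKIE_TTL
    return f"{expires}.{sign('pass', session_id, expires)}"

def request_allowed(session_id, cookie, now=None):
    """Per-request cookie check made before the request reaches the service."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, mac = cookie.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False                 # missing or malformed cookie: treat as bot
    good = hmac.compare_digest(mac.encode(),
                               sign("pass", session_id, expires).encode())
    return good and now < expires
```

The cookie is bound to the session and expires, so it cannot be copied to another session or reused indefinitely.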

Device Fingerprint
Traditional security protection devices and measures typically implement access control and blocking policies based on IP addresses, resulting in an extremely high false-positive rate. For instance, the internet egress for a residential community usually consists of a few fixed IP addresses. If a single user within the community triggers a security rule and their IP is blocked by the target website, it will directly prevent the entire community from accessing the site. (The same principle applies to 4G mobile network egress points.)
To more accurately identify internet users and prevent false positives, device fingerprinting technology is introduced. This technology integrates JavaScript scripts on the website side to collect non-sensitive device characteristic information from terminal devices, such as hardware, network, and browser details. This data is then submitted to the server, where a specific hash algorithm generates a globally unique device fingerprint identifier for each terminal device. This identifier is written into the user's cookie and persists throughout the entire session lifecycle, thereby enabling service authentication and behavior tracking for visitors.
Once a user associated with a specific device fingerprint triggers security rules, the session linked to that device fingerprint will be immediately blocked, while the IP address remains unblocked. This approach prevents disruption to other users sharing the same outbound IP address. As one of the key technologies in the risk control product suite, device fingerprinting serves as a critical dimension for risk identification, enabling precise user identity verification and effectively addressing risks such as account theft, unauthorized inquiries, and fraud in internet hospitals.
Figure 26: Fingerprint Recognition Risk Control Technology
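The difference between blocking by IP address and blocking by device fingerprint, for two devices behind one community egress address, is shown in this added example (not code from the report or the product). The attribute list, the keyed SHA-256 hash, the key and the sample devices are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

FP_KEY = b"constructed-demo-key"  # placeholder; load a real secret in deployment
# Assumed attribute set (hardware, network and browser details, per the text).
FP_FIELDS = ("user_agent", "screen", "timezone", "language", "platform", "cpu_cores")

def device_fingerprint(attrs):
    """Canonicalise the submitted attributes, then hash them to an identifier."""
    canon = {k: " ".join(str(attrs.get(k, "")).lower().split()) for k in FP_FIELDS}
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(FP_KEY, blob, hashlib.sha256).hexdigest()

class Gate:
    """Blocks by fingerprint (the approach above) or by IP (the traditional one)."""
    def __init__(self, key_by):
        if key_by not in ("fingerprint", "ip"):
            raise ValueError("key_by must be 'fingerprint' or 'ip'")
        self.key_by = key_by
        self.blocked = set()

    def _key(self, fp, ip):
        return fp if self.key_by == "fingerprint" else ip

    def rule_triggered(self, fp, ip):
        self.blocked.add(self._key(fp, ip))

    def allowed(self, fp, ip):
        return self._key(fp, ip) not in self.blocked

# Constructed sample: two devices behind one community egress address.
EGRESS_IP = "203.0.113.10"
BOT = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "800x600",
       "timezone": "UTC", "language": "en", "platform": "Linux", "cpu_cores": 64}
PATIENT = {"user_agent": "Mozilla/5.0 (iPhone)", "screen": "390x844",
           "timezone": "Asia/Shanghai", "language": "zh-CN",
           "platform": "iPhone", "cpu_cores": 6}

def shared_egress_outcome(key_by):
    """Block the offending device, then report who can still reach the site."""
    gate = Gate(key_by)
    bot_fp, patient_fp = device_fingerprint(BOT), device_fingerprint(PATIENT)
    gate.rule_triggered(bot_fp, EGRESS_IP)
    return {"bot": gate.allowed(bot_fp, EGRESS_IP),
            "patient": gate.allowed(patient_fp, EGRESS_IP)}
```

Two devices that report identical attribute values hash to the same identifier, so the choice of attributes decides how well users behind one address are told apart.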

Behavior Analysis
The core of behavior recognition lies in profiling internet users. By combining unsupervised and supervised learning, we have developed a risk scoring system and decision-making framework based on multi-layer dynamic models, thereby focusing design efforts on the genuine motivations and behaviors of real users. This approach effectively identifies malicious activities such as automated bot-driven account snatching.
Figure 27: Principle of Behavior Recognition

Implementation of Decisions
The Real-Time Decision System is a business risk prevention and control product based on multiple technologies, including device fingerprinting, rule engines, metric-based strategies, risk data, and machine learning. It supports rapid private deployment, helping customers quickly establish their own business security frameworks to address various risks such as impersonation, unauthorized use, fraud, cheating, spam, and web crawling.
The Real-Time Decision Engine is a powerful intelligent decision-making system that supports multi-tiered decision analysis, including real-time decision-making, near-line analysis, and offline mining. It can respond in milliseconds, leveraging policies and real-time computing to synchronously identify risks, directly block malicious threats, or confirm suspected risks through secondary verification.
Near-line analysis enables near-line computing at the T+ seconds and minutes level, calculates various features, provides metric parameters for real-time decision-making, monitors security status from multiple dimensions, and triggers timely alerts upon detecting anomalies.
Offline mining leverages various offline data mining and modeling techniques to provide the foundation and capabilities for real-time decision-making and offline handling, such as feature mining, model platform training, user risk profiling, and device risk profiling.
Figure 28: Real-Time Decision-Making System
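How the three tiers can feed one decision is sketched in this added example, which is not the product's engine: a sliding-window counter stands in for near-line analysis, a fixed set stands in for offline device profiling, and a scored rule list yields allow, secondary verification or block. All rule names, scores, thresholds and sample identifiers are constructed assumptions.

```python
from collections import defaultdict, deque

ALLOW, VERIFY, BLOCK = "allow", "secondary_verification", "block"
WINDOW = 60  # seconds of history kept by the near-line tier (assumed)

# Offline tier output: fingerprints a batch job profiled as risky (constructed).
OFFLINE_RISKY_DEVICES = {"fp-known-reseller"}

class NearLineFeatures:
    """Per-fingerprint sliding window of registration attempts."""
    def __init__(self):
        self.events = defaultdict(deque)  # fingerprint -> (timestamp, patient_id)

    def record(self, fp, ts, patient_id):
        q = self.events[fp]
        q.append((ts, patient_id))
        while q[0][0] <= ts - WINDOW:     # evict events older than the window
            q.popleft()
        return {"attempts": len(q),
                "distinct_patients": len({p for _, p in q})}

# (rule name, predicate over request and features, score) - constructed policy.
RULES = [
    ("no_challenge_cookie", lambda r, f: not r["challenge_passed"], 60),
    ("burst_of_attempts", lambda r, f: f["attempts"] > 5, 40),
    ("many_patient_ids", lambda r, f: f["distinct_patients"] > 3, 50),
    ("offline_risky_device", lambda r, f: r["fp"] in OFFLINE_RISKY_DEVICES, 30),
]

def decide(request, near_line, ts):
    """Real-time tier: score one registration request and pick an action."""
    feats = near_line.record(request["fp"], ts, request["patient_id"])
    hits = [(name, score) for name, pred, score in RULES if pred(request, feats)]
    total = sum(score for _, score in hits)
    if total >= 80:
        action = BLOCK            # high confidence: stop the request outright
    elif total >= 40:
        action = VERIFY           # suspected risk: confirm with a second check
    else:
        action = ALLOW
    return action, total, [name for name, _ in hits]
```

Returning the matched rule names with the action gives operators an audit trail for each blocked or challenged registration.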

Neusoft Group invested in the establishment of three IT universities in Dalian, Nanhai, and Chengdu between 2000 and 2003, building an interactive ecosystem for industry, academia, and research to bridge the gap between specialized education and practical industry needs. In 2008, it established an IT Talent Practical Training Center. Currently, distributed training bases have been set up in Shenyang, Dalian, Nanjing, Chengdu, and Wuxi. Through a competency-oriented approach to software talent development, Neusoft helps students transform their knowledge into behavioral competencies, technical skills, and engineering practice capabilities. This initiative not only cultivates high-quality professionals for the industry but also creates a vital channel for the large-scale supply of entry-level talent to Neusoft itself.
Currently, Neusoft’s Schools of Information Technology, established across three locations, have cultivated a large number of practical, internationalized, and personalized IT application-oriented talents for economic and industrial development through continuous exploration and practice in educational and teaching reforms. Meanwhile, leveraging the training advantages of its own talent practical training centers, Neusoft has undertaken a series of skill training programs for students from provincial universities. Through “quasi-employment” opportunities during their studies, students have adapted to society in advance and launched promising careers. This has also laid a solid foundation for Neusoft, its clients, and partners to sustainably acquire professional talent.
Establish an Information Security major, adopting a trinity model of “position-oriented, skills-based, and quality-founded” to cultivate students’ capabilities in applying information security technologies and analyzing and implementing information security measures. Students will develop strong operational skills, master general anti-hacking and antivirus techniques, acquire the fundamental qualities required for secure information system design and the development of information security software and hardware products, and stay abreast of developmental trends in the discipline of information security as well as its interdisciplinary applications. This approach aims to enhance students’ analytical and problem-solving abilities in the field of information security, with particular emphasis on practical hands-on competence, thereby nurturing highly skilled, application-oriented professionals with sound scientific literacy and professional ethics. The program seeks to supply cybersecurity talent to meet market demands.
The above is an excerpt of the key highlights from the report.
