Security-Centric Development: Key Certifications Powering Safe and Trusted Healthcare IT Services

Jan 17, 2020 08:00 CST Updated 08:00

With the widespread application of the internet, big data, and cloud computing in healthcare informatization, information security has garnered increasing attention. It is no exaggeration to state that security has become the cornerstone of healthcare informatization. For healthcare IT enterprises, a key challenge lies in demonstrating that their services are secure, reliable, and trustworthy. VCBeat (WeChat ID: Vcbeat) has compiled an overview of the major certifications currently relevant to information security, hoping to provide a useful reference.

What Is Information Security Certification, and How Important Is It?

Information Security Management System (ISMS) is an integral part of an enterprise’s overall management system. It encompasses a series of management activities—establishing, implementing, operating, monitoring, reviewing, maintaining, and continually improving information security—based on risk assessment. The ISMS can be applied to the management and development of enterprise information security, safeguarding comprehensive information security across the organization through a structured management system.

The preparatory work for enterprise certification of an Information Security Management System (ISMS) is extremely complex, often leaving organizations feeling as though they have been “stripped to the bone.” Nevertheless, obtaining ISMS certification indeed yields more benefits than drawbacks for enterprises.

Generally speaking, obtaining certification for an Information Security Management System (ISMS) can bring four key benefits to an enterprise: Internally, it significantly enhances the organization’s information security management capabilities, raises employee awareness of information security, and effectively prevents and controls information security risks. For customers, it serves as a nationally recognized, objective third-party certification, fostering trust and confidence in the products and services provided by the certified enterprise. For partners, it demonstrates alignment with international information security standards, enabling mutual recognition of information security management proficiency when collaborating with other certified entities. For the industry, it sets a benchmark within the information security sector, showcasing the enterprise’s management capabilities while enhancing its brand image and industry competitiveness.

For an enterprise, obtaining information security certification is akin to a novice martial artist undergoing arduous secluded training before finally being recognized as a master.

Information security is becoming increasingly important. What has been its developmental trajectory?

Against this backdrop, the National Healthcare Security Administration has accelerated the advancement of medical insurance informatization and standardization in recent years. In 2019, it designated “continuously promoting standardization and informatization development” as a key annual priority, underscoring the current critical importance of the security of “personal health and disease data.” “Ensuring data security” has been elevated to an unprecedented level of priority.

When it comes to information security, the first standard to consider is ISO 27001. This is the primary standard within the ISO 27000 series for certification, analogous to ISO 9001 in the ISO 9000 series.

It is no exaggeration to say that ISO 27001 is the most authoritative, stringent, and widely accepted and applied management system certification standard in the field of information security internationally. Achieving ISO 27001 certification indicates that an organization has established a scientific and effective information security management system as a safeguard, enabling it to provide users with reliable information services.

In addition, ISO 27017 and ISO 27018 are currently the most common international standards for cloud services.

In recent years, healthcare informatization has not only become a key development direction for the healthcare industry but also a priority in China’s 13th Five-Year Plan for national cybersecurity and informatization. This niche sector features both established giants, such as Neusoft Corporation and Winning Health Technology Group, and cross-industry newcomers like Ping An HealthCloud, a subsidiary of Ping An Group. Reportedly, as an emerging player, Ping An HealthCloud had already obtained the ISO 27017 and ISO 27018 international security system certifications issued by SGS (SGS-CSTC Standards Technical Services Co., Ltd.) by the end of last year.

“Combined with the ISO 27001 certification for international information security management systems obtained in the first half of this year, we (Ping An Medical Healthcare Technology) have now secured the three key pillars of information security assurance, with our development and operations capabilities reaching internationally recognized standards.” Ping An Medical Healthcare Technology expresses strong confidence in its information security capabilities.

VCBeat believes that the aforementioned certifications not only enable Ping An Health Technology to meet the requirements for corporate bidding and daily information security management, but also enhance its recognition among foreign investment institutions, offering a valuable reference for other information technology enterprises.

Start with development, follow up with operations and maintenance, safeguard with intellectual property rights—information security must not become a "castle in the air."

There is no doubt that all security is built upon the foundation of development. Without a robust and mature software development system, so-called security is nothing but an illusion, akin to castles in the air.

For example, CMMI (Capability Maturity Model Integration) is an internationally recognized authoritative standard for assessing the maturity of enterprise software R&D capabilities and project management standards. It is widely regarded as a passport for software companies entering the global market. Last October, Ping An Medical Technology achieved its highest-level CMMI Level 5 certification, becoming the first subsidiary under Ping An Group to obtain this qualification.

Meanwhile, the company had already obtained Level 3 Certification for Software Security Development at an early stage, introduced the Scaled Agile Framework (SAFe) 4.0, and passed the ITSS Operation and Maintenance Level 3 Certification, thereby covering nearly all certification standards in the relevant fields. In terms of intellectual property, Ping An HealthCare Technology has accumulated nearly 1,000 patent applications and close to 100 software copyrights, legally safeguarding the rights and interests attached to the IT systems covered by its information security management system.

The attainment of these key certifications, the agile transformation of its R&D processes, and the protection of its intellectual property signify that the company has reached an internationally leading level in its organizational capabilities for software development, technological R&D, project management, and solution delivery.

Industry Leader: Information Security Drives Ping An Health Insurance Technology to Continuous Success

It is precisely because of its robust foundational safeguards for information security, which minimize the risks of data breaches and system vulnerabilities to the lowest possible level, that Ping An HealthCare Technology has gained recognition from government ministries and a broader customer base in the market.

VCBeat has learned that within the past year alone, Ping An Health Insurance Technology gained recognition from medical insurance bureaus at all levels. In May 2019, Ping An Health Insurance Technology won the bid for the construction procurement project of the Macro-Decision Big Data Application Subsystem and the Operation Monitoring Subsystem under the National Healthcare Security Administration’s Medical Security Information Platform. This initiative provides specialized and systematic support to the National Healthcare Security Administration in scientific decision-making and refined management, assisting in establishing a closed-loop management system encompassing “decision planning, policy implementation, operation monitoring, and analysis feedback.” Subsequently, the company successively won bids for projects such as the Qingdao Medical Insurance Bureau’s Medical Insurance Supervision Service Project and the Shandong Provincial Medical Insurance Bureau’s Intelligent Supervision System Information Platform Project, marking a series of notable achievements.

“By the end of 2019, our market coverage had extended to nearly 30 provinces and over 200 cities across China, serving a public user base of 800 million,” said a relevant official from Ping An Medical Healthcare Technology.

Meanwhile, the achievements of Ping An HealthCare Technology have also been recognized by professional media. At the VCBeat “Top 100 Future Healthcare Companies of 2019” forum held at the end of last year, Ping An HealthCare Technology once again topped the “2019 Top 100 Future Healthcare Companies – China Digital Healthcare List,” after having ranked first on the “2018 Top 100 Future Healthcare Companies – China Healthcare List” in 2018, and was honored with the title of “Innovative Company of the Year.”

Final Remarks

In recent years, there has been a frequent rollout of major policies and standards in the fields of healthcare informatization and internet-based healthcare. While these innovations have brought significant convenience, issues related to system security and data security remain unavoidable for hospital information system construction, internet hospitals, and telemedicine alike. The advent of the cloud era has made it even more critical for healthcare-related institutions to safeguard the security of their information systems and data.

We believe that capable enterprises should continuously pursue cutting-edge IT technologies, such as artificial intelligence, blockchain, and cloud computing, which represent advanced productive forces. Meanwhile, enterprises should also adhere to high-standard relevant certifications and prioritize the practical implementation of information security management. Only in this way can enterprises truly empower the healthcare informatization industry.