Dr. Zhang Yan from the Third Research Institute of the MPS: Implementation of Cybersecurity Level Protection 2.0 in the Healthcare Industry

Aug 23, 2019 08:00 CST

On August 17, 2019, the Smart Healthcare Special Session of the Sangfor Innovation Conference 2019 was held in OCT, Shenzhen. Dr. Zhang Yan, Director of the Intelligent Interconnected Security Evaluation Laboratory at the Testing Center of the Third Research Institute of the Ministry of Public Security, delivered a presentation titled “Analysis of the Implementation of MLPS 2.0 in the Healthcare Industry.” VCBeat has compiled and edited the highlights from her talk.

   


Zhang Yan, The Third Research Institute of the Ministry of Public Security

 

Dr. Zhang Yan has extensive experience in scientific research and standardization related to information security. She has received numerous provincial and ministerial-level science and technology awards. As the editor-in-chief, she has published six books, including Principles and Applications of Next-Generation Security Isolation and Information Exchange Products, Principles and Applications of Firewall Products, and Principles and Applications of Network Intrusion Detection Systems. She has also contributed to the development of more than ten national and public security industry standards for information security, such as GB/T 36627-2018 Information Security Technology—Technical Guidelines for Testing and Evaluation of Classified Protection of Cybersecurity.


In May 2019, the State Administration for Market Regulation and the Standardization Administration of China officially released the national standards series on Classified Protection of Cybersecurity. The issuance of this series of standards holds significant guiding importance for safeguarding and promoting the development of informatization in the healthcare industry, as well as for enhancing the cybersecurity protection capabilities of medical institutions.

 

Enhancing Business System Capabilities Is Key to Ensuring Cybersecurity


The healthy development of the healthcare industry is directly related to people's livelihood. During the 13th Five-Year Plan period, the continuous development and promotion of medical information technology have gradually made network systems the business service support framework for the healthcare industry.

 

Once a network system fails or experiences an outage, it can have a devastating impact on the entire healthcare service system. If important business data, diagnostic and treatment data stored in the network system, or even patient privacy information from the 160 million-patient diagnostic database is leaked, it will cause immeasurable harm to patients.

 

Digitalization and networking are leading the direction of industry development, but they also give rise to potential security issues and risks, such as the risk of malicious remote control of devices, Bitcoin ransomware attacks, and personal data breaches. These security challenges pose new demands and requirements for the industry.

  

The number of cybersecurity incidents continues to rise, and the government’s emphasis on cybersecurity in the healthcare sector is also increasing. For instance, the “2019 Cybersecurity Observation Report for the Health and Medical Industry,” released by institutions such as the China Academy of Information and Communications Technology (CAICT), likewise disclosed several key manifestations of current concentrated cybersecurity risks:


First, issues such as botnets and worms are severe, and ransomware poses a serious threat to the normal operation of medical services;

Second, data breaches are occurring with high frequency, and application service software contains numerous security vulnerabilities;

Third, websites in the healthcare industry, along with government and educational institution websites, are key targets for attacks by foreign entities, and website defacement techniques are highly variable.


Zhang Yan believes that the high value of the data is one of the reasons the healthcare industry has become a major target for cyberattacks, but the primary reason is that, driven by new technologies such as big data and the Internet of Things (IoT), traditional IT system security management frameworks can no longer cover the actual application scenarios and scope.

 

In addition to the aforementioned internal factors, terrorist organizations, hacker groups, cybercrime syndicates involved in the black market economy, and extreme individuals may also launch cyberattacks for personal or financial motives.

 

In fact, the root cause lies in the deficiencies of critical business systems in terms of cybersecurity infrastructure and security operations and maintenance (SecOps), which are the key factors enabling these internal and external threats to take effect.

 

"MLPS 2.0 is not merely a concept of a standard version update."


At present, the cybersecurity landscape is severe, and the state is continuously improving relevant laws, regulations, policy frameworks, and standards in this domain. In addition to affirming the protection obligations and responsibilities of various stakeholders in cybersecurity, the Cybersecurity Law also clarifies certain fundamental systems related to national cybersecurity.

 

The Multi-Level Protection Scheme (MLPS) for cybersecurity is a system explicitly established and emphasized under the Cybersecurity Law of the People's Republic of China, which prioritizes the protection of critical information infrastructure based on classified security levels. The implementation of MLPS adheres to the core principle of applying tiered protection and tiered supervision to networks (including information networks, information systems, and data resources).

 

In fact, the Multi-Level Protection Scheme (MLPS) was established in 1994 through State Council Decree No. 147. With the introduction of the Cybersecurity Law, the MLPS entered its 2.0 phase.

 

The MLPS 2.0 stage represents a re-evaluation by the competent authorities, who have put forward new requirements in light of the current national and global cybersecurity landscape, the mandates of cybersecurity defense tasks, and technological advancements.

 

It should be clarified that MLPS 2.0 is not merely a concept of a standard version update, but rather an enhancement of the entire system and its core framework.

 


Five Changes, Three Unchanged


First, the measures covered are more comprehensive. MLPS 2.0 further clarifies the work requirements for network classification and review, filing and audit, graded evaluation, security construction and rectification, and self-inspection, and incorporates measures closely related to cybersecurity, such as risk assessment and security monitoring, into the Multi-Level Protection Scheme (MLPS).


Second, the grading process is more standardized. MLPS 2.0 adopts the classification principles of clear grading, enhanced protection, and routine supervision, and defines the classification process as follows: determining the classification object, preliminary classification, expert review, approval by the competent authorities, and filing and examination with the public security organs.


Third, the classified protection system is upgraded. Building upon existing technical specifications, the competent authorities have continuously issued a series of policies, regulations, and updated standards to further refine the MLPS system, encompassing policy, standards, assessment, technology, services, key technology research, and education. Centered on the MLPS framework, these authorities have established a national security protection system for critical information infrastructure that integrates security monitoring, notification and early warning, rapid response, situational awareness, security prevention, and precision countermeasures.


Fourth, the scope of classified protection objects is expanded. All critical information infrastructure, including basic information networks, key information systems, websites, big data centers, cloud computing platforms, the Internet of Things (IoT), industrial control systems, and public service platforms, shall be incorporated into the scope of classified protection.


Fifth, passive protection shifts to active protection. In terms of technical requirements, MLPS 2.0 establishes control points across five security domains: security management center, physical environment, communication network, regional boundary, and computing environment. It also incorporates trusted verification into the MLPS framework to enable more precise protection.


In terms of management requirements, MLPS 2.0 has adjusted and consolidated certain control points, with particular emphasis on requirements such as external personnel access management and vulnerability risk management. In subsequent implementation, competent authorities will adopt the concept of granular classification of assessment conclusions to reflect the varying levels of security protection across different systems.


In addition to the aforementioned changes, MLPS 2.0 has not made any modifications in the following areas.


The five levels of MLPS remain unchanged: User Autonomous Protection Level, System Audit Protection Level, Security Label Protection Level, Structured Protection Level, and Access Verification Protection Level.


The five key components of MLPS remain unchanged. Work continues to focus on the five key stages: classification, system registration, construction and rectification, graded assessment, and supervision and inspection.


The responsibilities of the parties involved in classified protection remain unchanged. The responsibilities of operating entities for classified protection, the security management responsibilities of superior supervisory authorities, the security assessment responsibilities of third-party evaluation agencies, and the duties of cybersecurity authorities regarding the filing acceptance and supervision/inspection of classified objects all remain as before.

 

Cybersecurity Multi-Level Protection Scheme (MLPS) serves as the foundation for the protection of Critical Information Infrastructure (CII). CII constitutes the primary focus of MLPS protection requirements. Network operators shall determine the scope of CII among protected objects classified at Level 3 and above.


Zhang Yan stated that, in addition, critical information infrastructure must comply with the requirements of the Multi-Level Protection Scheme (MLPS) for cybersecurity, carrying out tasks such as classification and filing, level-based assessments, security construction and rectification, and security inspections.


Four Major Security Issues That Fail to Meet Control Point Requirements


Based on an analysis of security incidents, Zhang Yan provided a detailed explanation of the current state of cybersecurity in the healthcare industry and highlighted non-compliant control points and security issues, in accordance with the requirements of MLPS 2.0.

 

First, lack of security measures in the computing environment. Numerous non-compliance issues exist in areas such as access control, intrusion prevention, malicious code protection, data confidentiality, data backup and recovery, and personal information protection.


Among these, the Multi-Level Protection Scheme (MLPS) 2.0 introduces new requirements for personal information protection; healthcare industry systems are likewise permitted to collect and store only user personal information that is essential for business operations.


Second, lack of security measures for network communication. In terms of network architecture, there are issues such as insufficient business processing capacity of key devices, lack of network segmentation, and single-link design; in terms of communication transmission, measures to ensure the integrity of communication data are lacking.


Third, lack of security measures at regional boundaries. Regional boundaries emphasize requirements such as boundary protection and access control, including how key network nodes prevent attacks originating from the internet or from within the internal network. The absence of malicious code detection and audit mechanisms is also relatively common.


Fourth, lack of security measures in the security management center. This is primarily manifested in the lack of operational monitoring measures for system management, non-compliant audit log storage, and the absence of measures for detecting and handling security incidents within the network.

 

Two Recommendations for Security Safeguards


Identified problems should be addressed promptly. How can the healthcare industry strengthen its security safeguards in alignment with MLPS 2.0? Zhang Yan offered two recommendations in this regard.


First, strengthen the integration of technology and management. Since security incidents often occur in scenarios involving management security or data interaction, technical measures are needed to address gaps in management. Additionally, management systems can provide multiple layers of protection for technical infrastructure.


Second, in accordance with the “one center, three protections” requirement of MLPS 2.0, implement the security requirements for all aspects of classified protection of network security, and maximize the protective capability of system security measures.


Furthermore, it is essential to strengthen defenses against Trojans and emerging cyberattacks, while enhancing daily operations and maintenance. This approach aims to meet the requirements of multiple control points, including dual-factor authentication, secure access, unified centralized management, and log auditing. By bolstering proactive defense measures and leveraging security services from specialized vendors, the overall cybersecurity posture of the healthcare industry can be significantly improved.