Cybersecurity Vulnerabilities and Protection Strategies in the Era of Internet Hospitals

Oct 22, 2018 08:00 CST Updated 08:00
Release Time | File Name | Issuing Authority
April | "National Standards and Specifications for Hospital Information Construction (Trial)" | National Health Commission
 | "Opinions on Promoting the Development of 'Internet Plus Healthcare'" | General Office of the State Council
August | "Notice on Further Promoting the Construction of Information Systems in Medical Institutions with Electronic Medical Records as the Core" | Bureau of Medical Administration and Hospital Management, National Health Commission
September | "Measures for the Administration of Internet Hospitals (Trial)" | National Health Commission and National Administration of Traditional Chinese Medicine
 | "Measures for the Administration of Internet-based Diagnosis and Treatment (Trial)" |
 | "Specifications for the Management of Telemedicine Services (Trial)" |
 | "Notice on Issuing the Administrative Measures for Standards, Security, and Services of National Health and Medical Big Data (Trial)" | National Health Commission


In 2018, the frequent issuance of major policies and standards in medical informatics and internet healthcare laid the foundation for hospitals to enter their next stage of development. However, whether it involves hospital information system construction, internet hospitals, or telemedicine, data security remains an indispensable concern. The advent of the cloud era has made it particularly critical for hospitals to ensure the security of their information systems and data.


What is the current state of the information security market in the healthcare industry? What are the prevailing vulnerabilities in hospital information security? How should hospitals address information security challenges posed by innovative digital health products and the escalating threat of ransomware? These questions will be explored in depth in this article.


What Is the Root Cause of the Lack of Vitality in the Medical Information Security Market?


The table below was compiled by VCBeat from the security requirements outlined in the 2018 "Standards and Specifications for Hospital Information Construction in China (Trial)" and the relevant data in the "Survey Report on the Status of Hospital Informatization in China (2017–2018)" released by the Chinese Hospital Information Management Association (CHIMA). By cross-checking these two sources, VCBeat arrived at the following picture of the current state of information security construction in tertiary hospitals:


The first three columns list the security requirements of the 2018 "Standards and Specifications for Hospital Information Technology Construction in China (Trial)"; the last two columns give the matching item and its application rate from the "Survey Report on the Status of Hospital Informatization in China (2017–2018)". A "\" marks requirements with no corresponding survey item.

Category | Device Type | Specific Requirement | Survey Item | Application Rate
Data Center Security | Firewall | Web Application Firewall (WAF) | Firewall | 89.73%
 | | Database Firewall | |
 | | Network Firewall | |
 | Security Audit Device | Cybersecurity Audit | \ |
 | | Database Audit | |
 | | Operations Audit | |
 | | Host Security Audit | |
 | System Hardening Device | Vulnerability Scanner | Vulnerability Scan | 23.95%
 | | Vulnerability Scanning Device | |
 | | Web Vulnerability Scanner | |
 | Data Hardening Device | Network Data Loss Prevention (DLP) Device | \ |
 | | Data Leak Prevention Storage Device | |
 | | Database Encryption Appliance | Data Encryption | 11.03%
 | | Email Encryption Device | |
 | Intrusion Prevention Device | Intrusion Prevention System | Intrusion Monitoring Device | 46.77%
 | | Intrusion Detection Device | |
 | | Network Access Control Device | Network Access Control | 39.92%
 | | Antivirus Gateway Device | Antivirus Wall Device | 50.57%
 | | Cybersecurity Intrusion Prevention | Network Antivirus Software | 85.55%
 | | Host Intrusion Prevention | |
 | | Host Malicious Code Prevention | |
 | | Web Page Tamper-Proofing | |
 | Identity Authentication System | Unified Identity Management | Domain User Management Mode | 47.53%
 | | Electronic Certification Services | Electronic Signature (Public Key Infrastructure) | 14.83%
 | | User Identity Authentication | Identity Authentication | 16.73%
 | | Personal Privacy Protection | \ |
 | | Network Device Identity Authentication | |
 | | Host Identity Authentication | |
 | Access Control System | Internet Behavior Management | Internet Behavior Management | 57.41%
 | | Virtualization Security Protection | \ |
 | Safety Management System | Document Security Management | |
 | | Log Audit System | Database Behavior Audit | 32.70%
 | | Asset Risk Management | \ |
 | | Unified Security Management | |
Terminal Security | Authentication Device | Electronic Information Authentication | Electronic Signature (Public Key Infrastructure) | 20.53%
 | | Biometric Authentication | Biometric Recognition Technology | 4.56%
 | Media Safety Devices | Secure USB Drive | \ |
 | | Mobile Storage Media | |
 | Client Management System | Client Terminal Authentication | |
 | | Virtual Private Network Client Management | |
 | Terminal Security Management System | Desktop Endpoint Security Management | |
 | | Mobile Terminal Security Management | |
 | | Management of Removable Storage Media | |
Cybersecurity | Structural Safety Equipment | Unidirectional Security Gateway | Network Gap Device | 50.57%
 | | Bidirectional Network Gap | |
 | Communication Encryption Device | Virtual Private Network Device | VPN Device | 50.95%
 | | Encryption Machine Device | \ |
 | Network Optimization Equipment | WAN Acceleration Device | |
 | | Link Load Balancer | |
 | | Flow Control | |
 | Cybersecurity Management | Security Policy Management | |
 | | Network Device Management | |
Disaster Recovery Backup | Basic Infrastructure Disaster Recovery | Local Backup Server Room | Main Server Dual-System Hot Standby | 77.95%
 | | Off-site Backup Data Center | |
 | Backup Network Disaster Recovery | Backup Network Link | |
 | | Spare Network Equipment | |
 | Data Backup and Recovery | Local Data Backup | Database Mirroring Backup | 55.51%
 | | Local Data Recovery | Data Disaster Recovery | 62.74%
 | | Offsite Data Backup | Centralized Storage for Offsite Image Backups | 29.28%
 | | Remote Data Recovery | \ |
 | Application Disaster Recovery | High Availability for Local Applications | Application System-Level Disaster Recovery | 50.95%
 | | Local Application Recovery | |
 | | Offsite Application Disaster Recovery | |
 | | Remote Application Recovery | |


As the table shows, information security construction in tertiary hospitals is currently concentrated on four aspects: firewalls, antivirus, VPN/air gap, and disaster recovery backup. The areas that remain relatively underdeveloped are security audit, identity authentication, privacy protection, endpoint security, and network security.


Regarding the current state of the information security market in the healthcare industry, Cao Xiaojun, Deputy Director of the Data Center at Guangzhou Women and Children’s Medical Center, offered his perspective. He believes that the fundamental reason for the market’s limited size is the relatively lagging state of security infrastructure within the healthcare sector. The industry lacks a comprehensive security plan or overarching construction strategy. Moreover, most hospitals’ security investments are driven primarily by compliance requirements. For instance, purchasing a few firewalls and endpoint management software, coupled with administrative policies, is often sufficient to meet the Multi-Level Protection Scheme (MLPS) standards; few institutions genuinely commit to holistic security design. This situation has resulted in a lack of vitality across the entire healthcare information security market.


Furthermore, the domestic healthcare industry currently prioritizes business development needs and lacks a reserve of professional cybersecurity talent, which also constitutes a significant challenge.


An industry insider revealed that, on one hand, the hospital’s information technology department holds a relatively weak position, with informatization initiatives largely dependent on the awareness and priorities of hospital leadership. For most hospitals, the scale of network equipment is modest, typically operating in a pure intranet environment. Current efforts are primarily focused on improving basic network infrastructure, while cybersecurity construction lags behind. Furthermore, as healthcare institutions are partially funded by government fiscal appropriations, many hospitals face budget constraints, resulting in a relatively low priority for cybersecurity investments.


Regarding the current output value scale of China's medical information security market, a relevant official from NSFOCUS, as a representative of domestic information security enterprises, analyzed the following two reasons:


First, there is a scarcity of supporting policies and standards related to information security. Prior to the formal implementation of the Cybersecurity Law, domestic requirements for the security of personal private information were virtually nonexistent. As the healthcare sector involves the most extensive handling of personal private data, the absence of clear legal and regulatory mandates and specific industry standards has made it difficult for medical institutions at all levels to recognize the profound impact of information security on their operations, resulting in minimal proactive investment in security measures.


Second, information or cybersecurity lacks tangible value perception in driving the actual business operations of the healthcare industry. For instance, a Grade A tertiary hospital may invest tens of millions of yuan annually in IT. However, hospital decision-makers tend to prioritize investments in clinical care, research, and medical technology domains due to business development considerations. The reason is that the impact of these IT investments on business advancement and support is visibly apparent, whereas the value of information security is difficult to perceive. Metrics such as the number of security attacks mitigated, vulnerabilities resolved, or data leakage incidents prevented are not directly presented to decision-makers.


For this reason, over the past two years, major cybersecurity vendors have been prioritizing investments in security operations and the visualization of efficacy.


As Internet Hospitals Emerge in Clusters, How Can Their Information Security Be Ensured?


How can information security be ensured in Internet Hospitals? Before answering this question, it is essential to first clarify what an Internet Hospital is and what specific security requirements apply to it.


The concept of the Internet Hospital was proposed to address the imbalance in professional medical resources and the poor experience of medical services inherent in the traditional healthcare system. To tackle these two core issues, Internet Hospitals leverage the internet as a powerful platform for resource sharing, utilizing technologies such as cloud computing and big data to supplement traditional medical practices in terms of both operational models and service capabilities.


The Administrative Measures for Internet Hospitals stipulate that Internet Hospitals, which enable remote access via the internet, involve critical system data exchange with physical medical institutions. Furthermore, in accordance with relevant national laws and regulations, the information systems of Internet Hospitals must implement Level 3 Classified Protection of Cybersecurity. Therefore, in addition to meeting requirements for internet connectivity and virtual private networks, hospitals must also comply with data security standards.


Fundamentally, the core objective of information security for internet hospitals remains unchanged: it continues to prioritize the protection of data, particularly health-related data such as clinical medical records, by ensuring security across all stages, including transmission, processing, sharing, and storage. Therefore, meeting these security requirements cannot be achieved through a single security product. Hospitals must fully integrate their specific technical scenarios and select security solutions that provide adequate risk control across all relevant dimensions.


For instance, at the transmission layer, internet boundaries require measures such as access control, intrusion prevention, virus detection and protection, and web application security. In data exchange scenarios, hospitals need to consider data masking, data encryption, data loss prevention (DLP), and database auditing or protection. Therefore, there is no single best security product; only security solutions that are best suited to specific business needs.


Regarding the highly anticipated information security infrastructure for internet hospitals, a leading expert from Anhua Jinhe, a well-known domestic data security vendor and head of its healthcare division, believes that while dedicated internet lines and VPNs can address some external access security issues, business data systems are directly exposed for operational purposes. Services such as telemedicine, medical insurance inquiries, and appointment scheduling require direct access to business data; therefore, it is essential to strengthen both data-level access security and internal network access security.


For example, in terms of database security, measures such as database auditing, database firewalls, database encryption, and data masking can be adopted to enhance security. Overall, security infrastructure can be built based on the concept of a proactive defense system, which involves four lines of defense:


First Line of Defense: Inspection and Early Warning. Conduct inspection and analysis of database threats using database vulnerability scanning products, and provide security recommendations.

 

Second Line of Defense: Proactive Defense. Prevent unauthorized operations and external attack-induced damage through identity verification, operation approval, and process management provided by database security O&M products; meanwhile, strengthen internal protection to prevent misuse of superuser privileges.

 

Third Line of Defense: Baseline Defense.

Threshold Control: Prevent bulk malicious access, issue alerts and enforce controls for large-scale medical data breaches, and prevent bulk queries of medical data;

Database Encryption Products: Preventing Data Breaches and "Data Exfiltration" of Doctor-Patient Information;

Database De-identification Solution: Privacy Protection for Medical Data to Prevent Leakage of Real Data to Third Parties.

 

Fourth Line of Defense: Post-Incident Investigation. Database audit products can be used to distinguish between external threats and insider attacks, enabling accountability tracing for security incidents.
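The third line of defense (threshold control that alerts on bulk queries of medical data) and the fourth (using the audit trail to separate insider from external access) can be illustrated in one small detector run over database audit records. This is an added example, not code from the article or from any vendor it names; the audit log layout, the 5-minute window, the 3,000-row threshold, and the intranet address ranges are all assumptions chosen for the demo.

```python
"""Threshold control and audit-based attribution over database audit logs.

Added example for this article; the record layout and thresholds are assumed.
Each assumed audit record: ISO timestamp, database user, client IP, table, rows returned.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample audit log (not real hospital data).
SAMPLE_AUDIT_LOG = """\
2018-10-22T08:00:01 dr_li 10.20.3.15 emr_records 1
2018-10-22T08:00:45 dr_li 10.20.3.15 emr_records 1
2018-10-22T08:01:10 nurse_wang 10.20.4.8 patient_master 3
2018-10-22T08:02:00 report_svc 10.20.9.2 emr_records 5000
2018-10-22T08:02:30 report_svc 10.20.9.2 emr_records 5000
2018-10-22T08:03:00 report_svc 10.20.9.2 emr_records 5000
2018-10-22T08:05:00 his_app 203.0.113.77 patient_master 1200
2018-10-22T08:05:20 his_app 203.0.113.77 patient_master 1200
2018-10-22T08:05:40 his_app 203.0.113.77 patient_master 1200
2018-10-22T08:06:00 his_app 203.0.113.77 patient_master 1200
"""

# Assumed hospital intranet ranges (RFC 1918); anything else is treated as external.
INTRANET = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
# Tables holding doctor-patient information that the threshold rule watches.
SENSITIVE_TABLES = {"emr_records", "patient_master"}
WINDOW = timedelta(minutes=5)   # sliding window for the bulk-access rule
ROW_LIMIT = 3000                # rows per (user, client IP) per window before alerting


def parse_audit_log(text):
    """Turn the whitespace-separated audit records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "table": table, "rows": int(rows)})
    return events


def classify_origin(ip):
    """Fourth line of defense: attribute access to an insider or external source by client IP."""
    addr = ip_address(ip)
    return "insider" if any(addr in net for net in INTRANET) else "external"


def detect_bulk_access(events, row_limit=ROW_LIMIT, window=WINDOW):
    """Third line of defense: alert once a (user, IP) pair pulls more than row_limit
    rows from sensitive tables inside a sliding time window. One alert per pair."""
    alerts = []
    history = defaultdict(list)
    alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["table"] not in SENSITIVE_TABLES:
            continue
        key = (ev["user"], ev["ip"])
        hist = history[key]
        hist.append(ev)
        # Evict records that fell out of the window.
        while hist and ev["ts"] - hist[0]["ts"] > window:
            hist.pop(0)
        total = sum(e["rows"] for e in hist)
        if total > row_limit and key not in alerted:
            alerted.add(key)
            alerts.append({"user": ev["user"], "ip": ev["ip"],
                           "origin": classify_origin(ev["ip"]),
                           "rows_in_window": total,
                           "first_seen": hist[0]["ts"].isoformat(),
                           "last_seen": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

On the sample log the rule fires twice: once for the internal reporting account that pulls 5,000 EMR rows in a single query, and once for the external address that crosses the threshold on its third 1,200-row query.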


Regarding the security issues of Internet hospital apps, NSFOCUS believes that they should be viewed holistically from three levels: the application server side, network communication, and users.


From the server-side perspective, mobile application security is not fundamentally different from traditional web security; existing WAF-based protection products remain applicable and can defend against attacks originating from mobile apps. Security for network communications primarily focuses on data confidentiality and integrity, which hospitals can address through SSL or HTTPS.


For enterprise-level users such as hospitals, securing mobile devices and addressing security vulnerabilities through traditional security products is virtually impossible. This is because mandating each mobile user to install designated security software would severely degrade the user experience. Consequently, an increasing number of healthcare institutions now conduct systematic security assessments, including both black-box and white-box testing, before launching their mobile applications. Based on the findings from these tests and evaluations, security vendors can guide developers in promptly remediating identified vulnerabilities, thereby thoroughly resolving security issues within the apps.


Director Cao's view aligns with that of NSFOCUS. He believes that an SSL VPN using the SM series of Chinese national cryptographic algorithms is the preferable solution for remote mobile access. For data resource sharing and business collaboration between internet hospitals and medical institutions in remote areas or primary healthcare facilities, as well as between general practitioners and specialists, he advises deploying all-in-one security appliances locally at primary healthcare institutions to establish secure VPN networking and encrypted data transmission.


VPNs and Firewalls: Two Top Choices Favored by Hospitals


According to Tencent’s recently released Healthcare Industry Security Index Report, firewalls and VPN devices are currently the preferred cybersecurity solutions in the healthcare sector.


According to the head of NSFOCUS, there are two primary reasons for this outcome. First, these two product categories have a broader scope of application; firewalls are required for logical isolation in virtually any environment with a network perimeter. Second, VPNs currently represent the most cost-effective and stable dedicated network solution, making them essential for any scenario requiring remote access to internal networks, thereby creating a massive base of demand.


On the other hand, healthcare users generally lack a profound understanding of cybersecurity. Particularly in grassroots medical institutions, due to their small network scale and limited volume of information data, there is a prevailing belief that overall network security can be ensured simply by deploying firewalls for perimeter protection and VPNs for securing communication data.


However, regardless of the size of a healthcare institution, the critical importance of safeguarding sensitive data—such as patient privacy information and clinical data—is self-evident. In addition to firewalls and VPNs, protecting such data requires implementing defense-in-depth strategies at the network perimeter. This includes deploying intrusion prevention systems (IPS), virus filtering, Web Application Firewalls (WAF) for web applications, and database firewalls along with security auditing mechanisms for database protection. These measures must be carefully considered and implemented.


Regarding the current status of VPN usage in hospitals, a representative from Anhua Jinhe shared their perspective after communicating with the director of the information department at a tertiary hospital: VPNs are used for remote maintenance on one hand, and their other primary purpose is regional networking. However, regional networking currently leans more towards dedicated lines; only when conditions are insufficient do hospitals opt for VPNs. For instance, many hospitals connect to municipal and provincial health commissions via dedicated lines, while those unable to meet the requirements must rely on VPNs for connectivity.


Furthermore, in practical implementation, hospitals must consider not only the access security of internet connectivity but also the security of their data platforms. If user VPN accounts are compromised or network perimeters are breached, core data will be directly exposed to attackers. Therefore, while enforcing admission control for access, it is equally essential to employ specialized data security measures to safeguard core data.


Director Cao also expressed agreement, stating that the development of hospital intranets and telemedicine is particularly important in the current construction of hospital security. Therefore, firewalls and VPNs naturally become essential requirements or primary considerations. However, with the development of new technologies such as big data, cloud computing, mobile internet, and the Internet of Things (IoT), security technologies also need to evolve and be updated.


Director Cao recommends that hospitals implement a systematic approach to security construction, encompassing a technical security framework, a management framework, and an operational (service) framework, with these three components reinforcing each other. In terms of strategy, hospitals can adopt an architecture featuring integrated security and multi-layered protection, such as deploying unified security appliances to alleviate the burden of device operation and maintenance. Furthermore, hospitals should promptly strengthen their capabilities in endpoint security, network perimeter security, cloud security, security services, and security management policies.


What Are the Best Practices for Safeguarding Hospital Data Security?


In accordance with the security requirements of the 2018 "National Standards and Specifications for Hospital Information Construction (Trial)," data security protection in tertiary hospitals primarily includes the following eight major measures:


1. Firewall

2. Security Audit Devices

3. System Hardening Devices

4. Data Hardening Device

5. Intrusion Prevention Devices

6. Identity Authentication System

7. Access Control System

8. Safety Management System


Regarding the weak identity authentication links in the current construction of tertiary hospitals, a representative from NSFOCUS stated that most of these hospitals currently use 4A products, such as bastion hosts, to address the issue of unified authentication within the hospital. By integrating the four processes of account management, authentication, authorization, and auditing, they resolve issues related to data access permissions.


Authentication methods can be selected by hospitals based on the data and systems being accessed, allowing them to choose an appropriate level of security. For core Hospital Information System (HIS) data, multi-person, multi-factor authentication may be employed, where two or more individuals each hold a portion of the cryptographic key, combined with static passwords, SMS tokens, CA certificates, fingerprints, or other biometric recognition technologies to achieve strong authentication. For hospital medical staff, only static password authentication is required to ensure operational efficiency.


In the interpretation of the 2018 edition of the "Specifications for the Application and Management of Electronic Medical Records (Trial)," Wang Tao, Director of the Information Center at Beijing Tiantan Hospital, Capital Medical University, outlined two major risks associated with existing digital signatures in the protection of electronic medical record data:


1. The specificity of signature content: Currently, no standards have been issued for the content of electronic medical record signatures. As a result, Certificate Authorities (CAs) do not verify whether the content submitted for signing contains any issues during the signing process, thereby creating the possibility of patient identity substitution.


2. Integrity of Signature Content. Due to the high volume of signatures generated by hospitals, the Certificate Authority (CA) is unable to detect during signature verification whether each submission contains adverse information.


To address the aforementioned two risks, Director Wang believes that a solution involving signatures combined with timestamps can be implemented. This approach ensures that the personnel involved in each operation and the corresponding timestamps are both queryable and traceable.


However, according to Director Cao, current mainstream authentication methods have not been truly implemented in hospitals. For instance, CA (Certificate Authority) authentication, which is the most widely used method within hospital intranets, can enable two-factor authentication and enhance security. Nevertheless, due to its cumbersome user experience and existing compatibility issues, it has seen limited adoption in healthcare settings.


For data querying, traceability, and management, hospitals can adopt measures such as log auditing, bastion hosts, and database auditing to achieve a certain level of data protection. However, with big data, unstructured data presents certain challenges. Furthermore, the deployment across multiple devices complicates hospital management and operations. Therefore, Director Cao believes that hospitals should adopt a software-defined security model for deployment in the realm of new security technologies.


How Should Hospitals Respond to Increasingly Rampant Ransomware Attacks?


On January 15, 2018, Hancock Health in Greenfield, Indiana, suffered a ransomware attack, prompting technicians to shut down the entire network. Shortly after the ransomware notice appeared on hospital computer screens, the hackers brazenly declared that they would hold a certain number of systems “hostage” until the technicians paid the Bitcoin ransom.


In response, the health system’s IT team immediately shut down all networks, including those in physicians’ offices and health centers, to isolate the virus. Relevant technical personnel stated that the hackers were attempting to disrupt hospital operations by using “digital padlocks” to restrict staff access to certain system functionalities.


Raj Samani, Chief Scientist at McAfee, stated, “In terms of ransomware, the healthcare industry likely suffers the greatest losses. The explosive growth of ransomware also originated in the healthcare sector. Hackers are expected to shift from traditional forms of ransomware toward more cyber-disruption and service-interruption attacks.”


According to VCBeat, ransomware and cryptojacking malware are particularly potent because they typically leverage remote attack vectors such as EternalBlue, enabling self-propagation. Consequently, an intriguing phenomenon has emerged: intranet environments, ostensibly isolated from the external internet, are actually more frequently compromised and experience more widespread viral outbreaks. This is because purely internal production environments exhibit lower security awareness and crisis sensitivity compared to systems directly exposed to the internet. As a result, cyberattacks and viral infections become almost inevitable.


Regarding the response to ransomware, Director Cao believes that security incidents are not a distant threat. Security construction should not merely aim to meet compliance requirements, as many hospitals have passed the Level 3 Classified Protection assessment yet still fall victim to ransomware attacks. This is because, with the evolution of security technologies, traditional defense mechanisms are gradually becoming ineffective against emerging threats and viruses. Therefore, it is essential to strengthen monitoring and response capabilities.


Regarding the risks posed by ransomware and cryptocurrency mining malware, Director Cao believes that a four-phase protective measure can be adopted:


Phase 1: Strengthen endpoint security infrastructure, including system patch management, security baseline management, and antivirus software for hosts (PCs/servers). Next-generation endpoint security systems, such as EDR solutions, can be deployed to leverage artificial intelligence and big data technologies for protection against ransomware variants and unknown threats.


Phase 2: Enhance capabilities for monitoring network-wide traffic risks and achieving security visibility. Leveraging the integrated security awareness platform, risk visualization within the network is realized through traffic analysis. For instance, in the event of a virus infection, management can be conducted by displaying host-level risks across the entire network.


Phase 3: Deploy next-generation firewall (NGFW) appliances at the network perimeter. These appliances must support integrated capabilities, including intrusion prevention systems (IPS), botnet detection, and antivirus (AV) protection. Furthermore, they should enable linkage with the security awareness platform, allowing the platform to push blocking policies to the firewalls upon threat detection.


Phase 4: Strengthen enterprise-wide emergency response and drill capabilities by procuring professional third-party security services to enable rapid incident response, as well as prevention and emergency handling of ransomware.


Despite Policy Support, Medical Information Security Remains a Long-Term Endeavor


Industry-specific policies and standards in the healthcare sector, coupled with the formal implementation of the Cybersecurity Law over the past two years—as well as related regulations, ordinances, and standards concerning personal information protection and the security of critical information infrastructure—have played a significantly positive role in shaping the overall cybersecurity environment for the healthcare industry. The introduction of detailed industry policies and standards has promoted normalization and standardization across all levels, from top-level design to concrete implementation, fostering a unified understanding of common issues and consistent approaches to resolving them. This development is highly beneficial for both hospitals and cybersecurity vendors.


Hospital users now have an authoritative reference for information network security in specialized business areas. Security vendors can also expand and leverage their core competencies across different dimensions and domains within the same broader direction to better address industry needs. This creates a win-win outcome for both the industry and its users.


Although the industry outlook is highly promising, Director Cao also offered some recommendations:


Although nearly all cybersecurity firms are actively studying and interpreting these security standards and policies, and developing practical healthcare security solutions based on their own security practices, it is important to recognize that translating policy standards into concrete implementation will take time. In the short term, the impact on hospitals’ informatization construction will not be significant, as this is a long-term process.


Special Acknowledgments:

Deputy Director of the Data Center, Guangzhou Women and Children's Medical Center, Cao Xiaojun

NSFOCUS

Anhua Jinhe