
China's National Health Commission Releases Interim Measures for Standardization, Security, and Service Management of Health Medical Big Data

Sep 13, 2018 12:32 CST Updated 12:32

On September 13, VCBeat (WeChat Official Account: vcbeat) learned that the National Health Commission had officially issued the “Notice on Issuing the Administrative Measures for Standards, Security, and Services of National Health and Medical Big Data (Trial)” (hereinafter referred to as the “Notice”).


The “Notice” states that, in order to strengthen the management of health and medical big data services, promote the development of “Internet + Healthcare,” and fully leverage the role of health and medical big data as an important foundational strategic resource for the country, the National Health Commission has researched and formulated the “Administrative Measures for Standards, Security, and Services of National Health and Medical Big Data (Trial)” (hereinafter referred to as the “Trial Measures”), in accordance with relevant laws and regulations.


The interpretation draft summarizes the following key points:



I. Drafting Direction of the Trial Measures


The Trial Measures fully summarize the pilot experiences of the health and medical big data centers in the five provinces of Fujian, Jiangsu, Shandong, Anhui, and Guizhou.


During the drafting of the Trial Measures, a people-centered approach was upheld, with emphasis placed on the utilization and service delivery of health and medical big data. Conditions were created to standardize the use of such data, while service offerings were expanded and enriched to better meet the public’s health and medical needs.


Adhere to the principle of co-construction and sharing, encourage collaboration between the government and social forces, and promote a favorable landscape characterized by multi-party support, lawful openness, public convenience and benefit, and robust development, thereby fully unleashing the dividends of data. Adhere to the principle of security and controllability, properly balance the relationship between application development and security assurance, highlight the enhancement of technical security support capabilities, and safeguard personal privacy and information security.


“The Trial Measures” further clarify the responsibilities, rights, and interests of health administrative departments at all levels, medical and health institutions of all types and levels, relevant application entities, and individuals in the standardization management, security management, and service management of health and medical big data. These measures are of great significance for coordinating standardization management, implementing security responsibilities, and regulating data service management.



II. Core of the Trial Measures


The Trial Measures clarify the definition, connotation, and extension of health and medical big data, as well as the purpose, basis, scope of application, guiding principles, and overall approach for formulating the measures. They define the boundaries and responsibilities of health administrative departments at all levels, and specify the responsibilities, rights, and interests of medical and health institutions at all levels and types, as well as their corresponding application units. Furthermore, the Measures establish regulations in three key areas.


First, standardization management: clarify the principles for carrying out standardization management of health and medical big data, as well as the responsibilities of health administrative departments at all levels. Advocate multi-party participation in standardization management, improve the standardization management platform for health and medical big data, and establish regulations on standardization management processes, incentive and constraint mechanisms, application effectiveness evaluation, development, and application.


Second, regarding security management, the scope of security management for health and medical big data is defined. Sound security management systems, operational procedures, and technical specifications are to be established and improved. The “top leader” responsibility system is to be implemented, and a talent development mechanism for health and medical big data security management is to be established. Storage requirements based on hierarchical classification and domain segmentation are specified. Clear requirements are put forward for key aspects, including classified protection of cybersecurity, security of critical information infrastructure, data security safeguards, full-process traceability of data flows, data security monitoring and early warning, and the queryability and traceability of data breach incidents.


Third, service management: clarify the responsibilities of relevant parties and establish principles and guidelines for managing health and medical big data services. Implement a management system characterized by “unified hierarchical authorization, classified application management, and alignment of authority with responsibility.” Define the functional roles of responsible entities across all stages of health and medical big data—including generation, collection, storage, use, transmission, sharing, exchange, and destruction—and strengthen the sharing and exchange of such data.


Meanwhile, in terms of management and supervision, the routine supervisory responsibilities of health administrative departments have been emphasized. All medical and health institutions at various levels and of all types are required to connect to the corresponding regional national health information platforms and provide regulatory access ports to the health administrative departments. Regular security monitoring and assessments of the application of health and medical big data shall be conducted, and a system for accountability in the security management of health and medical big data shall be established.



III. Standard Management of the Trial Measures


Standards constitute the foundational institutional framework for informatization development. In accordance with the basic principles of “policy guidance, strengthened oversight, categorized guidance, and hierarchical management,” the Trial Measures strengthen the standardization management of health and medical big data.


The Trial Measures stipulate that the procedures and requirements for the drafting, review, and issuance of standards for health and medical big data shall be implemented in accordance with relevant national and industry regulations. Meanwhile, specific measures have been proposed in light of the actual conditions of the health sector. Regarding standard development, multi-party collaboration is advocated, with active encouragement extended to medical and health institutions, research institutes, industry societies and associations, social organizations, and relevant enterprises to participate in the formulation of standards for health and medical big data. With respect to standard implementation, health administrative departments at all levels are responsible for strengthening guidance and oversight over the implementation of these standards, fully mobilizing and leveraging the enthusiasm and initiative of market entities—including medical and health institutions at all levels and types, as well as related enterprises—in the application and implementation of the standards.


Attached is the original text of the "Trial Measures":


National Health Commission Planning Document [2018] No. 23

To the Health and Family Planning Commissions of all provinces, autonomous regions, municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps; to all departments and bureaus within the Commission; to units directly affiliated with or linked to the Commission; and to the National Administration of Traditional Chinese Medicine:

To strengthen the management of health and medical big data services, promote the development of “Internet + Healthcare,” and fully leverage the role of health and medical big data as a critical foundational strategic resource for the nation, our Commission has formulated the Administrative Measures for Standards, Security, and Services of National Health and Medical Big Data (Trial) (available for download from the official website of the National Health Commission) in accordance with relevant laws and regulations. These Measures are hereby issued to you for strict compliance.

National Health Commission

July 12, 2018

(Disclosure Method: Voluntary Disclosure)


Measures for the Standardization, Security, and Service Management of National Health and Medical Big Data

(Trial)

Chapter I General Provisions

Article 1 To strengthen the management of health and medical big data services, promote the development of “Internet + Healthcare,” and fully leverage the role of health and medical big data as a key national strategic foundational resource, these Measures are formulated in accordance with the Cybersecurity Law of the People’s Republic of China and other laws and regulations, as well as the spirit of documents including the State Council’s Outline for Promoting Big Data Development, the General Office of the State Council’s Guiding Opinions on Promoting and Regulating the Application and Development of Health and Medical Big Data, and the General Office of the State Council’s Opinions on Promoting the Development of “Internet + Healthcare,” focusing on standards, security, and service management for health and medical big data.

Article 2 Health and medical data generated by citizens of the People's Republic of China within its territory shall be regulated, managed, developed, and utilized in accordance with the requirements of national strategic security and the protection of people’s lives and health, while safeguarding citizens’ right to know, right to use, and personal privacy.

Article 3 Adhere to the principles of being people-oriented, innovation-driven, standardized and orderly, safe and controllable, open and integrated, and co-constructed and shared; strengthen the standardization, security, and service management of health and medical big data; promote the application of health and medical big data for public benefit; and foster the development of the health and medical big data industry.

Article 4 The term “health and medical big data” as used in these Measures refers to data related to health and medical care that are generated during the processes of disease prevention and control, health management, and other related activities.

Article 5 These Measures shall apply to the management of health and medical big data involving health administrative departments at or above the county level (including traditional Chinese medicine authorities, hereinafter the same), medical and health institutions at all levels and of all types, relevant entities, and individuals.

Article 6 The National Health Commission (including the National Administration of Traditional Chinese Medicine, as hereinafter referred to) shall, in conjunction with relevant departments, be responsible for the overall planning, guidance, evaluation, and supervision of the standardization, security, and service management of national health and medical big data. Health administrative departments at or above the county level shall, in conjunction with relevant departments, be responsible for the management of health and medical big data within their respective administrative areas, and shall serve as the regulatory authorities for the security and application management of such data within their respective administrative areas.

Healthcare institutions at all levels and of all types, as well as relevant enterprises and public institutions, are the entities responsible for the security and application management of health and medical big data.

Chapter II Standard Management

Article 7 The standardization management of health and medical big data shall adhere to the principles of policy guidance, strengthened supervision, categorized guidance, and hierarchical management.

Article 8 The National Health Commission is responsible for overall planning and organizing the formulation of national standards for health and medical big data, supervising, guiding, and evaluating the application of such standards. Based on existing foundational and general big data standards, it shall organize the development of a framework plan for the health and medical big data standard system, and be responsible for formulating and implementing the annual work plan for health and medical big data standards. Provincial-level health administrative departments (including provincial-level traditional Chinese medicine authorities) are responsible for supervising, guiding, and evaluating the application of health and medical big data standards within their respective regions. In accordance with the national framework plan for the health and medical big data standard system and in light of local conditions, they shall guide and oversee the implementation of the health and medical big data standard system within their respective provinces.

Article 9 The National Health Commission encourages medical and health institutions, scientific research and educational entities, relevant enterprises or industry associations, social organizations, and others to participate in the formulation of standards for health and medical big data. Citizens, legal persons, or other organizations may propose projects for the establishment or revision of such standards and submit corresponding project proposals for standard development.

Article 10 The National Health Commission shall be responsible for the unified organization and implementation, select the most qualified entities and individuals to draft standards for health and medical big data, advocate a multi-party collaborative mechanism, and establish a working group composed of relevant entities to participate in the drafting of such standards.

Article 11 The procedures and requirements for the drafting, review, and publication of standards for health and medical big data shall be implemented in accordance with relevant national and industry regulations.

Article 12 The health administrative departments shall strengthen guidance and supervision over the implementation of standards for health and medical big data, fully leverage the enthusiasm and initiative of market entities—including medical and health institutions at all levels and types, as well as relevant enterprises—in the application and implementation of such standards, and establish a long-term management mechanism to incentivize and promote the application and implementation of these standards.

Article 13 The health administrative departments shall establish corresponding incentive and constraint mechanisms for the production and procurement of standardized products related to health and medical big data. These departments shall actively promote the development of standards, specifications, and evaluation work for health and medical big data, and link the evaluation results with the accreditation and assessment of healthcare institutions.

Article 14 The National Health Commission shall strengthen the development of standard systems and institutional frameworks for technologies, products, and service models related to health and medical big data, organize assessments of the effectiveness of the application of health and medical big data standards, and, based on the assessment results, organize the revision or abolition of relevant standards.

Article 15 The National Health Commission shall dynamically manage the development and application of health and medical big data standards based on the Health Standards Management Platform, and conduct dynamic monitoring of the application of such standards by medical and health institutions at all levels and of various types, as well as by enterprises and public institutions.

Chapter III Security Management

Article 16 Security management of health and medical big data refers to the security and management measures implemented across multiple stages, including data collection, storage, mining, application, operation, and transmission. It encompasses the management of rights and responsibilities related to national strategic security, public life and health safety, and personal information security.

Article 17 Responsible entities shall establish and improve relevant security management systems, operational procedures, and technical specifications; implement the “top leader” responsibility system; strengthen the construction of security assurance systems; enhance overall management and coordination oversight; and ensure the security of health and medical big data.

The security, management, and use of health and medical big data involving state secrets shall be conducted in accordance with relevant national confidentiality regulations. Responsible entities shall establish and improve systems for the management and use of health and medical big data involving state secrets, and implement strict controls over processes including creation, review, registration, copying, transmission, and destruction.

Article 18 Responsible entities shall adopt measures such as data classification, backup of important data, and encryption and authentication to safeguard the security of health and medical big data. Responsible entities shall establish a reliable mechanism for disaster recovery and data backup, conduct regular backup and recovery testing, ensure timely, complete, and accurate data restoration, and achieve long-term preservation and archival management of historical data.

Article 19 Responsible entities shall, in accordance with the requirements of the National Classified Protection System for Cybersecurity, establish a trusted cybersecurity environment, strengthen the construction of security assurance systems for health and medical big data-related systems, enhance the security protection capabilities of critical information infrastructure and important information systems, and ensure that the critical information infrastructure and core systems for health and medical big data are secure and controllable. Health and medical big data centers and related information systems shall carry out activities such as classification, filing, and assessment.

Article 20 Providers of products and services for health and medical big data-related systems shall comply with the national cybersecurity review system, shall not interrupt, whether openly or under any pretext, reasonable technical support and services, and shall provide secure and convenient conditions for the interaction, sharing, and operation of health and medical big data across different systems.

Article 21 Responsible entities shall use health and medical big data information in accordance with laws and regulations, provide secure channels for information inquiry and reproduction, and ensure the protection of citizens' privacy and data security.

Article 22 Responsible entities shall, in accordance with the requirements of the Cybersecurity Law of the People's Republic of China, strictly regulate data access and usage permissions for users at different levels, and ensure that data is used within the authorized scope. No entity or individual may exploit or release health and medical big data without authorization or beyond the authorized scope, nor shall they obtain such data by illegal means.

Article 23 Responsible entities shall establish strict electronic real-name authentication and data access controls, standardize audit trail management for the processes of data ingestion, usage, and destruction, ensure that access to health and medical big data is manageable and controllable with full-process traceability in service management, and guarantee that such activities are queryable and traceable, enabling any data breach incidents or risks to be traced back to the relevant responsible entities and individuals.

Article 24 Establish and improve the talent development mechanism for health and medical big data security management, ensuring that relevant practitioners possess the knowledge and skills required for health and medical big data security management.

Article 25 Responsible entities shall establish security monitoring and early warning systems for health and medical big data, set up coordinated mechanisms for cybersecurity incident reporting and emergency response, conduct research on data security standards and technical specifications, continuously enrich the system of cybersecurity-related standards and norms, and focus on preventing aggregated risks associated with data resources and potential risks arising from the application of new technologies. In the event of a major cybersecurity incident, reporting and handling shall be carried out in accordance with relevant laws, regulations, and requirements.

Chapter IV Service Management

Article 26 The National Health Commission is responsible for formulating relevant regulations and standards in the field of health and medical big data applications, establishing integrity and exit mechanisms for such applications, and developing security and management specifications for the mining and application of health and medical big data.

Article 27 Responsible entities implementing the management and services of health and medical big data shall, in accordance with laws, regulations, and relevant documents, adhere to principles of medical ethics and protect personal privacy.

Article 28 Responsible entities shall, in accordance with their needs for the management of health and medical big data, designate corresponding management departments and positions. In compliance with national authorization, they shall implement a management system characterized by “unified hierarchical authorization, classified application management, and consistency of authority and responsibility,” and establish corresponding health and medical big data information systems to provide technical and managerial support.

Article 29 Responsible entities collecting health and medical big data shall strictly implement relevant national and industry standards and procedures, comply with technical standards for business applications and management specifications, ensure unified standards, standardized terminology, and accurate content, guarantee unique identity identification and consistency of basic data items for service and management subjects within their information systems, and strictly implement information review and final approval procedures for collected information to ensure effective data quality management.

Article 30 Responsible entities shall possess data storage, disaster recovery backup, and security management capabilities that comply with relevant national regulations, and strengthen the storage management of health and medical big data. Health and medical big data shall be stored on secure and trustworthy servers within China; where it is truly necessary to provide such data overseas due to business needs, a security assessment and review shall be conducted in accordance with relevant laws, regulations, and requirements.

Article 31 When selecting health and medical big data service providers, responsible entities shall ensure that such providers comply with national and industry regulations and requirements, possess the capability to implement relevant laws and regulations, enforce applicable standards, and guarantee data security, and establish management systems for data security management, personal privacy protection, and emergency response management.

Article 32 Where a responsible entity entrusts relevant institutions with the storage and operation of health and medical big data, the entrusting entity and the entrusted entity shall jointly assume management and security responsibilities for such data. The entrusted entity shall strictly comply with applicable laws, regulations, and the entrustment agreement in performing its duties regarding the storage, management, and operation of health and medical big data.

Article 33 Responsible entities shall, in accordance with the needs of service and management, timely update, screen, optimize, and maintain health and medical big data to ensure that the information remains current, continuous, valid, high-quality, and secure.

Article 34 Where the responsible entity undergoes a change, it shall transfer the health and medical big data under its management completely and securely to the institution that assumes its functions or to the health administrative department within the same administrative region, and shall not cause any damage, loss, or leakage of such health and medical big data.

Article 35 When responsible entities disclose health and medical big data to the public, they shall comply with relevant national regulations, and shall not disclose state secrets, commercial secrets, or personal privacy, nor infringe upon national interests, public interests, or the legitimate rights and interests of citizens, legal persons, and other organizations.

Article 36 Responsible entities shall strengthen the utilization and services of health and medical big data, create conditions to standardize its use, and promote online query capabilities for certain health and medical big data.

Article 37 The National Health Commission shall, in accordance with the relevant provisions on the opening and sharing of national information resources, establish a working mechanism for the opening and sharing of health and medical big data, strengthen the sharing and exchange of health and medical big data, and coordinate the development of the reporting system platform for health and medical big data, the information resource catalog system, and the sharing and exchange system.

Chapter V Management and Supervision

Article 38 Health administrative departments shall strengthen supervision and administration, conduct routine inspections of the health and medical big data security management work carried out by all responsible entities within their respective administrative regions, and guide and supervise the comprehensive utilization of data by these entities to improve data service quality and ensure security. Medical and health institutions at all levels and of all types shall connect to the corresponding regional platforms for national population health information, transmit and back up data generated from medical and health services, and open regulatory access ports to the health administrative departments.

Article 39 The health administrative departments shall strengthen monitoring and assessment, regularly conduct stability and security evaluations of health and medical big data platforms and service providers, as well as security monitoring and assessment of health and medical big data applications, and establish software evaluation and security review confidentiality systems for network security protection, system interconnection and sharing, and citizen privacy protection.

Article 40 The health administrative departments, in conjunction with relevant departments, shall establish an accountability system for the security management of health and medical big data. For entities and individuals that violate the provisions of these Measures, the competent authorities shall, depending on the severity of the circumstances, take measures such as regulatory interviews, supervision and rectification, admonition, circulating a notice of criticism, imposing disciplinary sanctions, or proposing disciplinary sanctions; where such violations constitute illegal acts, the cases shall be transferred to judicial organs for legal liability in accordance with the law.

Chapter VI Supplementary Provisions

Article 41 These Measures shall come into force as of the date of issuance.