On June 27, VCBeat (WeChat Official Account: vcbeat) learned that, in order to implement the Cybersecurity Law of the People's Republic of China and further advance the national Multi-Level Protection Scheme (MLPS) for cybersecurity, the Ministry of Public Security, in conjunction with relevant departments, has drafted the Regulations on Multi-Level Protection of Cybersecurity (Draft for Comments) (hereinafter referred to as the “Regulations”) after extensive consultation and repeated revisions. It is reported that the Regulations were jointly formulated by the Ministry of Public Security, the Office of the Central Cyberspace Affairs Commission, the National Administration of State Secrets Protection, and the State Cryptography Administration, and have been released for public comment. The release of these Regulations marks 11 years since the previous version of the administrative measures.
In June 2007, the Ministry of Public Security, the State Administration for the Protection of State Secrets, the State Cryptography Administration, and the State Council Information Office jointly formulated the first version of the "Administrative Measures for Classified Protection of Information Security" (hereinafter referred to as the "Measures").
In accordance with the requirements of the Measures, the security protection levels of information systems are classified into the following five tiers:
Level 1: Damage to the information system would harm the lawful rights and interests of citizens, legal persons, and other organizations, but would not harm national security, social order, or the public interest.
Level 2: Damage to the information system would cause serious harm to the lawful rights and interests of citizens, legal persons, and other organizations, or would harm social order and the public interest, but would not harm national security.
Level 3: Damage to the information system would cause serious harm to social order and the public interest, or would harm national security.
Level 4: Damage to the information system would cause particularly serious harm to social order and the public interest, or serious harm to national security.
Level 5: Damage to the information system would cause particularly serious harm to national security.
According to Guo Qiquan, Chief Engineer of the Cyber Security Bureau of the Ministry of Public Security, compared with the first version of the Measures, the 2.0 version of the Regulations incorporates key matters stipulated in the Cybersecurity Law of the People's Republic of China; furthermore, while the Measures targeted only networks and information systems, the Regulations have extended regulatory oversight to emerging business models such as cloud computing, big data, and the Internet of Things; in addition, the Regulations have expanded the scope of regulated entities from within the public sector to society at large.
The Regulations also introduce new requirements in specific provisions. For instance, under the Measures, an information system whose compromise would cause serious harm to the lawful rights and interests of citizens, legal persons, and other organizations was capped at Level 2. The Regulations raise the required protection level to Level 3 where “particularly severe damage” to those rights and interests would result. Guo Qiquan considers this the “most significant change” introduced by the Regulations.
The Regulations also extend the interval for classified cybersecurity assessments. “Previously, operators of Level 3 networks were required to undergo assessment annually, while those operating Level 4 networks had to do so every six months—meaning assessments were nearly continuous,” said Guo Qiquan. The Regulations have revised this requirement to stipulate that “operators of networks at Level 3 or above shall conduct a cybersecurity classified assessment once per year.”
VCBeat assesses that the release of these Regulations will bring significant changes to the medical informatics industry.
In 2011, the National Health and Family Planning Commission (formerly the Ministry of Health) issued the Guiding Opinions on Information Security Level Protection in the Health Industry. These Guiding Opinions were formulated by the Ministry of Health in light of the actual conditions of the health sector, in accordance with the requirements set forth in the Ministry of Public Security’s Guiding Opinions on Carrying Out Rectification Work for the Construction of Information Security Level Protection (Gong Xin An [2009] No. 1429).
The “Opinions” state that, in accordance with the national Classified Protection of Cybersecurity system and relevant standards and specifications, the health sector shall comprehensively carry out work on classification filing, construction and rectification, and graded evaluation for information security classified protection.
Under the National Classified Protection System for Information Security, information security protection levels are categorized into five tiers:
Level 1 is the Autonomous Protection Level, Level 2 is the Guided Protection Level, Level 3 is the Supervised Protection Level, Level 4 is the Mandatory Protection Level, and Level 5 is the Specialized Control Protection Level.
The security protection level of some critical health information systems shall, in principle, be no lower than Level 3:
(1) Information systems operating on a nationwide cross-provincial network, such as the National Direct Reporting System for Health Statistics, the Infectious Disease Reporting System, the Health Supervision Information Reporting System, and the Emergency Command Information System for Public Health Emergencies;
(2) Three-tier health information platforms at the national, provincial, and municipal levels; national-level data centers for the New Rural Cooperative Medical Scheme, health supervision, and maternal and child health care;
(3) Core business information systems of Grade 3A hospitals;
(4) Ministry of Health website system;
(5) Other information systems assessed by the Information Security Technology Expert Committee as Level 3 or above (including Level 3).
The release of these “Opinions” provided, for the first time in a true sense, guidance on cybersecurity management in the healthcare industry.
The release of the “Regulations on Classified Protection of Cybersecurity (Draft for Comments)” marks the most significant overhaul of cybersecurity classified protection in the era of cloud computing, big data, the Internet of Things, mobile internet, and artificial intelligence. Building on this foundation, healthcare informatics products are poised to undergo comprehensive upgrades in cybersecurity, laying a solid groundwork for the next generation of interoperable solutions.
Appendix: “Regulations on the Classified Protection of Cybersecurity (Draft for Comments)” (download link)