Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · HOSPITAL INFORMATIZATION STANDARDS

National Standards and Norms for Hospital Informatization Construction (Trial).

全国医院信息化建设标准与规范(试行)

DCC note. This page reproduces the issuing notice in full (faithful translation) and provides a structured English summary of the attached standard. The standard itself — National Standards and Norms for Hospital Informatization Construction (Trial) — is a large tabular technical document (5 chapters, 22 categories, 262 graded line-items, each specified separately for Grade-II, Grade-III Class-B, and Grade-III Class-A hospitals). It is not reproduced verbatim; instead, the summary focuses on its data-security, network-security, and information-security functional requirements (Chapter 4 and the emerging-technologies chapter), which are the parts relevant to data compliance.


Issuing Notice (full translation)

Notice on the Issuance of the National Standards and Norms for Hospital Informatization Construction (Trial)

Document No.: Guo Wei Ban Gui Hua Fa [2018] No. 4

To the health and family planning commissions of all provinces, autonomous regions, municipalities directly under the Central Government and cities specifically designated in the State plan, and the Xinjiang Production and Construction Corps; to all departments and bureaus of the Commission; and to the units directly under and affiliated with the Commission, and the hospitals affiliated with (administered by) the Commission:

In order to promote and standardize hospital informatization construction, our Commission — building upon the Hospital Information Platform Application Function Guide and the Hospital Informatization Construction Application Technology Guide — has formulated the National Standards and Norms for Hospital Informatization Construction (Trial), which clarifies the construction content and construction requirements for hospital informatization. It is hereby issued to you (it may be downloaded from the website of the National Health Commission). Please implement it by reference.

Contact persons: Wang Yong and Shen Jianfeng, Department of Planning Telephone: 010-68792937, 68791911

General Office of the National Health Commission 2 April 2018

Attachment: National Standards and Norms for Hospital Informatization Construction (Trial)


Structured summary of the Standard

Status and scope

The National Standards and Norms for Hospital Informatization Construction (Trial) (the “Construction Standards”) were drafted by the Department of Planning and Information of the National Health Commission together with its Statistical Information Center, with input from more than 60 experts and technicians. The Standards target the clinical-business and hospital-management needs of Grade-II hospitals, Grade-III Class-B hospitals, and Grade-III Class-A hospitals, looking out over a 5–10 year development horizon. Maternal-and-child health hospitals and specialty hospitals may apply them by reference. Grade-II-and-above hospitals are directed to comply, in addition, with health-industry information standards including the basic dataset for electronic medical records, the EMR shared-document specification, and the EMR-based hospital information platform technical specification.

Document structure (5 chapters, 22 categories, 262 items)

  • Chapter 1 — Business Applications (9 categories): convenience services, medical services, medical management, medical collaboration, operations management, logistics management, research management, teaching management, human-resources management.
  • Chapter 2 — Information Platform (2 categories): information-platform foundation, platform service integration.
  • Chapter 3 — Infrastructure (3 categories): equipment-room foundation, hardware equipment, basic software.
  • Chapter 4 — Security Protection (4 categories): data-center security, endpoint security, network security, disaster-recovery backup.
  • Chapter 5 — Emerging Technologies (4 categories): big-data technology, cloud-computing technology, artificial-intelligence technology, Internet-of-Things technology.

Each line-item is specified at three capability tiers, so that a Grade-II hospital generally must meet a reduced subset of the functions and service types that a Grade-III Class-A hospital must meet.

Chapter 4 — Security Protection (the data-compliance core)

This is the chapter most relevant to data security and network security. It is framed as a catalogue of security devices and capabilities and their required functions.

Data-center security. Specifies dedicated security equipment and the functions each must provide, including:

  • Web application firewall — web access control, page anti-tampering, identity authentication, log auditing, and other functions.
  • Database firewall / database audit and access control — database auditing, database access control, database access detection and filtering, database service discovery, de-identified-data discovery, and database-status monitoring; support for bridge, gateway, and hybrid deployment, access-control policies based on security-level labels, and active-standby hot backup for continuity of service.
  • Network-boundary firewall — access control, intrusion prevention, virus prevention, application identification, web protection, load balancing, traffic control, identity authentication, and data-leak prevention, with multiple access-control modes (zone access control, packet-level access control, session access control, content-filtering access control, application-identification access control).
  • Security-audit appliances — recording network behaviour and user behaviour; audit records capturing event time and date, user, event type, and success/failure; analysis and audit-report generation. Includes database-operation auditing (query, protection, backup, analysis, audit, real-time monitoring, risk alerting, operation playback), operations-and-maintenance auditing (resource authorization, O&M monitoring, O&M-operation audit, real-time alerting and blocking of violations, session audit and playback), and host-security auditing.
  • Encryption appliances — database encryption, key management, database-status monitoring, database risk-scanning; mail encryption with attachment encryption, gateway-to-gateway encryption and related modes, plus mail security defence.
  • Intrusion-prevention / intrusion-detection appliances — active defence against network attacks (with cross-reference to the national standard GB/T 20275-2013 on network intrusion-detection systems), wireless-attack defence, anti-DoS, traffic monitoring, statistical thresholds, and real-time blocking; detection of trojans/backdoors, DoS, buffer-overflow, IP-fragment and network-worm attacks, with source-IP, attack-type, attack-target and attack-time logging and alerting on serious incidents.
  • Network-admission control — admission identity authentication, compliance/health checks, terminal policy management, and log auditing to screen out non-compliant devices and personnel.
  • Website-protection appliances — website-attack filtering, file-access control, security verification, attack-event alerting, security-policy management, backup, synchronization, automatic recovery, server-reliability monitoring, and audit logging.

Endpoint security. Functional requirements for securing clinical and office terminals (anti-malware, terminal control, and related controls), graded by hospital tier.

Network security. Boundary protection, access control, intrusion prevention, and monitoring across the hospital network, consistent with the national Multi-Level Protection Scheme (等级保护 / MLPS).

Disaster-recovery backup. Requirements for local full backup and offsite backup of important data, redundancy of key links and key devices, and recoverability — feeding the broader health-data requirement that medical data be reliably backed up and recoverable.

Chapter 5 — Emerging Technologies (security-relevant notes)

The emerging-technologies chapter (big data, cloud computing, artificial intelligence, Internet of Things) sets capability expectations that carry their own security implications — for example, security assessment of cloud platforms and data, and protection of data processed through big-data and AI applications. These requirements are echoed and tightened by the later Measures for Cybersecurity Management of Healthcare Institutions and the Measures for Data Security and Personal Information Protection of Healthcare Institutions (Trial).

Why this matters for data compliance

For overseas medtech, hospital-IT, and health-data vendors building or supplying systems to Chinese hospitals, the Construction Standards are the reference catalogue that hospitals use to specify security functions in tenders and acceptance testing. The Chapter 4 device/function list is, in practice, a checklist of the security controls a compliant hospital information environment is expected to contain — firewalls, database audit and access control, intrusion detection/prevention, encryption and key management, data-leak prevention, audit logging, network-admission control, and offsite backup. A supplier whose product is intended to operate inside a Grade-III hospital environment should expect these controls to be present and to be required to interoperate with them.


National Standards and Norms for Hospital Informatization Construction (Trial), issued 2 April 2018 by the General Office of the National Health Commission (Guo Wei Ban Gui Hua Fa [2018] No. 4). The issuing notice above is a faithful DCC translation; the description of the standard is a structured DCC summary of a large tabular technical document, not a verbatim translation. For the source document, see the National Health Commission website.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →