Foreword
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by and is under the jurisdiction of SAC/TC 260 National Technical Committee on Information Security of Standardization Administration of China.
Introduction
Health data include personal health data and health-related data obtained by processing personal health data. With the vigorous development of health data applications, "Internet Plus Healthcare" and intelligent healthcare, new businesses and applications are emerging; health data face more security challenges at every stage of the life cycle than before, and security incidents are frequent. Because health data security concerns patient life safety, personal information security, social public interest and national security, this guide for health data security is developed to better protect health data, to regulate and promote the integration, sharing and open application of health data, and to promote the development of health care.
Information security technology –
Guide for health data security
1 Scope
This standard specifies the security measures that health data controllers can take to protect health data.
This standard is applicable to guiding health data controllers in the security protection of health data, and can also be used for reference by health care- and cybersecurity-related competent departments and third-party assessment agencies and other organizations when carrying out security supervision, management and assessment of health data.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 22080-2016 Information technology - Security techniques - Information security management systems - Requirements
GB/T 22081-2016 Information technology - Security techniques - Code of practice for information security controls
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 31168 Information security technology - Security capability requirements of cloud computing services
GB/T 35273 Information security technology - Personal information security specification
GB/T 35274-2017 Information security technology - Security capability requirements for big data services
GB/T 37964-2019 Information security technology - Guide for de-identifying personal information
ISO 80001 Application of risk management for IT-networks incorporating medical devices
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
personal health data
electronic data that, alone or in combination with other information, can identify a specific natural person or reflect the physical or mental health of a specific natural person
Note: Personal health data relate to an individual's past, present or future physical or mental health status, health care services received and health care service fees paid for, etc., see Annex A.
3.2
health data
personal health data and health-related electronic data obtained after processing the personal health data
Example: Overall analysis results, trend prediction, disease prevention and control statistics of a group obtained after processing group health data.
3.3
health service professional
persons authorized by the government or an industry organization as qualified to perform specific health work duties
Example: Doctor.
3.4
health service
service provided by a health service professional or paraprofessional that has an impact on health condition
3.5
health data controller
organizations or individuals who can determine the purpose, manner, scope, etc. of health data processing
Examples: Organizations that provide health services, health insurance agencies, government agencies, health care scientific research institutions and individual clinics.
3.6
health information system
system that collects, stores, processes, transmits, accesses, and destroys health data in a computer-processable form
3.7
limited data set
personal health data set that has been partially de-identified but can still identify the corresponding individual and therefore needs to be protected
Example: Health data from which identifiers directly related to the individual, his/her family members and employer have been removed.
Note: A limited data set may be used for the purposes of scientific research, medical/health education and public health without individual authorization.
3.8
notes of treatment
observations, reflections, and program discussion conclusions recorded by health service professionals in the course of providing health services
Note: Notes of treatment have the attribute of intellectual property rights and their intellectual property rights belong to health service professionals and/or their units.
3.9
disclosure
act of transferring health data to, or sharing it with, specific individuals or organizations, as well as publicly releasing health data to unspecified individuals, organizations or society
3.10
clinical research
scientific research activities aimed at exploring the causes, prevention, diagnosis, treatment, and prognosis of diseases, conducted by medical institutions, academic research institutions, and/or healthcare-related enterprises, with patients or healthy individuals as research subjects
Note: Clinical research is a branch of medical research.
3.11
completely public sharing
data, once released, being difficult to recall and usually released directly to the public via the Internet
[GB/T 37964-2019, Definition 3.12]
3.12
controlled public sharing
constraining the use of data through a data use agreement
[GB/T 37964-2019, Definition 3.13]
3.13
enclave public sharing
data shared within the physical or virtual enclave out of which data cannot flow
[GB/T 37964-2019, Definition 3.14]
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
ACL: Access Control List
API: Application Programming Interface
APP: Application
DNA: DeoxyriboNucleic Acid
EDC: Electronic Data Capture
GCP: Good Clinical Practice
HIS: Hospital Information System
HIV: Human Immunodeficiency Virus
HL7: Health Level 7
ID: Identity
IP: Internet Protocol
IPSEC: Internet Protocol Security
LDS: Limited Data Set Files
PIN: Personal Identity Number
PUF: Public Use Files
RIF: Research Identifiable Files
RNA: RiboNucleic Acid
SQL: Structured Query Language
TLS: Transport Layer Security
USB: Universal Serial Bus
VPN: Virtual Private Network
XSS: Cross-Site Scripting
7 Principles for use and disclosure
b) Without the authorization of the subject, the controller may use or disclose the corresponding personal health data under the following circumstances:
1) When providing the subject with his/her own health data;
2) During treatment, payment or health care;
3) When involving public interests or laws and regulations;
4) When the limited data set is used for the purposes of scientific research, medical/health education and public health;
Under the above circumstances, the controller may rely on legal and regulatory requirements, ethics and professional judgment to determine what personal health data is permitted to be used or disclosed.
c) The controller should obtain the authorization of the subject before using or disclosing personal health data for marketing activities, except for face-to-face marketing communication between the controller and the subject. The authorization for marketing activities should be presented to the subject in a reasonable manner, and the subject should be made fully aware of it and give his/her explicit and autonomous consent. The authorization should be independent: it should not be a precondition for the subject to obtain any public service or medical service, nor be bundled with other service terms. When obtaining the authorization, the controller should inform the subject in writing that he/she has the right to revoke the authorization at any time.
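As an added illustration (not part of the standard's text), the Python below derives a limited data set as described in 3.7 by stripping direct identifiers of the individual, family members and employer, and then applies the 7 b) and 7 c) decision to a disclosure request; the field names, purpose labels and sample record are assumptions constructed here.

```python
# Added example, not from the standard: limited data set derivation (3.7) and the
# use/disclosure gate of 7 b) / 7 c). Field names, purpose labels and the sample
# record are constructed for illustration.
import copy

# Direct identifiers of the individual, family members and employer (assumed field names)
DIRECT_IDENTIFIERS = {"name", "id_number", "phone", "address", "employer"}

# 7 b) 1)-3): any personal health data may be used/disclosed without authorization
PURPOSES_ANY_DATA = {"self_access", "treatment", "payment", "health_care",
                     "public_interest", "legal_requirement"}
# 7 b) 4): only a limited data set may be used without authorization
PURPOSES_LIMITED_ONLY = {"scientific_research", "health_education", "public_health"}


def to_limited_data_set(record):
    """Copy the record, dropping direct identifiers at top level and for each family member."""
    lds = copy.deepcopy(record)
    for key in DIRECT_IDENTIFIERS:
        lds.pop(key, None)
    lds["family_members"] = [
        {k: v for k, v in member.items() if k not in DIRECT_IDENTIFIERS}
        for member in lds.get("family_members", [])
    ]
    return lds


def has_direct_identifiers(record):
    """True if any direct identifier field survives, including inside family members."""
    if record.keys() & DIRECT_IDENTIFIERS:
        return True
    return any(m.keys() & DIRECT_IDENTIFIERS for m in record.get("family_members", []))


def disclosure_permitted(purpose, record, subject_authorized=False):
    """7 b): without authorization, permit only the listed purposes; research, education
    and public health additionally require a limited data set. Anything else (e.g.
    marketing, 7 c)) needs the subject's explicit authorization."""
    if subject_authorized:
        return True
    if purpose in PURPOSES_ANY_DATA:
        return True
    if purpose in PURPOSES_LIMITED_ONLY:
        return not has_direct_identifiers(record)
    return False


# Constructed sample record (all identifier values are placeholders)
SAMPLE_RECORD = {
    "name": "PLACEHOLDER-NAME", "id_number": "PLACEHOLDER-ID", "phone": "PLACEHOLDER",
    "address": "PLACEHOLDER", "employer": "PLACEHOLDER",
    "diagnosis": "type 2 diabetes", "visit_date": "2020-05-01",
    "family_members": [{"relation": "mother", "name": "PLACEHOLDER", "diagnosis": "hypertension"}],
}
```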