With continuous development of computer software & hardware technologies, many information systems are being more widely used in hospitals, such as Hospital Information System (HIS), Electronic Medical Record System (EMRS), Picture Archiving and Communication System (PACS), Clinical Examination Management Information System (CEMIS), Ultrasound Information System (UIS), Electrocardiogram Information System (ECGIS), Physical Examination Information System (PEIS), Medication Safety Monitoring System (MSMS), Pathological Information System (PIS), Drug Clinical Trial Management System (GCP Center), etc. With the greater application of information technology systems, hospitals have vastly improved their comprehensive strength, scientific management, medical quality and service efficiency. It has also made it convenient for patients to visit the right doctors.

Information system and network security in hospitals is related to the safety of patient diagnosis and treatment, personal privacy and vital interests, and is the foundation and important guarantee for the hospital’s normal operation and management. Therefore, hospitals need to attach great importance to information security development and network security design. It is necessary for them to focus on firewalls, virus protection, security audit, database audit, intrusion protection, data backup and other systems, strengthen security awareness, clarify the key points of information security development, establish security working groups, formulate and improve the security management system and incident contingency plans and other systems to ensure that the hospital’s information systems and network are safe and secure.

1. Major threats in the data layer:
1) Attackers intercept, read, crack the information or residual information in media, to steal electronic medical records and other sensitive information.
2) Electronic medical records and other sensitive information stored/shared by internal personnel through e-mail, online, mobile media or mobile computing devices, where there is risk of data leakage due to loss of the media or devices.

2. Major threats in the network layer:
1) Hackers destruct and gain unauthorized access to the EHR and other information through the Internet.
2) Hackers or internal personnel attack or gain unauthorized access to the platform via the POS connected with the network.
3) Hackers or internal personnel attack or gain unauthorized access to the platform via third party network connected with the network-connected platform.
4) Outbound illegal network connections from the data center’s servers lead to risk of worm-type viruses or Trojan horse infections.

3. Major threats in the application layer:
1) Internal personnel, such as regional health information platform staff, access data beyond their authority or destruct electronic medical records and other information;
2) POS department, external personnel, attackers gain unauthorized access to electronic medical records and other information, or tamper or conduct spoofing attacks on the EHR and other information uploaded to the regional health information platform, by means man-in-the-middle attacks and spoofing.

In accordance with the National Information Security’s Graded Protective System and by following relevant standards and norms, we have developed a comprehensive grading system for protecting information security, system construction rectification and evaluation for the health industry. We have defined key points for information security, implemented information security responsibilities, established a long-term mechanism for the graded protection of information security, and effectively improved the capability of information security protection, danger detection and emergency response in the health industry. We provide a reliable guarantee for the stable development of health information, and for comprehensive maintenance of public interest, social order and national security.