Project Background
Jiangxi Provincial People's Hospital is located beside the gorgeous Ganjiang River, and was previously a missionary hospital founded by the Methodist Church of America in 1897. It is the earliest western medicine hospital in Nanchang City, and a large-scale Third-Grade Class-A general public hospital directly under the Health and Family Planning Commission of Jiangxi Municipality. It integrates medical care, health care, scientific research, teaching and physical examination. With the deepening reforms in the medical and health system and the growing popularity of information applications in the health industry, hospital information systems have become important support systems for medical service. Application safety and stability directly affect the normal operation of hospitals, and network paralysis or data loss can cause a giant disaster and irreparable loss to the hospital and the patient. At the same time, the hospital information system holds a large amount of private information on hospital operation, patients' medical treatment, etc., so leakage and spreading of such information leads to safety risks for the hospital, society and the patient. In accordance with classified protection requirements, information security system development should be in line with national and industrial policies and regulations and should be the basis for the hospital information system development.
Requirement Analysis
1) Hospital information security development must meet the requirements of the information security classified protection standards, ensure high efficiency, and provide a stable platform supporting business security.
2) Hospital data is sensitive; hence, illegal access to the network must be effectively prevented, to protect critical data from being stolen, tampered with or leaked illegally.
3) Modern medical businesses increasingly rely on network transmission and related applications, and medical material transmission needs to be protected from interruptions caused by network malfunction. Therefore, higher reliability is required in developing the network system, and it should meet the requirement of long-term continuous operation.
4) As hospitals have various business systems, a strong, uniform and central management and monitoring system is required for the maintenance and management staff, and it should support safety audit, unified identity authentication and flow management.
Solution
Based on the vulnerabilities found during the risk assessment and the result of the gap analysis against the classified protection level, a detailed plan was designed and appropriate safety products were selected. This led to a detailed implementation plan that met the requirements of the information protection level and would help users pass the classified information protection evaluation by the relevant evaluation institutions.
Next-generation firewall, intrusion protection and other safety devices were deployed separately in areas connected to the internet to help mitigate potential risks in the network, and a safe and reliable OA service was provided via VPN. An Access Gateway was deployed at the server level, realizing standardized management, and a comprehensive maintenance staff audit process was established.
Product Deployment
Effect/Feedback
According to the Baseline for Information System Security Protection Level, necessary technical safety measures were adopted to meet the basic requirements of three-level protection in a hospital. Focusing on business applications and with the support of security management, network and system security protection in the hospital was enhanced by developing a network security system.