Level 3 Construction of Hospital Information Security Protection

1 Background

With the rapid development of hospital informatization, hospital information systems have reached into every link of medical work. Once the security of these systems is threatened, the smooth conduct of medical activities is seriously affected, so hospitals attach ever greater importance to this work. Information security level protection (等级保护) is the national system for protecting information security by classified levels; its ultimate purpose is to protect important information systems and to raise their protective capability and emergency-response level. So that the level protection system can be implemented effectively in hospitals, the relevant state departments, in light of the actual situation of the medical industry, issued the Notice on the Guiding Opinions on Information Security Level Protection Work in the Health Industry (卫办发[2011] 85号). This document acts as a bridge between information security level protection and information security management in the medical industry. In the spirit of the document, the security protection level of a hospital's core business information systems should in principle be no lower than Level 3.

2 Hospital Information Security Level Protection Construction Process

2.1 Grading the information system

Grading an information system considers two aspects: first, who is the object harmed when the business information is damaged, and second, how severe the harm to that object is. Combining the two according to Table 1 determines which level each of the unit's information systems should be assigned. In a hospital, outpatient volume is generally large. During the morning peak for registration and consultation, many patients are already queuing, and if the system crashes the queues spread across the hospital and can easily trigger a mass incident. This is therefore defined as "serious harm" to "social order and public interest", which corresponds to Level 3 under the level protection grading. The systems concerned are those closely tied to outpatient care, such as registration and consultation.

2.2 Review and filing of the information system

According to the level protection management measures and the grading guide, after the unit completes self-grading of its information systems, the self-grading results for the business systems must be submitted to the Ministry of Health for approval. During approval, the Ministry of Health organizes experts to review the grading and issues an Approval Opinion. After the review, the hospital fills in the Information System Security Level Protection Filing Form and the Information System Security Level Protection Grading Report; templates for both can be downloaded from 中国信息安全等级保护网 (the China Information Security Level Protection website). Finally, the hospital takes the review opinion, the filing form and the grading report to the public security organ at or above municipal level with jurisdiction over its location to complete the filing procedure. Grading and filing are complete once the filing receipt and the review result notice have been received.

2.3 Security construction and rectification of the information system

After filing, compliance construction and rectification of the information systems begins, in the following steps.

2.3.1 Level protection gap analysis

Level protection requirements are divided overall into technical and management aspects, and the technical requirements are further divided into three classes, S, A and G:

Business information security (class S): concerned with protecting data against leakage, destruction and unauthorized modification during storage, transmission and processing, for example whether patient data and fee data are encrypted in transit, and whether an anomaly during transmission can be detected promptly.

System service security (class A): concerned with keeping the system running continuously and normally, for example machine-room power, server load, and the fault tolerance and resource control of the HIS: whether stand-alone registration, consultation, charging and dispensing are supported so that existing data is preserved and care can continue when the server is down; and the state of disaster recovery, that is, whether rapid recovery is possible after a system failure.

General security protection (class G): most technical security requirements belong to this basic class, such as physical security of the machine room, access control and auditing for networks and hosts, and auditing of the information systems themselves.

On the management side, Level 3 executes the management requirements of G3, 154 control items; the hospital compares its own management system against these items one by one and lists the nonconformities. On the technical side, Level 3 may be executed selectively from G3S3A3, G3S1A3, G3S2A3, G3S3A1 and G3S3A2; that is, class G must reach Level 3, and one of class A or class S must reach Level 3. The hospital may choose one of these standards for its gap analysis according to its own situation; the strictest, G3S3A3, has 136 control items in total. Against the combined 290 management and technical control items, the hospital can self-assess and obtain its gap from Level 3.

2.3.2 Security requirements analysis

At present, hospitals' information security concerns center on business continuity and data privacy protection. The gap analysis results should therefore be analyzed together with the hospital's actual security needs, so that security construction meets real clinical needs, resources are used effectively and investment is not wasted.

2.3.3 Security construction/rectification plan

Once requirements are clear, overall design follows. The design should put forward an overall plan (short-term and long-term) and a detailed design, split into sub-projects to be completed one by one, and finally experts should be organized to review the plan.

2.3.4 Implementation

After the plan is drawn up and reviewed, implementation begins. Implementation should give equal weight to management and technology, combining technical and management measures organically, establishing a comprehensive protection system for the information systems and raising their overall security protection capability.

2.4 Level evaluation

Once construction is complete, level protection evaluation can begin. The evaluation must be carried out by an evaluation agency recognized by the public security bureau and holding "DICP" certification; agency names can be looked up on 中国信息安全等级保护网. An evaluation typically takes about one month. Its main stages are as follows.

2.4.1 Preparation

This is the initial communication stage between the evaluation agency and the hospital. The hospital describes its general medical workflow, how its data flows are produced, its system topology and its equipment usage; the agency then prepares the evaluation tools and forms based on this information.

2.4.2 Evaluation plan

The agency defines the evaluation indicators and the access points for its tools, confirms the evaluation content and drafts the evaluation plan. It then agrees with the hospital on the date of the on-site evaluation and its main content and process.

2.4.3 On-site evaluation

The agency is on site for about a week, evaluating the 290 management and technical control items mentioned above one by one. This stage is closely coupled with the hospital: each step must be scheduled with both sides so that normal hospital business is not disrupted; operations such as vulnerability scans that consume server resources should be run after hours or outside business peaks. Evaluation tools must be fully tested before they are connected, to ensure they have no impact on existing business. The hospital's network engineers, system engineers and audit engineers need to be present to cooperate.

2.4.4 Analysis and report preparation

After the on-site evaluation, the agency collates all single-item results, judges each item, analyzes the hospital's overall result, and issues an evaluation report stating the risk points found, rectification suggestions and the evaluation result. The result is the main basis for judging whether the hospital passes. Per the level protection requirements, the result is one of non-compliant, partially compliant or fully compliant; non-compliant is a failure, partially compliant and fully compliant are passes. Based on the item-by-item data, leaving aside the items that must be met, compliance on 80% or more of the 290 control items is a pass.

2.5 Self-inspection and cooperation with regulatory inspection

Under the level protection system, a Level 3 information system requires a level protection self-inspection at least once a year, and the regulator comes to the hospital for an on-site inspection at least once a year. This is therefore long-term work and must be pursued without let-up.

2.5.1 Level protection self-inspection

The public security bureau has developed a level protection self-inspection tool that the hospital can use. The hospital first enters basic information (its information security organization, assets and policies), then self-inspects each filed system, linking the assets and policies entered earlier. The result is submitted to the local public security department.

2.5.2 Supervisory inspection

The regulator is in most cases the municipal public security department, which inspects Level 3 systems on site annually. The inspection is based mainly on the topology, self-inspection results and management documents provided through the self-inspection tool, and generally takes half a day. Afterwards the department grades the result and gives constructive guidance on the next steps of security work.

3 Summary

Level protection construction can be approached from two angles, compliance and internal system demand, and its compliance and reasonableness must be checked periodically. Compliance means building the hospital's complete information security system under policy guidance: implementing the national level protection standards; responding to the Ministry of Health's guidance on promoting level protection; passing the national level protection evaluation; and serving as a pilot and demonstration for information security and level protection construction in the medical industry. Internal demand means systematic construction in step with business development that genuinely raises the hospital's own protection: active defense against external intrusion and prevention of harm from irregular internal operations; reducing the difficulty of daily IT management and improving operation and maintenance efficiency for complex, heterogeneous systems, so that there are "rules to follow and techniques to apply"; and rational planning and standardized construction of existing, new and planned systems. Hospital information security construction must fit the hospital's own conditions and proceed in phases, ensuring that every hospital system runs stably and securely over the long term and keeps pace with ever-expanding business applications and management needs. That is where the real significance of level protection construction lies.