How should hospitals maintain patient privacy when celebrity cases are leaked?

Mondo Technology Updated on 2024-01-30

On December 12 came the news that the well-known actress Zhou Haimei had died of illness a few days earlier, at only 57. On the night the obituary was released, a screenshot purporting to be Zhou Haimei's electronic medical record circulated on social media. According to the circulating image, Zhou Haimei had been treated in the emergency department of a hospital in Shunyi District, Beijing, and personal information such as her age, illness and medical history was clearly legible. "Zhou Haimei's medical records suspected leaked" then appeared on the Weibo hot search list.

On the 14th, the Shunyi Branch of the Beijing Municipal Public Security Bureau issued a notice: investigation established that on December 11, Fu Moumou (male, 36) used the access his job at a hospital in Shunyi District gave him to photograph a patient's medical record and send it to a WeChat group in order to show off, after which the information spread and caused a bad social impact. The Shunyi police have placed Fu Moumou under administrative detention in accordance with the law.

This incident has raised public concern about, and vigilance towards, the confidentiality of information in the medical sector. How could a hospital employee so easily obtain a medical record, photograph it and spread it? How should the hospital involved protect patient privacy more strictly? How can an effective supervision mechanism be established to stop hospital staff from leaking patient records? In other words, how can these gaps really be closed?

Plugging the loopholes: how should medical institutions improve their data security protection?

Around this series of questions, Security 419 interviewed Yuan Haibin, CTO of the data security vendor Digital Security Bank (DSB), for a professional reading of the incident.

Yuan Haibin, CTO of Digital Security Bank, told us that because the incident leaked sensitive personal information, it is a very typical case of unlawful disclosure of personal privacy data.

The Personal Information Protection Law of the People's Republic of China, in force since November 1, 2021, classifies biometric, religious belief, specific identity, medical and health, financial account and location-tracking information, as well as the personal information of minors under 14, as sensitive personal information.

The medical record involved here is sensitive personal information of the medical and health category. The Personal Information Protection Law lays down specific rules for handling sensitive personal information: before such data may even be collected, there must be a specific purpose and sufficient necessity.

Hospitals do need to collect patient information in order to treat patients. But an organisation that collects such data must make sure it has taken strict protective measures for that sensitive information, and must inform the individual of the necessity of the processing and of its impact on the individual's rights and interests. It is evident that the hospital fell short of its responsibility in this respect, which led to this data breach.

Under the Civil Code of the People's Republic of China and the Basic Medical Care and Health Promotion Law of the People's Republic of China, medical institutions and their medical staff must keep patients' privacy and personal information confidential. Anyone who discloses a patient's privacy or personal information, or discloses a patient's medical records without the patient's consent, bears the corresponding legal liability.

In fact, similar leaks of medical information have occurred repeatedly in recent years, and not only to celebrities and other public figures. In some hospitals the management of patients' private information is relatively loose and chaotic, and some medical staff even treat patients' private information as a means of profit. The leak of Zhou Haimei's medical record has once again sounded the data security alarm for the medical sector.

Yuan Haibin said that for any organisation that has collected personal information or sensitive personal information, the first task is to educate employees in legal awareness: although the Personal Information Protection Law has now been in force for two years, many people's awareness of the legal duty to protect personal information still needs strengthening.

It can be seen from the media reports on this incident that the hospital employee who leaked the record did so to show off, not as a deliberate malicious act for illegal gain, which shows that, as a hospital employee, he was lacking in the relevant legal awareness in more than one respect.

A medical institution also needs to give every employee who has access to such data training in cyber security awareness and legal awareness, and to make clear that leaking medical data is illegal, not merely a breach of internal rules and regulations.

In addition, the Personal Information Protection Law sets out fairly clear requirements for what information processors must do. To process sensitive personal information, the processor must first define the purpose and method of processing, the impact the information may have on individuals' rights and interests, and the security risks that may arise when such information is collected. Beyond that, it must take appropriate protective measures to prevent unauthorised access and the leakage, tampering or loss of personal information.

Yuan Haibin said that, looking at the incident itself, besides the lack of a management system there was also the lack of an emergency response plan. "As a data processor you can never guarantee that no data breach will occur; whether it is an irregular operation by an internal employee or malicious theft from outside, either can lead to a leak, so the emergency plan must be activated promptly."

Taking this incident as an example: as soon as a hospital learns that a breach has occurred, it should quickly locate the source of the leak. After the breach it should promptly issue an emergency statement and act to stop secondary dissemination of the relevant images online; in similar breaches, re-posting often causes far greater concern and impact. Emergency plans therefore also belong in the routine management system, so that the situation can be contained as it develops.

From the perspective of someone in charge of IT construction in the medical sector, what measures should be taken at the technical and management levels to plug data security gaps? At the end of the interview we also asked Yuan Haibin for some suggestions.

First, he suggested that medical institutions formulate internal management systems based on their actual conditions. Even where no data leak ultimately occurs, if unlawful data processing behaviour is discovered internally, corresponding disciplinary measures need to be laid down for such situations. In addition, unintentional data leaks by internal employees need to be prevented.

The organisation's security officer should therefore stipulate operating procedures, for example which computers must be used to query this data, and prohibit photographing the screen or other improper operations while the data is being queried, so as to reduce the risk of such data leaking.

Secondly, the person in charge of the institution's security should classify and grade personal information. The personal information collected includes not only ordinary personal information but also a large amount of sensitive personal information, so information at these different levels must be managed, distinguished and protected differently; sensitive personal information in particular may only be processed and used once the appropriate protective measures are in place.

Third, on the technical side, institutions can apply de-identification techniques such as encryption and data masking (desensitisation). Where normal work does not require a field to be displayed in full, it can be de-identified: for example, the patient's medical record number can be shown, which is enough to know who has come for treatment and to look up the patient's information, while the patient's name is masked.
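As an added illustration of the masking rule just described (example code written for this page, not DSB's product or any hospital's system; the record, field names and the "purpose" labels are constructed assumptions), the following Python keeps the medical record number in clear and masks the direct identifiers, with the set of clear-text fields depending on the stated processing purpose, so that a billing clerk and a treating doctor see different views of the same chart:

```python
"""Field-level de-identification of a patient record view.

Added example for this article, not code from DSB or any hospital system.
The record, field names and purpose labels below are constructed.
"""
import re
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class PatientRecord:
    medical_record_no: str  # chart number: kept in clear so staff can find the chart
    name: str
    national_id: str        # 18-character PRC resident ID number (constructed)
    phone: str
    diagnosis: str
    history: str


def mask_name(name: str) -> str:
    """Keep the surname, replace the rest of the name with '*'."""
    return name[0] + "*" * (len(name) - 1) if len(name) > 1 else "*"


def mask_national_id(national_id: str) -> str:
    """Keep the 6-digit region prefix and 4-character suffix, hide the birth date."""
    if not re.fullmatch(r"\d{17}[\dXx]", national_id):
        raise ValueError("not an 18-character resident ID number")
    return national_id[:6] + "*" * 8 + national_id[14:]


def mask_phone(phone: str) -> str:
    """Keep the first 3 and last 4 digits of an 11-digit mobile number."""
    if not re.fullmatch(r"1\d{10}", phone):
        raise ValueError("not an 11-digit mobile number")
    return phone[:3] + "****" + phone[7:]


# Direct identifiers and the masking function applied to each.
MASKERS = {"name": mask_name, "national_id": mask_national_id, "phone": mask_phone}

# Which fields each processing purpose legitimately needs in clear.
# Assumption: a purpose not listed here gets the most restrictive view.
CLEAR_FIELDS_BY_PURPOSE = {
    "clinical":       {"medical_record_no", "diagnosis", "history"},
    "identity_check": {"medical_record_no", "name", "national_id"},  # e.g. registration desk
    "billing":        {"medical_record_no"},
}
# Clinical content is dropped entirely (not merely masked) when not needed.
CLINICAL_FIELDS = {"diagnosis", "history"}


def de_identified_view(record: PatientRecord, purpose: str) -> dict:
    """Return the fields to display for `purpose`: identifiers masked unless
    the purpose needs them, clinical fields omitted unless the purpose needs them."""
    clear = CLEAR_FIELDS_BY_PURPOSE.get(purpose, {"medical_record_no"})
    view = {}
    for field, value in asdict(record).items():
        if field in clear:
            view[field] = value
        elif field in MASKERS:
            view[field] = MASKERS[field](value)
        elif field in CLINICAL_FIELDS:
            continue  # not needed for this purpose: do not show it at all
        else:
            view[field] = value
    return view


# Constructed sample record (not a real person).
SAMPLE = PatientRecord(
    medical_record_no="MR-2023-001234",
    name="王小明",
    national_id="110113199001011234",
    phone="13800138000",
    diagnosis="acute coronary syndrome",
    history="hypertension, 10 years",
)

if __name__ == "__main__":
    for purpose in ("clinical", "identity_check", "billing", "unknown"):
        print(purpose, de_identified_view(SAMPLE, purpose))
```

The masks are applied at display time, on top of whatever encryption protects the stored record; the stored data is unchanged, and anyone with a legitimate purpose can still find the chart by its number. The masking functions validate their input so that a malformed identifier raises rather than being displayed unmasked by accident.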

Since the Personal Information Protection Law came into force, many industries have issued corresponding compliance requirements specifying technical standards for processing personal information in different scenarios. Data security vendors, including DSB, also provide products and technical capabilities to help customers of all kinds, including medical institutions, build data security compliance capabilities.

In addition, a large amount of sensitive data is stored in the back-end systems of medical institutions. Under the relevant laws and regulatory requirements, this data also needs fine-grained encryption and other protection measures, to prevent the database from being dumped and stolen or other forms of data loss.

Yuan Haibin suggested that larger medical institutions, once they meet the data compliance baseline, add further protections such as watermarking and sandbox isolation, which ensure that data is processed and used within a secure environment and cannot spread offline and leak. A readable watermark is also a reminder and a deterrent to the operator: when a page containing private information is opened, an identifying watermark is displayed, so that whether the leak happens by photographing the screen or by other means, it can be traced quickly from the watermark information.

"For employees, a watermark on the screen reminds them that the data currently displayed is sensitive information: besides not photographing or screenshotting it themselves, they also become conscious of stopping others from photographing it, which builds an active sense of protecting sensitive data," Yuan said.
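To make the traceability described above concrete, here is an added Python example (written for this page; not DSB's watermarking product or any hospital's code) of a screen watermark that ties each opening of a sensitive page to an operator, a registered terminal and a time, with an authentication tag so that a watermark transcribed from a leaked photo can be matched against the audit log and an altered watermark is rejected. It also enforces the earlier point that records may only be queried from designated computers. The terminal allowlist, operator IDs, record number and key are constructed assumptions.

```python
"""Traceable screen watermark for pages that display sensitive medical data.

Added example for this article, not code from DSB or any hospital system.
Terminal IDs, operator IDs, the record number and the key are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Assumption: patient records may only be opened from registered terminals
# (the "which computers must be used" rule from the interview).
ALLOWED_TERMINALS = {"ER-WS-01", "ER-WS-02"}

# Assumption: held by the security officer, never shown to users; rotate it.
WATERMARK_KEY = b"constructed-demo-key-do-not-use"

# In-memory audit log for the example; a real system writes append-only storage.
AUDIT_LOG: list = []


def _tag(operator: str, terminal: str, ts: str) -> str:
    """Short HMAC over the watermark fields: lets us reject forged or misread
    watermarks without making the on-screen text too long to read from a photo."""
    msg = f"{operator}|{terminal}|{ts}".encode()
    return hmac.new(WATERMARK_KEY, msg, hashlib.sha256).hexdigest()[:8]


def open_record(operator: str, terminal: str, medical_record_no: str,
                now: Optional[datetime] = None) -> str:
    """Gate the access, log it, and return the watermark text to tile across
    the page (semi-transparent and repeated, so it survives a partial photo)."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M%S")
    if terminal not in ALLOWED_TERMINALS:
        AUDIT_LOG.append({"event": "denied", "operator": operator,
                          "terminal": terminal, "ts": ts, "record": medical_record_no})
        raise PermissionError(f"{terminal} is not a registered terminal")
    tag = _tag(operator, terminal, ts)
    AUDIT_LOG.append({"event": "opened", "operator": operator, "terminal": terminal,
                      "ts": ts, "record": medical_record_no, "tag": tag})
    # Operator ID rather than name: the watermark itself must not leak staff PII.
    return f"{operator} {terminal} {ts} {tag}"


def trace(watermark_text: str):
    """Given watermark text transcribed from a leaked photo, verify the tag
    and return the matching audit event, or None if it is forged or unknown."""
    parts = watermark_text.split()
    if len(parts) != 4:
        return None
    operator, terminal, ts, tag = parts
    if not hmac.compare_digest(tag, _tag(operator, terminal, ts)):
        return None  # fields altered or tag misread: do not trust it
    for event in AUDIT_LOG:
        if event.get("tag") == tag and event["operator"] == operator:
            return event
    return None


if __name__ == "__main__":
    wm = open_record("staff0042", "ER-WS-01", "MR-2023-001234")
    print("watermark:", wm)
    print("traced to:", trace(wm))
```

Two caveats a practitioner should keep in mind. A visible watermark deters and attributes; it does not stop a phone camera, which is why it is paired with the terminal allowlist and the audit log rather than used alone. And the watermark identifies the session that was on screen, not necessarily the person holding the camera, so the investigation still has to establish who was at that terminal at that time.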
