Preface

As informatization has been integrated into every area and process of hospital work, information systems have become essential support for hospital management and service operations, while also facing network security risks arising from external attacks, internal vulnerabilities and natural disasters. To address this, in 2022 the competent authority for the health sector issued the Measures for the Administration of Network Security of Medical and Health Institutions (《医疗卫生机构网络安全管理办法》), which called for building a three-in-one security protection system of "management, technology and operations". Hospitals at all levels, following the work requirements set by the government, have launched the construction of their own security protection systems. However, because hospitals differ in their level of network security management, the capabilities of their technical staff and the funding they invest, there has been no objective basis for evaluating how effectively they have implemented the requirements of the Measures and established a security protection system. For this reason, the Information Professional Committee of the Chinese Hospital Association (CHIMA) organized relevant experts, who drew on the network security maturity evaluation methods of other industries and combined them with the characteristics of the medical and health sector to produce this evaluation guide. It is intended to reflect a hospital's overall level in network security strategy, processes, technology and personnel, as well as its ability to respond to network security threats and risks. The maturity evaluation framework for network security operations capability covers security strategy and policy, risk management, technical security measures, personnel capability and security awareness, emergency response capability, and continuous improvement mechanisms. Through maturity evaluation, we hope that medical and health institutions can examine themselves comprehensively from multiple angles, such as how advanced their technology application is, how standardized their management processes are and how professional their staff are, identify shortcomings in network security construction and operations, and obtain direction for further optimizing their work system and improving security effectiveness. We hope this guide becomes a practical tool in the hands of hospital practitioners, who can use it to evaluate their institution's network security system on a regular basis and establish a mechanism for continuous improvement. Whether hospital managers making strategic decisions, information department technicians in daily operations and maintenance, or medical staff using information systems, all should be able to find practical and actionable guidance and recommendations in it.

The creation of this guide brings together the wisdom of many parties. The First Affiliated Hospital of Nanchang University (南昌大学第一附属医院), as the core contributing institution, drew on its own informatization experience and the accumulated results of building its network security protection system to contribute benchmark practice cases such as security admission of medical devices and protection of patient privacy data. At the same time, information security experts from more than ten Grade A tertiary (三甲) hospitals ensured, through case discussions and scenario validation, that the guide's content is closely aligned with the industry's real needs. CHIMA will continue to improve the ecosystem for applying the guide, promoting the sharing of industry experience and joint capability building through version iteration and regional seminars and training. We sincerely invite medical institutions at all levels to apply this guide actively and jointly build a virtuous cycle of "evaluate - improve - re-evaluate", laying the foundation with security and empowering with innovation, so that together we strengthen the line of defense for medical network security and safeguard the people's health. Finally, we thank the experts for their guidance on the drafting work and the project team members for their hard work, and we hope that hospital information experts will take part so that the guide is continuously refined and upgraded through use.

Chairman, Information Professional Committee of the Chinese Hospital Association

Guide Compilation Notes

The Hospital Network Security Operations Capability Maturity Evaluation Guide (《医院网络安全运营能力成熟度评估指南》) was compiled to provide hospitals with a scientific, systematic and standardized set of evaluation criteria and a verification process for building security operations, and to better safeguard the secure, stable and efficient running of hospital information systems. In accordance with national laws and regulations and industry standards, it organizes the hospital's security operations work and builds a complete security operations system. Through the implementation of the security operations system, a comprehensive, detailed and scientific system of evaluation indicators is constructed for evaluating how security work is being carried out. For the evaluation indicators we introduce "maturity", which mainly evaluates how complete a hospital's network security management, strategy implementation, technology application and personnel training are. It reflects the degree to which a hospital has built up its network security work and is an important yardstick for examining that work from a long-term and holistic perspective. Through maturity evaluation we can not only understand the long-term development of a hospital's network security work but also promptly identify and handle the security problems that currently exist, ensuring that this work is continuously improved and runs efficiently. This guide takes the First Affiliated Hospital of Nanchang University as its model and combines the informatization experience and the research and practice on network security protection systems of several large hospitals. It is tailored to hospitals and aims to help medical institutions accurately evaluate the current state of their network security operations and clearly understand their strengths and weaknesses in network security operations capability maturity. Information professionals from Peking Union Medical College Hospital, Chinese Academy of Medical Sciences (中国医学科学院北京协和医院), Peking University Cancer Hospital (北京大学肿瘤医院), Shengjing Hospital of China Medical University (中国医科大学附属盛京医院), Ruijin Hospital, Shanghai Jiao Tong University School of Medicine (上海交通大学医学院附属瑞金医院), Shanghai Children's Hospital, Shanghai Jiao Tong University (上海交通大学附属儿童医院), the First Affiliated Hospital, Zhejiang University School of Medicine (浙江大学医学院附属第一医院), the First Affiliated Hospital of Xiamen University (厦门大学附属第一医院), Women and Children's Hospital, Xiamen University (厦门大学附属妇女儿童医院), the First Affiliated Hospital of Nanchang University (南昌大学第一附属医院), the First Affiliated Hospital of Zhengzhou University (郑州大学第一附属医院), Zhongnan Hospital of Wuhan University (武汉大学中南医院), Guangdong Provincial Hospital of Chinese Medicine (广东省中医院), Guizhou Provincial People's Hospital (贵州省人民医院), Yunnan Cancer Hospital (云南省肿瘤医院) and other institutions took part in the research and drafting. After the guide is released, we will continuously monitor how it performs in practice, collect feedback, and update and revise it in due course to keep pace with the constantly changing network security environment.

Editorial Board

Chief Reviewer (主审): 王才有
Editor-in-Chief (主编): 曹磊
Deputy Editors-in-Chief (副主编): 李郁鸿、肖辉、杨洋、邵尉、衡反修
Editorial Board Members (编委): 王淑、孙松儿、李振叶、周敏、贺松、赵敏、戚美珍、涂志炜、曾宇平、路健
Editors (编辑): 邓培、刘华、闫懿、章俊
Technical Advisors (技术顾问): 孙国强、赵艳、薛万国
Review Experts (审核专家): 刘海一、琚文胜
Note: names are ordered by the stroke count of the first character of the surname and by the alphabetical order of the surname.

Table of Contents

Preface
Guide Compilation Notes
Editorial Board
Table of Contents
1. Overview
1.1. Background and Purpose
1.2. Responsibilities of the Operating Teams
1.2.1. Decision-Making Team
1.2.2. Execution Team
1.2.3. Coordination Team
1.3. Scope of Application
1.4. Basic Principles
1.4.1. Principle of Legality and Compliance
1.4.2. Principle of Controllable Risk
1.4.3. Principle of Practical Effectiveness
1.4.4. Principle of Continuous Evolution
1.5. Referenced Terms and Definitions
1.6. Abbreviations
2. Application Scenarios
2.1. Guiding Network Security Construction Planning
2.2. Evaluating the Institution's Own Network Security Status
2.3. Improving Shortcomings in the Institution's Own Security Construction
3. Maturity Evaluation Framework
3.1. Maturity Framework
3.1.1. Framework Definition
3.1.2. Framework Sources
3.2. Maturity Process Domains
3.2.1. Process Domain Definition
3.2.2. Process Domain Sources
3.3. Maturity Capability Domains
3.3.1. Capability Domain Definition
3.3.2. Capability Domain Sources
3.4. Maturity Level Domains
3.4.1. Level Domain Definition
3.4.2. Level Domain Sources
3.5. Maturity Evaluation Indicators
3.5.1. Indicator Definition
3.5.2. Indicator Sources
3.6. Coding Rules
4. Maturity Evaluation Method
4.1. Maturity Evaluation Process
4.2. Determining the Target Level
4.3. Collecting Supporting Evidence
4.4. Performing the Evaluation