FEMH Magazine

  • 2025-11-03

Your Health Data — We Protect It Together — Hospital Information Security Mini Guide

Digital Development Department Engineer Jin Zhenyuan


1. Why Do Hospitals Also Need “Information Security”?

       When you walk into a hospital — whether for registration, consultation, examination, or picking up medication — there’s actually a vast information system running in the background. These systems store your personal information, medical records, lab reports, imaging files, and even medication history.

       In the past, hospital records might have been paper charts locked in a cabinet; today, almost all data is digitized and connected to the internet. While this brings convenience, it also exposes the data to risks such as hacker attacks and data breaches.

       In the era of rapidly developing digital healthcare, hospital operations and medical services are highly dependent on information systems, including the Hospital Information System (HIS), Picture Archiving and Communication System (PACS), Electronic Medical Record system (EMR), Laboratory Information System (LIS), Nursing Information System (NIS), and pharmacy management systems. However, medical data is both highly sensitive and highly valuable, making it a prime target for hackers.

        In recent years, numerous domestic and international hospitals have been attacked by ransomware. Once hackers infiltrate the system, they encrypt medical records and lab data, demanding ransom to unlock them; if refused, they may even publish the data online. This not only disrupts medical services but also poses serious threats to patient privacy.

         Therefore, incorporating information security into hospital governance is not only a regulatory requirement but also a core responsibility for maintaining care quality, protecting patient rights, and safeguarding the hospital’s reputation.


2. What Is a Ransomware Attack?

        Ransomware is a type of malicious software that locks your files and demands payment to unlock them. For the average person, this could mean losing access to photos or documents; for a hospital, it could mean the ER’s medical record system or the operating room’s imaging equipment becomes unusable.

In a hospital setting, such attacks can lead to:

O   Delayed treatment: Medical records become inaccessible, preventing doctors from promptly assessing patient conditions.

O   Testing shutdowns: Radiology images or lab results can’t be transmitted, forcing patients to wait.

O   Privacy breaches: Personal data could be sold or leaked by hackers.


3. How Does the Hospital Protect Your Data?

      Our hospital has a comprehensive information security protection strategy, which can be understood as “three lines of defense”:

(1) Policies and Regulations

O   Establish information security policies and a hospital personal data protection plan to ensure the CIA triad: Confidentiality, Integrity, and Availability. Clearly regulate how data is collected, processed, used, and destroyed.

O   Sign information security responsibility clauses with all partners to ensure outsourced services follow the same standards.

(2) Technical Safeguards

O   Deploy antivirus systems, firewalls, intrusion detection and prevention systems (IDS/IPS), and endpoint detection and response (EDR) to continuously monitor abnormal traffic.

O   Implement offsite/offline backups for critical systems to enable rapid recovery after attacks.

O   Apply the “principle of least privilege” so each medical staff member can only access data necessary for their work.

O   Conduct regular vulnerability assessment and penetration testing, and implement a Zero Trust architecture to control cross-network access.
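As an added illustration of the “principle of least privilege” mentioned above, the following example (written for this guide, not the hospital’s actual access-control code) shows how a deny-by-default access policy decides whether a staff member may read or write a given type of patient record. The roles, record types, staff ids and patient ids are constructed sample values; the extra “treating relationship” check, which requires clinical staff to be on the patient’s care team, is an assumed design choice rather than a documented hospital rule.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample policy: the (record type, action) pairs each role may use.
# Deny-by-default: any pair not listed for a role is refused.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "physician":  frozenset({("emr", "read"), ("emr", "write"),
                             ("lab", "read"), ("imaging", "read"),
                             ("prescription", "read"), ("prescription", "write")}),
    "nurse":      frozenset({("emr", "read"), ("lab", "read"),
                             ("prescription", "read")}),
    "pharmacist": frozenset({("prescription", "read"), ("prescription", "write")}),
    "lab_tech":   frozenset({("lab", "read"), ("lab", "write")}),
    "billing":    frozenset({("billing", "read"), ("billing", "write")}),
}


@dataclass
class AccessRequest:
    user: str          # staff user id (constructed)
    role: str          # role claimed by the directory / login system
    patient_id: str    # patient whose record is requested
    record_type: str   # "emr", "lab", "imaging", "prescription", "billing"
    action: str        # "read" or "write"


@dataclass
class AccessPolicy:
    # care_team maps a patient id to the staff ids assigned to that patient.
    care_team: Dict[str, FrozenSet[str]]
    # Every decision, allowed or denied, is appended here for later review.
    audit_log: List[str] = field(default_factory=list)

    def decide(self, req: AccessRequest) -> bool:
        """Return True only if both the role and the care relationship permit it."""
        allowed_ops = ROLE_PERMISSIONS.get(req.role, frozenset())  # unknown role -> empty set
        role_ok = (req.record_type, req.action) in allowed_ops

        # Clinical records additionally require a treating relationship with the
        # patient; billing data is handled by billing staff without that check.
        needs_relationship = req.record_type != "billing"
        on_team = req.user in self.care_team.get(req.patient_id, frozenset())
        relationship_ok = (not needs_relationship) or on_team

        decision = role_ok and relationship_ok
        self.audit_log.append(
            f"user={req.user} role={req.role} patient={req.patient_id} "
            f"{req.action}:{req.record_type} -> {'ALLOW' if decision else 'DENY'}"
        )
        return decision


def run_sample() -> List[bool]:
    """Evaluate a few constructed requests and return the decisions in order."""
    policy = AccessPolicy(care_team={"P001": frozenset({"dr_lee", "rn_chen"})})
    requests = [
        AccessRequest("dr_lee", "physician", "P001", "emr", "write"),       # on team, role allows
        AccessRequest("rn_chen", "nurse", "P001", "emr", "write"),          # nurse may only read EMR
        AccessRequest("dr_wang", "physician", "P001", "emr", "read"),       # physician, but not on care team
        AccessRequest("acct_lin", "billing", "P001", "billing", "read"),    # billing data, no team check
        AccessRequest("acct_lin", "billing", "P001", "emr", "read"),        # billing staff cannot read EMR
        AccessRequest("tmp_user", "visitor", "P001", "emr", "read"),        # unknown role -> deny
    ]
    decisions = [policy.decide(r) for r in requests]
    for line in policy.audit_log:
        print(line)
    return decisions


if __name__ == "__main__":
    run_sample()
```

The two checks are deliberately independent: the role table limits what a job function may ever do, and the care-team lookup limits which patients a person may act on, so a legitimate physician still cannot browse records of patients they are not treating. The audit log records denials as well as approvals, which is what makes unusual access patterns visible to the monitoring described above.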

(3) Personnel Education and Drills

O   Provide regular information security training to help staff identify phishing emails and suspicious links.

O   Conduct annual incident response drills and disaster recovery drills (DR Drills) to simulate system downtime and ensure uninterrupted clinical services.


4. Three Things the Public Can Also Do

       Information security isn’t solely the hospital’s responsibility — you can help protect your data, too:

(1)   Be cautious with public Wi-Fi
Avoid checking medical information over public Wi-Fi in cafes or stations; use mobile data or a VPN instead.

(2)   Don’t click unknown links
If you receive a text message or email claiming to be from the hospital, verify its source before clicking or replying.

(3)   Ask about data usage during visits
When signing consent forms, inquire about data retention periods and usage scope to protect your rights.


5. Lessons from Recent Healthcare Cyber Incidents

         In early 2025, several hospitals in Taiwan were attacked by ransomware, causing system outages and concerns over data leaks. Although most hospitals quickly activated backup systems, the incident reminds us:

O   Cyber incidents can happen anytime.

O   Hospitals that conduct drills and prepare recover faster.

O   Participation from everyone — from the hospital director to every staff member and even patients — is key to cybersecurity awareness.


6. Our Commitment

As your partner in protecting health, we promise to:

O   Continuously invest in the latest cybersecurity technologies.

O   Regularly review and improve security processes.

O   Protect every patient’s data to the highest standard.

       Your trust is our most valuable asset. We will continue to share cybersecurity knowledge and healthcare information so everyone can enjoy convenient medical services without compromising safety.


Note: If you receive any suspicious messages after a hospital visit, please contact the hospital’s official customer service immediately — do not reply or click unknown links.