Cyber China

China’s first full cybersecurity law came into effect in June 2017, bringing with it new requirements and protections. The life sciences sector should take note of its impact on connected medical devices, as well as on traditional pharma companies and medical institutions.

The Standing Committee of the National People’s Congress passed China’s first cohesive cybersecurity law on 7 November 2016, which came into effect from 1 June 2017, and regulates the establishment, operation, maintenance and use of networks within the territory of China. The activities of telecom operators, online service providers, device manufacturers, personal data controllers and even ordinary users will all fall within its scope. Since the law has been passed, some further implementation rules and guidance have been published that provide clarification as to its actual scope.

Network Operators

The law establishes new security stipulations for network operators – the owners or administrators of networks or online service providers. The main conditions include:

• Establishing internal protection systems such as formulating management policies and procedures and designating personnel responsible for cybersecurity matters
• Adopting necessary technical measures to prevent intrusion and attacks like monitoring operators and keeping records of these observations for at least six months, conducting data classification, backup and encryption, as well as establishing adequate response and mitigation processes to cope with interferences
• Following the principles and requirements protecting personal information

It also creates additional demands for operators of critical information infrastructure (CII). CII is used in public communication and information services, energy, transportation, water conservancy, finance, public services, electronic government systems and other important industries and areas, as well as those that might seriously endanger national security, citizens’ wellbeing and public interests if impaired or breached.

A CII operator must exclusively store all personal and important data that it collects in China within that territory – the so-called ‘data localisation’ requirement. If a CII operator wants to transfer such information overseas, it must pass a security assessment. In addition, if the products or services used by CII operations may involve national security, they will be subject to national security reviews.

Products, Services and Data Protection

Products and services must comply with the applicable national standards which the government is currently formulating. In addition, the government will publish a catalogue of “critical equipment and specialised network security products”, detailing those that can only be sold or supplied to users after they pass rigorous security examinations and are certified by the designated testing institutions.

The new law states that suppliers of network products and services must not install malicious programmes within them. Further, if a supplier discovers vulnerability in a product, they are obliged to mitigate and rectify any damage as soon as possible and must alert users and the government. Suppliers should also provide security maintenance.

Requirements concerning the collection, processing and use of personal data already exist in various laws and administrative regulations. China’s law addresses these from a cybersecurity perspective, such as notifying subjects of the kind of personal data involved, as well as how such information will be collected and processed, obtaining consent from the relevant individuals and taking the necessary measures to ensure security. If a cybersecurity incident occurs, adequate response mechanisms must be in place that include reporting it to the administrative authorities and telling the affected subject.

Notably, to address the practicalities of using this information in big data projects, the law now permits information to be distributed without consent if it has been anonymised and is incapable of identifying a specific individual.

Cause and Effect

Although the approach of the authorities in enforcing the law may still be unknown at time of writing, the following key developments since it has been passed provide a flavour of how some of the above requirements will be implemented in practice:

Security Reviews

The government published the Draft Measures for the Security Reviews of Network Products and Services on 4 February 2017, setting out the general framework for national security reviews, the focus of which is determining if products or services

are secure and controllable. The key considerations will be:

• The chances of the products or services being illegally manipulated or disrupted
• The risks involved in their development, delivery and technical support
• The potential for them to be employed to infringe user information or conduct unfair competition

These measures propose the establishment of a network security review committee and office, which will take responsibility for formulating key policies and organising security reviews respectively.

Outbound Transfer of Data

On 11 April 2017, the Draft Assessment Measures for Outbound Transfer of Personal Data and Important Data were published to solicit public opinions. They state that all personal or important data collected by network operators in China must be stored within the territory and if operators want to transfer such information to overseas countries, they will need to complete security assessments. In some circumstances – like those involving the personal data of more than 500,000 individuals, over 1,000GB data or certain sensitive data – self-conducted security assessments will not be sufficient and it will be necessary to apply to the relevant government authorities for a supervised assessment.

The Draft Assessment Measures expand the scope of the data localisation requirement under the law. If the final version remains unchanged, both international companies working in China and domestic firms already operating or planning to expand overseas are likely to have to adjust their current data hosting plans in order to comply.

Technical Standards and Specifications

According to the law, the government will need to formulate a series of technical standards, specifications and catalogues to implement the specific regulatory requirements. The National Information Security Standardisation Technical Committee is currently in the process of formulating these.

A key focus is to ensure the demands of the “cybersecurity multi-level protection system” can be met. Some of the draft standards have been published to solicit public comments.

Feeling the Impact

The life sciences sector should take note of the impact that the law is likely to have on connected medical devices, as well as on traditional pharmaceutical companies and medical institutions:

Medical Devices

The cybersecurity of medical devices is not just significant due to the sensitive and personal information that is collected and processed through them, but also because the user’s health could be put at risk if the device’s functionality is interfered with.

In accordance with the general principle of the law, the China Food and Drug Administration (CFDA) published the Guiding Principles on the Technical Reviews of the Cybersecurity Registration of Medical Devices in January 2017. These apply to the registration of Type 2 and Type 3 medical devices that can be connected to networks to conduct electronic data exchanges or remote control, or those that use storage media to exchange information. The Guiding Principles are not mandatory, but the CFDA is likely to base their reviews of registration applications on them.

Without being duly registered, no connected medical devices can be sold in the market. According to the Guiding Principles, a key aspect of the cybersecurity of connected medical devices is the confidentiality, integrity and availability of the data generated and used. When deciding on an appropriate data exchange and remote control method, manufacturers will need to consider the data type – such as personal information of users or device operations data – and the device function. Additionally, the Guiding Principles focus on the technology used in medical devices like user access, encryption, attack prevention and response mechanisms. They also require manufacturers to demonstrate that they can monitor preinstalled software in medical devices as well as provide the necessary updates and keep accurate logs.

Generally, more countries have started to focus on addressing cybersecurity issues in medical devices. Considering the possibility that a single connected device might even be able to jeopardise global cybersecurity, it is likely that there will be increased international cooperation in this area in the future. The Guiding Principles encourage manufacturers to refer to the relevant international standards when establishing their protection mechanisms. The 19 types of cybersecurity capabilities provided in the IEC/TR 8000122 are specifically mentioned in the guidelines.

Pharma Companies

Firms are constantly creating new intellectual property (IP) and undertaking pioneering R&D, both of which constitute desirable insider information in the mergers and acquisitions market. This factor, combined with high reliance on IT systems and providers, make pharma businesses a target for industrial espionage, IP theft and service denial. A cyberattack that leads to the theft of a formula for a new drug, trade secrets or sensitive personal data can significantly damage an organisation’s economic interests as well as its reputation.

The law implements strict requirements, including higher security standards for devices and equipment used in networks and more comprehensive security management systems adopted by their operators, in an effort to create a safer cyberspace environment. It is hoped that these will lead to a heightened awareness among companies of the serious implications that a breach of cybersecurity can cause and consequently encourage them to take active measures to protect their data.

Medical Institutions

As mentioned above, the government is currently drafting a catalogue that will determine the scope of CII. At the time of writing this catalogue has not yet been released, but the Chinese government has previously organised a cybersecurity examination, which categorised the websites, platforms and operation-related infrastructure used by hospitals, disease control institutions and emergency centres as CII. If the catalogue follows the same approach, medical institutions that operate their own CII will be subject to the data localisation requirement, as well as the national security reviews when purchasing products or services.

Becoming Secure

The law has been widely reported across both local and international media and has generated mixed responses. As cybersecurity becomes an increasingly important global priority, the law indisputably demonstrates China’s clear commitment to managing and preventing risks in this area. However, concerns have stemmed from the increased compliance demands that could be burdensome in terms of both cost and time.

These apprehensions are heightened due to the somewhat broad drafting of the current law, meaning its true scope is not yet clear. It is likely that more detailed implementation rules, technical standards and sectoral requirements will be published to provide clarification and guidance, decreasing this apprehension.

Undoubtedly, the law will create greater compliance obligations, but these will be outweighed by the improved management and operations of cybersecurity, leading to a more secure digital environment in China.

This article is taken from Innovations in Pharmaceutical Technology July 2017, pages 26-28. © Samedan Ltd