The healthcare sector faces unprecedented data-security pressures. On one hand, laws and regulations such as the Cryptography Law of the People’s Republic of China, the Commercial Cryptography Administration Regulations, and the Cybersecurity Management Measures for Medical Institutions create increasingly strict compliance safeguards. On the other hand, hospital information systems handle massive amounts of sensitive data—from patient identities and electronic medical records to treatment data—making every data point a priority for privacy protection.

Traditional cryptography solutions face three core challenges in healthcare: (1) complex and heavy business processes, (2) high barriers to system upgrades, and (3) balancing security with business needs.
With assistance from Beijing Infosec, a hospital in Gansu used commercial cryptography as the engine and a commercial-cryptography-based modernization plan as the vehicle. The hospital became one of the early institutions in the province to pass security evaluations for commercial-cryptography applications and to file the required records, establishing a replicable “Gansu Path” for cryptography deployment across the province and potentially nationwide.
Beijing Infosec tailored a four-layer cryptography architecture for the hospital, covering physical/environment, network/communication, devices/compute, and applications/data. Rooted in domestic cryptographic algorithms, the full-stack commercial-cryptography defense system provides comprehensive protection.
1. Easy-to-adapt enablement: data encryption with zero-friction deployment
A data encryption/decryption system paired with transparent encryption techniques implements table-level encryption for important data. Core systems such as HIS and EMR require no complex retooling, while data at rest remains encrypted, achieving true “business zero-friction, security with no blind spots.”
2. Comprehensive coverage: identity verification and secure transmission
At the network and communications layer, a national-standard SSL VPN gateway is deployed, enabling secure TLCP-based encrypted transmission between healthcare staff and the gateway via VPN clients. At the device and compute level, operations staff use USB key smart credentials and the SSL VPN gateway, with SM2/SM4/SM3 for authentication and transmission encryption, ensuring secure and controllable maintenance channels.
3. Application-layer hardening: coordinated signing and electronic seals
A mobile single sign-on security management system provides strong authentication via coordinated-signing technology when staff scan to log in. The existing electronic-signature system and timestamp server are reused, using SM2-based digital seals with timestamps to support paperless operations and ensure the authenticity, integrity, and non-repudiation of documents such as electronic medical records and receipts.
4. Physical environment protection: national-standard access control and video surveillance
National-standard secure access control and video-surveillance systems use SM4 and HMAC-SM3 to verify the identities of personnel entering the data center and to protect entry logs and surveillance footage, establishing a robust physical-security first line of defense.
Since deployment, the hospital’s commercial-cryptography solution has achieved a deep integration of security capability and business efficiency.
All components are built on SM algorithms (SM2/SM3/SM4) and cover identity authentication, secure transmission, data storage, and physical security across the full chain, effectively preventing data leakage and unauthorized access.
In addition, leveraging transparent encryption and coordinated-signing, the solution enables “zero-modification” integration with applications, reducing the technical and financial barriers to cryptography modernization while ensuring security and compliance.
The project also complies with the “Specification for Security Evaluation of Commercial Cryptography Applications” and has passed cryptographic evaluations and filings. It established a robust cryptography operations framework and key-management policy to support future business expansion and technological evolution, with flexible integration of new cryptography services as the hospital grows.
Future outlook: hardening the digital-health safety foundation
This commercial-cryptography deployment at the hospital represents another successful exploration for Infosec in healthcare cryptography applications. The project delivers a repeatable model of “easy-to-deploy, full-scene coverage” for cryptography practices, offering a strong demonstration for the healthcare sector within Gansu and paving the way for scalable adoption of cryptography security across the national healthcare information system.