The Healthcare Institutions Cybersecurity Regulation (issued and effective on 8 August, 2022) (the ‘Regulation’) is a new sector-specific cybersecurity regulation with which hospitals and clinics operating in China must comply.
The Regulation is one of a number of new data and cybersecurity rules applicable to the pharmaceutical, biotech and healthcare industry which have been issued by Chinese regulators this year, including the Cybersecurity Review Measures and the Measures on Security Assessment of Cross-border Data Transfer. Consultation papers have also been issued by Chinese regulators in relation to the Implementation Regulation to the Rules on Human Genetic Resources Administration and amendments to the Cybersecurity Law (to increase the penalties for individuals and companies). These laws and regulations are expected to be formally adopted soon.
This article highlights some of the new requirements contained in the Regulation, including a significant number of specific legal obligations. In particular, the Regulation incorporates many elements of MLPS 2.0. Furthermore, the outbound data transfer requirement set out in the Regulation is stricter than the requirements contained in the China Cybersecurity Law, Data Security Law and Personal Information Protection Law.
Companies in the life sciences industry which are operating in, or considering expanding into, China should evaluate the Regulation and prepare accordingly.