YD/T 4538-2023
Technical requirements for personal information protection of Internet medical and health mobile application software (APP) (English Version)

Standard No.
YD/T 4538-2023
Language
Chinese, Available in English version
Release Date
2023
Published By
Professional Standard - Post and Telecommunication (CN / YD)
Latest
YD/T 4538-2023

Introduction

Analysis of the core content of the standard

This standard is the first to establish a sector-specific technical framework for personal information protection in medical and health apps. It focuses on the following areas:

  • Four categories of sensitive information specific to medical and health apps
  • A network security baseline that meets the Level 2 requirements of the Multi-Level Protection Scheme (MLPS) 2.0
  • Full life cycle management requirements, from collection through to destruction

Medical and health information classification system

Information category          | Typical data items                              | Protection level
------------------------------|-------------------------------------------------|-----------------
Personal attribute information| ID number, biometrics, etc.                     | L3
Health status information     | Medical history, physical examination data, etc.| L4
Medical application information| Diagnosis records, medication information, etc.| L4
Personal genetic information  | Genetic data, etc.                              | L5

Comparison of key technical requirements

Differences from traditional APP protection standards

Compared with the general-purpose standard GB/T 35273, this specification adds:

  1. Special protection of genetic information: blockchain and similar technologies are required to ensure that the data cannot be tampered with
  2. Principle of medical data minimization: the online consultation function must not make collection of geographic location mandatory
  3. Emergency response mechanism: a medical data leak must be handled within 2 hours

Implementation suggestions

Technical implementation path

  • Data classification and grading: refer to Appendix A to establish a risk matrix
  • Encrypted storage solution: data at level L4 and above must be protected with Chinese national cryptographic (SM-series) algorithms
  • Dynamic permission control: implement fine-grained authorization based on the RBAC model

Key points of compliance management

  1. Perform at least 3 penetration tests per year
  2. Establish an operation and maintenance audit system with two-factor authentication
  3. Sharing data with third parties requires a separate data processing agreement (DPA)

Analysis of Standard Evolution

Together with the Data Security Law and the Personal Information Protection Law, this standard forms a three-part regulatory framework. The evolution of its technical requirements is as follows:

  • The 2023 edition adds special protection clauses for AI diagnosis and treatment data
  • Technical specifications for federated learning are planned
  • Detailed rules for cross-border flows of medical data are being drafted

YD/T 4538-2023 Referenced Documents

  • GB/T 25069 Information security techniques—Terminology
  • GB/T 35273 Information security technology—Personal information security specification

YD/T 4538-2023 History

  • 2023 YD/T 4538-2023 Technical requirements for personal information protection of Internet medical and health mobile application software (APP)
