March 5, 2020 Appeal for Opinions on Draft Safety Management Guidelines for Providers of Information Systems and Services Handling Medical Information

For the security management of medical information, the Cloud Operator Guidelines of the Ministry of Internal Affairs and Communications (MIC) and the Information Processing Provider Guidelines of the Ministry of Economy, Trade and Industry (METI) stipulate the necessary measures for providers of information systems and services (hereinafter referred to as “medical information systems”) to handle medical information.
In recent years, the diversification of forms of providing information services has made it necessary for providers of medical information systems to refer to and respond to both two guidelines. This time, MIC has drafted Safety Management Guidelines for Providers of Information Systems and Services Handling Medical Information and decided to make an appeal for opinions from Friday, March 6 through Monday, April 6, 2020, on the draft.

1. Overview

MIC and METI have guidelines for providers of medical information systems to ensure the safety of electronically creating and storing medical information. Specifically, they are MIC’s Guidelines on Safety Management for Medical Service Handling by Cloud Service Providers (First Edition) for cloud service providers, such as ASP, SaaS, PaaS, and IaaS (established in July 2018, hereinafter referred to as “Cloud Operator Guidelines”) and METI’s Guidelines for Safety Management of Information Processing Businesses that Entrust and Manage Medical Information (Second Edition) (established in October 2012, hereinafter referred to as “Guidelines for Information Processing Businesses”). These guidelines prescribe necessary measures for the security management of medical information.
In recent years, due to the diversification of forms of providing information services, it has become necessary for providers of medical information systems to respond by referring to both the Guidelines for Information Processing Businesses and the Cloud Operator Guidelines. Therefore, MIC and METI have decided to integrate and revise the two guidelines. The following policies are being considered for revision:

• Attention should be paid to ensuring consistency with other standards and guidelines, and a level of safety management equivalent to compliance with the past guidelines will be ensured.
• For designing necessary and enough countermeasures according to the characteristics of medical information systems, requirements will not be defined uniformly. Still, a risk management process based on a risk-based approach will be defined.
• Emphasis is placed on risk communication between medical institutions and providers of medical information systems to operate medical information systems based on correct mutual understanding and explicit agreement on security measures.
• The guidelines will clarify the points to be considered in handling medical information and system requirements and prevent any omission of countermeasures against the demands of laws and regulations related to the medical information system.

In revising the guidelines, MIC and METI have jointly held a review group called the Study Group for Revision of Safety Management Guidelines for Information Processing Providers Accepting Medical Information and have been conducting discussions. Based on the results of the Study Group’s deliberations, MIC has drafted Safety Management Guidelines for Providers of Information Systems and Services Handling Medical Information and decided to make an appeal for opinions on the draft.

2. Procedure of appeal for opinions

Subject

Draft Safety Management Guidelines for Providers of Information Systems and Services Handling Medical Information

Period of submission

No later than noon on Monday, April 6, 2020 (Submission of opinions by mail must also arrive no later than the deadline date).
For details, see the linked procedure for the public appeal for opinions.

3. Future plans

With consideration of submitted opinions, the above study group will deliberate and publish the Safety Management Guidelines for Providers of Information Systems and Services Handling Medical Information.

4. Method for obtaining references

MIC will post the attachments on the press release page of MIC’s official website (https://www.soumu.go.jp) around 2 pm today (Thursday, March 5) and also make them available for viewing and providing copies at MIC’s Information and Communications Bureau (Central Gov’t Building No. 2 11F). Furthermore, the 2PDF link will be posted on the public comment page of the e-Gov (https://www.e-gov.go.jp/ ).

5. Joint announcement

This press release can also be viewed on the News Releases on the Ministry of Economy, Trade and Industry website (https://www.meti.go.jp/ ).