Privacy Protection
Medical Information Architecture
The Hospital’s information systems are divided into three main sections: clinical care, hospital management, and teaching and research. Both the clinical care and hospital management systems are equipped with dual server rooms, dual mainframes, and dual-loop connections. Additionally, the outpatient system includes a standalone version for use in case of system failure. All in-hospital data are stored in a private cloud, which serves the needs of all hospital staff and the management team.
In the past, due to the immense and complex nature of the Hospital’s information systems—with hundreds of functional subsystems directly or indirectly interconnected—maintenance was difficult and interdependencies often posed barriers to integration with external organizations. In response to evolving trends, the Hospital’s Information Technology Office undertook a system reengineering project from 2009 to 2013. During this period, a microservices architecture was gradually implemented, breaking down the system into independent functional modules. This transformation significantly enhanced the system’s availability and scalability, enabling development, updates, or the addition of specific cybersecurity mechanisms for different tasks without affecting the overall system or other functions.
Currently, NCKU Hospital has upgraded most of its non-core subsystems to a microservices architecture and continues to develop related information integration services with external institutions, enabling real-time transmission and sharing of information. The Hospital is also in the process of reconstructing its core internal systems using microservices. Following the virtualization of the Picture Archiving and Communication System (PACS) and the Clinical Information System (CIS), this is expected to further enhance the flexibility of deployment, maintenance, expansion, and management of each functional module, while accelerating heterogeneous integration and application across systems.
Cybersecurity Joint Defense Mechanism
As one of the critical infrastructures in the medical field, NCKU Hospital has been designated by the Executive Yuan National Security Office as an A-level agency in information and communication security responsibility. The Hospital has established various operational protocols and annually appoints consultants for guidance, thereby enhancing the information security maintenance plan and reporting implementation status to the Executive Yuan’s performance assessment system each year. Since 2016, the Hospital has passed ISO 27001 information security certification and has gradually expanded the certification scope to include HIS (outpatient, emergency, inpatient, and laboratory), the PACS system, electronic medical records, and the NHI medical information cloud inquiry system. Recertification is conducted every three years, with annual reviews, and the Hospital completed the ISO 27001:2022 transition certification in 2024.
By joining the Health-Information Sharing and Analysis Center (H-ISAC) for the healthcare sector, the Hospital shares cybersecurity intelligence with peer institutions, promotes relevant policies internally in a timely manner, and enhances staff awareness of cybersecurity efforts. The Hospital also commissions a top-rated cybersecurity firm to establish a Security Operations Center (SOC) to monitor the Hospital’s cybersecurity status and transmit incident data in real time to the Ministry of Health and Welfare’s H-SOC platform and the National Security Operation Center (N-SOC) platform to prevent cybersecurity incidents.
In 2022, the Hospital also signed the “Memorandum of Cooperation on National Cybersecurity Joint Defense and Intelligence Sharing” and the “Security Protection Support Agreement” with the Tainan City Investigation Office. This established a “Regional Joint Defense” mechanism, elevating cybersecurity protection to a national security level. The Hospital can leverage the Ministry of Justice Investigation Bureau’s intelligence on early warnings of security threats to guard against malicious cybersecurity threats and hacker attacks. In the event of man-made, natural, or accidental incidents, the Hospital can also promptly receive support from the Investigation Office for emergency response and joint defense, helping NCKU Hospital protect its cybersecurity and maintain the normal operation and sustainable development of its medical services.