Step 1: Demarcate the boundaries of the "safe" and its environment (security area boundary)
OCT devices should not be directly exposed to public networks. First, it is necessary to plan the security domain.
1. Network partition isolation
Medical equipment dedicated network: OCT devices, PACS servers, image storage servers, etc. are classified into an independent VLAN and logically isolated from the office network and the Internet.
Firewall policy: Deploy firewalls at the network boundary and strictly follow the "principle of least privilege". Only specific, necessary ports and IP addresses are allowed to communicate (for example, port 104 for the DICOM protocol, or a specific port of the hospital information system). Any unauthorized external access is prohibited.
3. Physical Access Control
The computer room where OCT equipment and core servers are placed should implement strict physical access control and video surveillance management to prevent unauthorized physical contact.
Step 2: Build a sturdy box for the "safe" (secure computing environment)
This is the core layer that protects the data itself.
1. OCT Equipment and Terminal Security
Harden the operating system: Harden the operating system of the industrial control computer or embedded computer built into the OCT device, as well as that of the diagnostic workstation.
Anti-virus software: Install hospital-specific anti-virus software and update the virus database regularly.
Identity authentication: Logging in to the system with a unique personal username and a strong password is mandatory. For systems at Level 3 of classified protection, two-factor authentication should be mandatory.
2. Data storage encryption (lock of the safe):
Encryption of data at rest: All OCT image data must be encrypted when stored on disk. Available options:
Transparent database encryption: Encrypting sensitive fields in the database.
Storage layer encryption: Encrypt the entire disk or volume using the built-in encryption function of the storage device or operating system-level encryption.
File-level encryption: Encrypting a single DICOM file.
Key management: Encryption keys must be managed centrally by a dedicated key management system, stored separately from the encrypted data, and rotated regularly. This is the key point of the classified protection requirements.
3. Application Security
Ensure that the PACS software and OCT device software themselves have no known high-risk vulnerabilities, and conduct regular security assessments.
Step 3: Ensure "safety during transportation" (communication network security)
When data is transmitted between OCT devices, PACS servers and diagnostic workstations, it is necessary to prevent eavesdropping and tampering.
1. Transmission encryption
Enforce the use of encryption protocols such as DICOM over TLS or DICOM over HTTPS to replace the traditional plaintext DICOM protocol. This ensures that data is encrypted when transmitted over the network, similar to HTTPS protecting web page communication.
For scenarios such as remote consultation that require cross-internet transmission, a VPN encrypted tunnel must be established.
Step 4: Establish a monitoring and management center for the "safe" (security management center)
This is the brain and nerve center of the "safe", responsible for monitoring, auditing and emergency response.
1. Log audit (recording who opened the box):
Collect all logs related to OCT data centrally, including: user login/logout logs, logs of OCT image creation, modification, deletion, access, printing, export and other operations. These logs must be retained for no less than six months.
Classified protection requires that log content cannot be tampered with, so it is necessary to deploy a professional log auditing system.
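The tamper-resistance requirement above can be illustrated with a hash-chained audit log. This is an added example, not code from ZD Medical or from any log auditing product. The key, field names, user name and events are constructed for the demonstration, and in practice the key would come from the key management system.

```python
import hashlib
import hmac
import json

# Assumption: in production this key is held by the key management system,
# not in source code. Constructed value for the demonstration.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first record


def _mac(prev_mac: str, event: dict) -> str:
    """HMAC-SHA256 over the previous record's MAC plus the canonical event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append_event(log: list, event: dict) -> None:
    """Append an audit event, chaining it to the record before it."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"event": event, "mac": _mac(prev, event)})


def verify_chain(log: list, expected_last_mac=None) -> int:
    """Return -1 if the log is intact, else the index of the first bad record.

    expected_last_mac is the MAC of the newest record as saved on a separate
    system; comparing against it detects truncation of the log's tail.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["mac"], _mac(prev, rec["event"])):
            return i
        prev = rec["mac"]
    if expected_last_mac is not None and not hmac.compare_digest(prev, expected_last_mac):
        return len(log)
    return -1


def build_sample_log() -> list:
    """Constructed sample events covering the operations the text lists."""
    log = []
    for ev in [
        {"ts": "2025-01-10T08:01:12Z", "user": "dr_li", "op": "login"},
        {"ts": "2025-01-10T08:03:40Z", "user": "dr_li", "op": "access", "image": "OCT-0001"},
        {"ts": "2025-01-10T08:05:02Z", "user": "dr_li", "op": "export", "image": "OCT-0001"},
        {"ts": "2025-01-10T08:09:55Z", "user": "dr_li", "op": "logout"},
    ]:
        append_event(log, ev)
    return log
```

Editing or deleting any record breaks every MAC after it, and storing the latest MAC on a separate system lets the auditor detect a log whose most recent entries were cut off.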
2. Database Audit
For operations that directly access the database, a database auditing system is deployed to record all access behaviors to OCT data tables, especially high-risk operations.
3. Operation and Maintenance Management and Security Audit
Record system administrators' operations on video and log the commands they issue, so that every action is traceable.
Regularly conduct security risk assessments and vulnerability scans.
4. Data Backup and Recovery (spare key for the safe):
Formulate a complete data backup strategy and regularly back up OCT image data and related patient information.
Regularly conduct disaster recovery drills to ensure that business and data can be quickly restored in the event of data loss, system downtime or ransomware attacks. Backup data also needs to be encrypted for protection.
You are also welcome to contact us. We are ZD Medical Inc.
Tel : +86-187 9586 9515
Email : sales@zd-med.com
Whatsapp/Mobile : +86-187 9586 9515