How a Leading Telehealth Platform Implements Data Classification and Grading for Security

1. Value of Data Classification and Grading

Compliance with the Data Security Law and Personal Information Protection Law requires a formal data classification and grading system; it also helps identify sensitive data, balance data utility with protection, and support business operations by providing a clear data asset inventory.

2. Classification and Grading Approach

The team built a three‑pillar framework covering governance, technical tools, and operational processes, then applied it to data sharing and usage scenarios.

3. Institutional Construction

For financial firms, the People’s Bank of China’s JRT 0197‑2020 guide provides ready‑made classification rules. The healthcare sector lacks a unified standard, so the team referenced GB_T 39725‑2020 (Health‑care Data Security Guide) and adapted it to internet‑medical business needs, defining classification rules and usage requirements.

4. Data Classification Rules

Based on GB_T 39725‑2020 and internal scenarios, six categories were defined: personal attribute data, identity authentication data, health‑related data, medical application data, medical payment data, and others.

5. Data Grading Rules

Four sensitivity levels were established, also derived from GB_T 39725‑2020, to support lifecycle security management.

6. Tooling Construction

6.1 Data Asset Management Platform

Built on an automated database management platform, it links data assets to database schemas and business systems, offering classification lists, security work‑order flows, third‑party data management, and sensitive data export/view modules.

6.2 Sensitive Data Identification Tool

Using the open‑source D18N engine, the platform scans relational databases via keyword and regex matching. Custom rules were added for URL‑type medical records and other domain‑specific patterns.

6.3 Data Security Monitoring Dashboard

Grafana visualizes classification results, data distribution, and usage monitoring. Data sources include MySQL, ClickHouse, and Elasticsearch from the asset platform.

7. Process Construction

7.1 Classification During Data Ingestion

When developers submit MySQL table‑creation tickets, they self‑assess field sensitivity, tag classification and grade, and undergo security and DBA review before syncing to the asset inventory.

7.2 Classification of Existing Data

Periodic scans of backup databases using the sensitive‑data tool detect missed fields; results are de‑duplicated, reviewed, and synchronized to downstream systems such as masking and encryption services.

Sample scan result list:

7.3 Additional Workflows

Rule changes triggered by regulatory updates or business adjustments, reviewed by security or business owners.

Big‑data usage restrictions: Level‑4 data is prohibited in big‑data clusters; Level‑3 requires explicit authorization.

Sensitive data export/view requires strict approval of purpose and volume.

8. Results Presentation

8.1 Data Asset Inventory

The inventory lists each field’s classification, security level, associated system, big‑data consumption status, and masking status.

8.2 Asset Distribution Maps

Static and partner‑consumption maps show sensitive data locations across applications and external collaborators.

9. Future Outlook

9.1 Recognizing Complex Medical Data

Advanced techniques such as image recognition and NLP are needed to classify unstructured medical records.

9.2 Building Data Lineage

Dynamic lineage maps will illustrate data flow across subsystems, enabling finer‑grained access control and encryption policies.

9.3 Integrating with Security Controls

Classification outcomes must be combined with DLP, masking, encryption, access control, and audit mechanisms to balance business agility with risk mitigation.

Successful implementation requires early stakeholder alignment, continuous communication with development, operations, and big‑data teams, and extensive training to embed the classification discipline across the organization.