Copyright: © 2026 by the authors. Licensee: Pirogov University.
This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (CC BY).

REVIEW

Information security in healthcare: modern threats and protection methods

About authors

1 Yaroslavl State Medical University, Yaroslavl, Russia

2 North Caucasus State Academy, Cherkessk, Russia

Correspondence should be addressed: Olga V. Sokolova
Revolutsionnaya Str., 5, Yaroslavl, 150014, Russia; ur.xednay@392avos

Received: 2026-04-10 Accepted: 2026-04-15 Published online: 2026-04-27

Digitalization and informatization of the healthcare system, implemented within the information society development strategy and the national Healthcare project, are associated with the introduction and use of information systems in medical and pharmaceutical organizations to provide high-quality medical and medicinal care. Information systems designed to automate business processes include a set of information, software, technical, and organizational tools [1, 2]. At the same time, information systems store data from financial, economic, administrative and organizational facets; medical information about patients; research and monitoring results, etc. The use of information systems makes it possible to reduce errors when filling out accounting documents, provide quick access to large volumes of medical information, etc. [3].

The possibility of integrating information systems of medical and pharmaceutical organizations with the Unified State Information System in the Field of Healthcare (USISZ, also referred to by its Russian acronym EGISZ) is worth mentioning, as one of its tasks is to provide information support for state regulation in the field of healthcare. EGISZ includes data from the federal electronic registry, electronic patient medical records (EHRs), electronic medical documents, etc. The EGISZ information also includes federal registers. The Federal Register of Medical Workers (FRMR) is a centralized database that contains information about all medical and pharmaceutical workers in Russia. The Federal Register of Medical Organizations (FRMO) contains information about the structure, business profiles, addresses and equipment of each medical institution. The subsystems of the EGISZ are represented by a specialized patient registry for individual diseases and/or conditions, a registry of medicines for medical use, as well as an information and analytical subsystem for monitoring and control in the field of drug procurement [4].

Consequently, the integrated digital healthcare environment contains up-to-date information on technical, medicinal, and human resources in healthcare and personal health-related data of patients. However, as practice shows, digital transformation is accompanied by an increase in risks, with information security threats now occupying a leading position. Therefore, it is necessary to ensure the security of information systems for the protection of personal data of patients and specialists by developing ways to protect data and equipment from computer attacks [5–8].

Thus, the relevance of the topic is determined by several factors. First, medical data belongs to a special category of personal data. Its leakage is regarded as a violation of the patient’s right to medical confidentiality. Second, medical and pharmaceutical organizations are recognized as subjects of critical information infrastructure (CII) with increased requirements for information protection. Third, the significant increase in computer attacks on the healthcare sector confirms its high vulnerability (in the first half of 2025, their number increased by 24 % compared to the same period in 2024). Fourth, the level of digital literacy of medical and pharmaceutical workers and training in information security is often insufficient.

The above considerations determine the purpose of this work: to form an integrated approach to information security in medical and pharmaceutical organizations.

Achieving this goal required solving the following consecutive tasks:

  1. Analysis of the stages of development of information security in the healthcare sector.
  2. Identification and structuring of information security threats in healthcare.
  3. Conducting an analysis of modern information security methods and technologies.
  4. Development of recommendations and proposals for ensuring information security in medical and pharmaceutical organizations.

MATERIALS AND METHODS

The research was based on both Russian and foreign scientific publications on the use of information technology while providing medical and medicinal care. Regulatory legal acts in the field of digital transformation of healthcare were studied. In the research process, the logical method, the structural method, and method of content analysis were used.

RESULTS AND DISCUSSION

Based on the analysis of Russian regulatory documents, it is shown that both medical and pharmaceutical information are considered part of the “information constituting a medical secret” (Articles 13 and 20 of Federal Law No. 323-FZ) [9] and “special categories of personal data” (Article 10 of Federal Law No. 152-FZ) [10]. This dual legal status determines a special regime for processing such information: its collection, storage and transfer require the consent of the data subject or another lawful basis.

The formation of the legal framework for information security in Russian healthcare is a gradual process. The main focus was initially on medical secrecy and protection of personal data in accordance with Federal Law No. 152-FZ [10]. In 2017, Federal Law No. 187-FZ was adopted, which changed approaches to information protection: medical information systems (MIS) and pharmaceutical systems (PS) are classified as objects of critical information infrastructure (CII), which entailed the obligation to categorize them [11]. To meet the requirements of the law on CII, medical and medicinal care providers are required to categorize not only information systems, but also automated process control systems, which include medical equipment. It is also necessary to create departmental monitoring centers and use certified protective equipment.

In 2021, amendments to Decree of the President of the Russian Federation No. 250 [12] came into force, instructing the heads of CII organizations to create structural information security units. This requirement applies to organizations at the federal, regional, and municipal levels.

In 2022, the Government of the Russian Federation defined the tasks of the Unified State Healthcare System (USISZ), its structure, the procedures and deadlines for providing information, the participants in information interaction, the procedure for protecting information contained in the unified system, as well as requirements for software and hardware. The next important step was to tighten the requirements for using foreign software. Since 2025, CII subjects have not been allowed to use foreign-made information protection tools [13].

Thus, issues of information security protection in healthcare are being addressed at the state level.

The analysis of the identified risks of healthcare digitalization within the framework of digital information security has shown that the most likely threats are the loss of personal patient data and computer attacks on the digital databases of medical and pharmaceutical organizations [14–17].

It has been established that threats to the security of digital systems are classified according to various criteria. Therefore, to make the further study possible, a tailored classification of information security (IS) threats is essential for medical and pharmaceutical organizations. As threats come not only from outside, but also from within the organization, we have presented a classification based on the source’s location relative to the organization (figure).

External threats are manifested through targeted computer attacks. Malware is used to infect systems and block access to data; DDoS attacks on telemedicine services make it difficult for the information systems of the Ministry of Defense and the Federal District to function; phishing and social engineering, in the form of letters sent on behalf of the heads of the organization asking for a password, aim at obtaining confidential information from users. Outdated IT systems are also classified by us as external threats because they are vulnerable and can be used by intruders to gain unauthorized access.

Internal threats to information security are classified by source into unintentional and intentional actions of the organization’s employees. The threats included in the first group are related to the loss of a USB flash drive containing databases; sending confidential information from a personal email to messengers; using simple passwords for authentication. Intentional actions may be accompanied by the sale of patient data to competitors, copying of information before dismissal, violations of regulations for information systems, etc.
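The two threat groups described above can be turned into concrete detection rules. The following is an added example (not code from the article or its authors) that runs defensive detection logic over a constructed audit log of a medical information system: it flags an external burst of failed logins from a non-LAN address and an internal bulk or off-hours record export by an employee. The log format, the working-hours window, the thresholds and the 10.0.0.0/8 internal address plan are all assumptions made for this example.

```python
"""Detection logic over constructed MIS audit-log lines (added example, not from the article).

Assumed log format, one event per line (constructed for this example):
  <ISO timestamp> user=<login> action=<LOGIN_OK|LOGIN_FAIL|EXPORT> src=<ip> [records=<n>]
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events; no real users, hosts or records.
SAMPLE_LOG = """\
2026-04-10T09:01:12 user=doctor12 action=LOGIN_OK src=10.0.5.21
2026-04-10T09:02:40 user=doctor12 action=EXPORT src=10.0.5.21 records=3
2026-04-10T11:15:03 user=admin action=LOGIN_FAIL src=203.0.113.7
2026-04-10T11:15:04 user=admin action=LOGIN_FAIL src=203.0.113.7
2026-04-10T11:15:05 user=root action=LOGIN_FAIL src=203.0.113.7
2026-04-10T11:15:06 user=nurse action=LOGIN_FAIL src=203.0.113.7
2026-04-10T11:15:07 user=doctor action=LOGIN_FAIL src=203.0.113.7
2026-04-10T11:15:08 user=doctor1 action=LOGIN_FAIL src=203.0.113.7
2026-04-10T23:40:10 user=nurse07 action=LOGIN_OK src=10.0.5.12
2026-04-10T23:41:02 user=nurse07 action=EXPORT src=10.0.5.12 records=1200
"""

# Tunable assumptions for this example
WORK_START, WORK_END = 8, 20                 # local working hours (24h clock)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)
EXPORT_THRESHOLD = 100                       # records per export that warrants review
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed address plan


def parse_line(line):
    """Turn one log line into a dict; missing 'records' defaults to 0."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:])
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "user": fields["user"],
        "action": fields["action"],
        "src": fields["src"],
        "records": int(fields.get("records", 0)),
    }


def is_internal(ip):
    """True when the source address belongs to the organisation's own network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return a list of (threat_group, rule, subject) alerts for the given log text."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    alerts = []

    # External threat: a burst of failed logins from one non-LAN address (brute force / flood)
    fails = defaultdict(list)
    for ev in events:
        if ev["action"] == "LOGIN_FAIL" and not is_internal(ev["src"]):
            window = fails[ev["src"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)              # keep only failures inside the sliding window
            if len(window) == FAIL_THRESHOLD:  # fire once when the threshold is first reached
                alerts.append(("external", "login_burst", ev["src"]))

    # Internal threat: bulk export, or any export outside working hours
    for ev in events:
        if ev["action"] == "EXPORT":
            off_hours = not (WORK_START <= ev["ts"].hour < WORK_END)
            if ev["records"] >= EXPORT_THRESHOLD or off_hours:
                alerts.append(("internal", "suspicious_export", ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two rules deliberately key on different fields: the external rule is per source address, because the attacker cycles through account names, while the internal rule is per user, because the insider's address is legitimate and only the volume or timing of the export is anomalous.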

Thus, understanding specific threats to information security contributes to the formation of comprehensive protection against risks.

The theoretical foundations of information security in medical and pharmaceutical organizations involve the use of various methods and technologies, including technical means of protection, legal mechanisms, as well as organizational and managerial methods.

Technical protection measures include intrusion detection and blocking systems, hardware and software solutions (DLP systems) against data leaks, antivirus software and firewalls. Cryptographic methods (data encryption algorithms and electronic digital signature) are used to ensure data security. Data access control is provided by an authentication system that uses passwords, certificates, and biometric data.
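Password-based authentication is the access-control mechanism named above, and "simple passwords" are among the internal threats listed earlier. The following added example (not code from the article or its authors) shows the two defensive pieces a practitioner would pair: a policy check that rejects short, common or username-derived passwords, and salted PBKDF2-HMAC-SHA256 storage with constant-time verification, so that a stolen credential table does not directly expose user passwords. The minimum length, the iteration count and the list standing in for a breached-password feed are assumptions for this example.

```python
"""Password policy check and salted PBKDF2 storage (added example, not from the article)."""
import hashlib
import hmac
import os
import re

# Assumptions for this example: a constructed stand-in for a breached-password feed,
# a 12-character minimum, and an iteration count to be tuned to the server hardware.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "clinic2024", "doctor1"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000


def check_policy(password, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    # lower, upper, digit, symbol: require at least three of the four classes
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("too_few_character_classes")
    return problems


def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    print(check_policy("123456"))
    record = hash_password("Correct-Horse-Battery-9")
    print(record)
    print(verify_password("Correct-Horse-Battery-9", record))
```

Storing the iteration count inside the record lets the organisation raise it later and re-hash users on their next successful login without breaking existing accounts.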

The transition to domestic software in Russia, mandated by law, serves both strategic political goals and critical practical needs. The products of Russian developers are not inferior to their foreign counterparts in terms of functionality, and in a number of aspects (integration with government monitoring systems, adaptation to the specifics of Russian legislation) surpass them [13].

Compliance with the requirements in the field of processing, storing and transferring personal data in healthcare is regulated by a set of regulatory legal acts, whereas legal enforcement mechanisms provide for liability for violations of information security rules in the form of compensation for damage caused to the patient and payment of a fine in accordance with art. 13.11 of the Administrative Code of the Russian Federation.

Technical means and legal mechanisms for information protection will be effective only if they are integrated into the system of organizational and managerial tools that are used to achieve the goals and objectives of the organization.

Based on the results of the study, we have proposed an approach to ensuring information security in healthcare for provision of high-quality medical and medicinal care, consisting of the main directions and criteria for assessing information security.

One of the directions is categorization of CII objects in accordance with the legislation. Depending on the requirements for protective equipment, an object is assigned the first, the second or the third category of significance. Medical and pharmaceutical organizations are included in the register of significant CII facilities [11].

The next direction involves creating a system for responding to incidents of unauthorized access to information. This means developing a standard operating procedure (SOP) that sets out the mandatory actions when a hacking or information leakage incident is detected: who makes the decision to shut down the system, who interacts with law enforcement agencies, and who notifies patients. Regular exercises (for example, phishing simulations) are crucial for practicing these actions.

Continuous staff training is a significant step in ensuring information security. The basics of information security should be studied already at the training stage of university students and followed by advanced training within the system of continuing professional education.

The proposed criteria for assessing information security for medical and pharmaceutical organizations include:

  1. regular antivirus software updates;
  2. the presence of a structural unit responsible for information security, the presence of an approved SOP in this area;
  3. the proportion of employees who received information security training;
  4. the absence of recorded violations in the field of information security.

CONCLUSIONS

It has been found out during the study that regulation of information security in healthcare has evolved through successive stages that reflect a systematic strengthening of government requirements for information protection. There exist external and internal threats to the information security of medical and pharmaceutical organizations. Three complementary groups including technical, legal, as well as organizational and management ones were set up following analysis of information protection methods, while the use of each separate group does not provide a sufficient level of protection. To improve information security in medical and pharmaceutical organizations, it is proposed to use an integrated approach containing the main directions and evaluation criteria.
