At a recent seminar on the needs and organization of cybersecurity training in Vietnam, hosted by the Hanoi National University, experts noted that the criminal use of cyberspace has increased in the number of cases as well as in their nature and severity, and that it is carried out through sophisticated methods and tactics, resulting in victims losing vast sums of money.

Cybercriminals target key agencies and organizations, including those in healthcare. Reports showed that cyberattacks on healthcare systems occurred at An Giang Central General Hospital, where hackers hit the virtualized server system, encrypting all data and halting operations.

In March 2024, foreign virtual IP addresses attacked the online appointment booking website of HCMC Heart Hospital, forcing the hospital to shut down the system for repairs and switch to a backup.

According to information from cybercrime forums, in June 2024, hackers advertised for sale the details of 112,000 patient and medical staff records from Hong Ngoc General Hospital, including names, contact information, medical records, and financial details. 

Meanwhile, the University of Medicine and Pharmacy HCMC Hospital had personnel information and lists of over 50 servers exposed online.

In October 2024, cybercriminals attacked the IT system of Duc Giang General Hospital, encrypting nine servers and causing major data loss and system paralysis.

In January 2025, the hospital information system (HIS) at the On-demand and International Treatment Center of Hue Central Hospital was compromised, with over 500 GB of data encrypted and a ransom demanded for decryption.

Experts emphasized that these risks stem not only from external threats but also from the limited cybersecurity awareness among medical personnel.

Many medical facilities have not fully implemented information security measures as required, including management and technical safeguards.

Senior Lieutenant Colonel Le Xuan Thuy, director of the National Cybersecurity Center (A05), under the Ministry of Public Security, said that recently, a hospital in Vietnam had to seek help after being attacked by hackers who threatened to publicly release patient data and medical histories on the internet.

“No patient wants their private life exposed online. This directly impacts the community. The issue is not that hospitals don't see the risks, but there are no legal regulations compelling them to address them properly,” Thuy said.

According to Thuy, in the first six months of 2025, there was a surge in ransomware attacks targeting systems in the energy sector, healthcare, government agencies, and recently even press and information agencies.

He believes that developing the national standard on cybersecurity TCVN 14423:2025 is a core step in state management, providing both guidance and protection for critical information systems.

“Standards are not just for inspection. More importantly, they guide, instruct, and help organizations secure their infrastructure,” Thuy emphasized.

He noted that many organizations are aware of cybersecurity risks but are confused about where to start.

Large tech enterprises like VNPT and MobiFone can learn from global practices. But for businesses and organizations unsure of where to begin, a clear standard tailored to Vietnam's context is needed as a basis for application.

“We provide guidelines based on the most secure information, but we understand that not every organization can immediately comply with all standards. It's like not everyone can run 5km every day for health benefits. We hope this standard will help units increase their maturity level and ensure cybersecurity,” Thuy said.

TCVN 14423:2025 is the first national standard on cybersecurity developed by the National Cybersecurity Center to help agencies and organizations comprehensively implement cybersecurity measures.

In this regard, A05 chose to issue it as a “standard” rather than a “regulation,” meaning it is not mandatory, in order to give organizations and businesses more time to adapt and enhance their infrastructure protection capabilities.

However, for entities handling large volumes of personal data with significant community impact, Thuy said that mandatory sanctions are necessary.

“When organizations are classified as having serious or very serious impact levels, applying the standards will be mandatory, with specific legal documents regulating it,” Thuy stated.

Issuing TCVN 14423:2025 is not only a technical advancement, but also demonstrates the state's role in establishing a legal framework, enabling agencies and organizations to proactively protect their systems and contribute to safeguarding national sovereignty in cyberspace.

Thai Khang