Abstract: The paper introduces the basic theory of information system security baselines and the security requirements of hospital information systems (HIS). Drawing on how the Federal Information Security Management Act (FISMA) was implemented and put into practice, it discusses how to implement security baseline management for HIS, specifically covering targets, model construction, general steps, etc.