
IT security regulation in the healthcare sector: What rules apply to cybersecurity

Author: Randolf Skerka, SRC GmbH

The digitalization of the healthcare sector is developing dynamically: digital products are conquering the market, artificial intelligence is making inroads, and innovations in areas such as care, medicine, gene therapy and nanotechnology are further drivers. At the same time, the market launch of new healthcare products is subject to strict IT security regulation, and rightly so: these products handle extremely sensitive data about people's health and lives, or directly influence therapy. IT security is therefore becoming all the more important. However, it is often not easy for providers and operators to keep track of which regulations apply to them and which evidence they have to provide.

Critical infrastructures: The KRITIS Regulation

Special IT security requirements already apply to existing healthcare facilities if they are classified as critical infrastructures (KRITIS) under the rules of the German Federal Office for Information Security (BSI). In the healthcare sector, this covers not only inpatient medical care, but also the supply of directly life-sustaining medical devices, prescription drugs, blood and plasma concentrates and laboratory diagnostics, in each case above a certain size. The respective threshold values are defined in the BSI Criteria Ordinance (BSI-KritisV); the standard threshold of 500,000 people supplied by the facility serves as the guideline.

According to the BSI Act (Section 8a), the respective operators must take appropriate organizational and technical precautions according to the state of the art in order to avoid disruptions to the availability, integrity, authenticity and confidentiality of the information technology systems, components and processes that are relevant to their critical service. Evidence of IT security must be provided to the BSI every two years in the form of security audits, tests or certifications. In addition, the BSI can carry out security audits itself or have them carried out. Failure to comply with the legal requirements can result in severe fines.

Extension of the regulation to all hospitals: KRITIS “light”

Since January 2022, these IT security requirements have applied not only to inpatient medical facilities covered by the KRITIS Regulation, but to all hospitals. Although there is no obligation to provide evidence to the BSI in this case, operators must expect claims for damages and liability risks if an incident occurs. For this reason, the requirements set out in Section 75c of the German Social Code Book V (SGB V) should always be implemented and, as the law requires, adapted to the current state of the art every two years. The industry-specific security standard (B3S) for information technology security in hospital healthcare provides guidance in this regard.

Whenever new systems or components are used within the core functions of hospitals and critical infrastructure facilities, these must also be evaluated from a KRITIS security perspective and included in the testing processes.

Data security: one goal – different procedures

However, protecting critical infrastructures that are important to the community is only one aspect of IT security in the healthcare sector. Because the security of sensitive data must also be guaranteed at all times in day-to-day operations, cybersecurity requirements, approval requirements and testing processes must be defined for every affected area and constantly kept up to date with the state of the art. The legal framework for this is summarized in the German Social Code. As the national cybersecurity certification authority, the BSI is the central body. However, and this is what makes it difficult for applicants to get an overview, there is no single testing or certification process for the IT security of healthcare products.

The IT security checks are always carried out in consultation with the BSI or by the BSI itself, but they are integrated into the respective approval processes of the various services, and a different institution is responsible in each case: for example, the Gesellschaft für Telematik (gematik) for applications in the telematics infrastructure, or the Federal Institute for Drugs and Medical Devices (BfArM) for digital health applications, network-enabled medical devices and care devices. Some of these are explained below.

Telematics infrastructure: Multi-stage test processes

One of the challenges in the healthcare sector is the complex structure of operators, service providers, payers and insured persons. Digitalization offers the opportunity to network the individual players in a new way, thereby significantly accelerating and improving communication and processes. The basis for this new digital networking in Germany is the telematics infrastructure (Section 306 SGB V). Services such as the electronic patient file (ePA) or the e-medication plan are built on this interoperable communication and security architecture. The Gesellschaft für Telematik, gematik, is responsible for setting up and developing the telematics infrastructure (TI), and its tasks also include defining and enforcing binding standards for services, components and applications.

gematik GmbH works closely with the BSI on IT security assessments. All TI components and services are subjected to extensive tests in a multi-stage test procedure together with the providers before security evaluations or detailed security reports are drawn up. The individual requirements for products are set out in so-called product profiles; the requirements for the approval of providers are set out in provider profiles.

Even after approval, secure and trouble-free operation continues to be monitored. Unauthorized use of the telematics infrastructure, as well as failure to report faults or security deficiencies, can be punished with fines of up to EUR 300,000.

Video consultation – Video service provider

While new TI services such as the electronic patient file (ePA) will certainly take some time to reach the insured, the number of users of other digital services has literally exploded since the start of the pandemic: 1.4 million video consultations were held in the first half of 2020 alone, compared with just under 3,000 in all of 2019.

A prerequisite for participation as a video service provider is that all requirements for the technical procedures are fulfilled. The requirements for providers, participants and panel doctors are defined in a corresponding agreement between the National Association of Statutory Health Insurance Physicians (KBV) and the National Association of Statutory Health Insurance Funds (GKV-Spitzenverband).

Among other things, communication between patient and doctor or nurse must be secured by end-to-end encryption, and the video service must not pose any serious security risks. The evidence and certificates required for IT security are listed in detail in the agreement; templates for the certificates and the questionnaire with the test criteria are attached to it.

Digital health applications: The app on prescription

In 2020, Germany became the first country to offer digital apps on prescription. These digital health applications (DiGA) are defined as low-risk medical devices for the detection, monitoring, treatment or alleviation of diseases, or for the detection, treatment, alleviation or compensation of disabilities and injuries. The main function must be based on digital technologies (Section 33a SGB V). A prerequisite for reimbursement by the statutory health insurance funds is inclusion in the DiGA directory of the Federal Institute for Drugs and Medical Devices (BfArM).

A three-month fast-track procedure has been set up for these applications; the relevant forms can be downloaded from the BfArM website together with a guide. Basic requirements for data security are described in the Digital Health Applications Ordinance (DiGAV, Section 4). These include an information security management system based on BSI Standard 200-2 (IT-Grundschutz methodology). The BSI's technical guideline on security requirements for digital health applications (TR-03161) also provides assistance.

Need for regulation of networked medical devices

There is currently still a need for regulation of network-enabled medical devices. In contrast to purely digital health applications, digital functions are usually integrated here as supplements to an existing, non-digital medical function. This results in an extremely broad and heterogeneous range of applications. In some cases, the IT security requirements are also more difficult to address, because the network functions are often purchased from third-party suppliers and are not yet integrated into the quality assurance processes of every company. Nevertheless, the companies remain liable as the manufacturers placing the device on the market.

Basic requirements for the cybersecurity properties of medical devices were first defined in EU Regulation 2017/745 on medical devices (MDR), which is implemented in Germany by the Medical Devices Implementation Act (MPDG). Guidelines and procedural instructions such as the following help to implement these rather general IT security requirements:

Guidance of the Medical Device Coordination Group on cybersecurity for medical devices (MDCG 2019-16)
Guideline for the use of the MDS2 (Manufacturer Disclosure Statement for Medical Device Security)
Manufacturer recommendation on cybersecurity requirements for network-enabled medical devices

The BSI has investigated the cybersecurity of networked medical devices and set out the tasks ahead in its final report. The further development of IT security regulation remains an important task: in addition to securing existing products, it must help innovations achieve a breakthrough and support their rapid and secure market launch.
