Patient data put to the test: What the BSI analysis reveals about PVS security

The findings of the Federal Office for Information Security (BSI) on the IT security of software in the healthcare sector did not surprise IT security experts, even if many would have hoped for a different outcome.

The BSI aptly describes the results of the investigations into practice management systems (PVS) and digital nursing documentation systems (DiPS) with the following sentence:
“However, the IT security of software products in the healthcare sector can be improved.” (BSI, 17.03.2026)

Results of the PVS survey

The PVS study, i.e. the study of the software doctors use every day to record and store examinations, diagnoses and doctor’s letters, examined only a comparatively small sample of the more than one hundred solutions in use. Nevertheless, it can be assumed that the results are at least partially transferable to products that were not examined.

The study identified significant security problems, including insecure or missing encryption, inadequate rights and role models, and systems that were openly reachable from the internet. According to the study, the identified vulnerabilities have since been closed. The question remains, however, how such problems could arise in the first place.

Causes and structural challenges

It is worth noting that practice software today holds significantly more medical information than the much-discussed electronic patient record (EPR), since only part of the data held in a PVS is transferred to the EPR.

Health data belongs to the category of data with the highest protection requirements. It is therefore all the more surprising that the systems in which most of this data is collected have so far been regulated only to a limited extent. These include practice management systems, hospital information systems and digital care systems.

The approval of DiGAs or ePA systems requires comprehensive and cost-intensive security checks mandated by legislators and institutions such as gematik and BSI. The requirements for primary systems are comparatively low: currently, only certification by the National Association of Statutory Health Insurance Physicians and a confirmation of conformity by gematik are planned. In-depth technical testing by independent bodies is currently not mandatory.

Manufacturers can take appropriate measures on their own responsibility. However, the results of the study suggest that not all providers focus on security to the same extent.

There can be many reasons for this. IT security is often initially seen as a cost factor. The potential follow-up costs of a security incident are difficult to estimate and are not always adequately taken into account. The attitude “nothing will happen to us” can still be found in non-regulated environments.

If an incident does occur, it is often followed by short-term measures that are not sustainable. After some time, whether certain security measures are actually necessary is called into question again.

IT security as a continuous process

IT security requires continuous measures throughout the entire product life cycle. It makes sense to think about security from the outset and develop it step by step.

Even if this initially involves effort, this approach is generally more economical in the long term than subsequent improvements or dealing with security incidents.

The question remains as to why many companies are not yet consistently pursuing this path and continue to view security primarily as a cost factor. Regulation can play a role here. However, it does not replace the responsibility of manufacturers and operators.

What can be deduced from this?

The studies show that further awareness of IT security in the healthcare sector is necessary.

In addition, security should be anchored as a cross-cutting issue at all levels, from software development to management.

Manufacturers should regularly evaluate the security of their solutions and develop them further as part of a continuous improvement process.

Progress is possible even with limited resources. Security measures can be implemented step by step, for example through architecture reviews, targeted penetration tests or voluntary tests according to established procedures such as BSI-TR-03161 or comparable tests in the gematik environment.

How can SRC provide support?

SRC has been supporting manufacturers and operators of products and services in regulated and non-regulated environments for many years, from the planning and development phase through to testing and certification according to recognized schemes such as gematik assessments, BSI-TR-03161, Common Criteria or KRITIS.

DMEA 2026 from April 21 to 23, 2026 in Berlin is one of the places to exchange ideas. Manufacturers and experts will come together there to discuss current developments in the healthcare sector.

In our view, this dialogue is an important building block in the further development of secure and user-friendly solutions.

Curious about how SRC can help? Then please contact us on site or use the contact form.

Press contact:
Patrick Schulze
WORDFINDER GmbH & CO. KG, Lornsenstraße 128-130, 22869 Schenefeld