IT security in hospitals

How secure is IT in our hospitals?

Digiti­sation poses IT security challenges for hospitals

Cloud computing, networked communication, virtual teamwork: digitisation offers hospitals and other healthcare facilities enormous potential for optimisation. The effects on the profitability of medical facilities and on patient care would be lastingly positive, if it weren’t for IT security. How well protected are healthcare networks? Can sensitive data be lost during transmission or in the course of collaboration? Or, even worse, be intercepted? Can IT security in hospitals keep pace with the tempo of digitalisation?

Protection of sensitive patient infor­mation is required

If one thinks about the most sensitive data of a society, patient information certainly belongs to it. The need for protection is therefore particularly high. The legislator has meanwhile recognised this and created a clear legal situation. With that, at the latest, IT security in the healthcare sector becomes a field of liability risks and claims for damages. This is why IT security is a top priority in hospitals. Several hospitals have already painfully discovered that absolute security can hardly be achieved. In particular, the attack with the ransomware “WannaCry” in 2017 had an enormous impact on hospital IT worldwide. Examinations had to be postponed, operations had to be cancelled and the financial damage was immense.

The electronic patient file, telemed­icine and cross-sector infor­mation logistics make it extremely demanding to manage data securely. But IT security is no longer just a technical issue. It also concerns the awareness of the employees, the inten­sified data protection and the growing require­ments of the legis­lator. Examples are the Medical Devices Ordinance (MDR) and the audits according to § 8a of the BSI Act.

SRC expert Dr. Deniz Ulucay talks to the KU Gesund­heits­man­agement Magazine

In an interview with Birgit Sander, editor of KU Gesundheitsmanagement Magazine, Dr. Deniz Ulucay, SRC expert for IT security in healthcare, gives detailed insights into potential threat scenarios and adequate defense strategies. The title of the article asks: “How secure is IT in our hospitals?” It can be downloaded here (German).

IT Security Congress 2019

IT-Security Congress 2019 — Arne Schönbohm welcomes SRC

The IT-Security Congress 2019 again offered SRC the platform for dialogues with manufac­turers, partners and repre­sen­ta­tives of public author­ities. The motto of the event was “IT security as a prereq­uisite for successful digiti­zation”. The topics are as varied as the visitors: artificial intel­li­gence and its fields of appli­cation, Common Criteria certi­fi­ca­tions of micro-kernel operating systems and profes­sional perspec­tives for scien­tists and computer scien­tists at SRC. Almost all SRC services were in demand at the stand, whether penetration tests, consulting and certi­fi­cation of infor­mation security management systems or support for product manufac­turers in evalu­a­tions according to Common Criteria.

Sandro Amendola’s lecture at the IT-Security Congress 2019, entitled “Legal Security Require­ments for Payment Proce­dures for Customer Authen­ti­cation Using Mobile Devices”, was widely discussed. The high pace of innovation on the one hand and the parallel devel­opment of regulatory require­ments on the other hand provide continuous material for discus­sions and forecasts of future trends.

The host of the IT-Security Congress 2019, the Federal Office for Infor­mation Security (BSI) (see photo), also stopped by our stand. Thilo Pannen is respon­sible for Business Devel­opment at SRC. “We at SRC are delighted that we have been able to support the BSI for many years with a range of experts,” said Thilo Pannen in his welcoming address. The extensive discussion with BSI President Arne Schönbohm touched all aspects of the extensive cooper­ation with the BSI. Be it the prepa­ration of studies, the support in the various BSI projects or the work of SRC as a BSI-recog­nized testing laboratory. In its function as a testing laboratory, SRC does not only assess according to Common Criteria. The require­ments for the technical domains “Smart­cards and similar Devices” and “Hardware Devices with Security Boxes” are also fulfilled by SRC.
Such extensive and complex cooper­ation in such a dynamic environment requires constant adaptation of the processes. “If we at BSI can contribute to further good cooper­ation, please let me know,” said the BSI President at the end of his visit to the SRC stand.

IT Security Congress

SRC contributes to the German IT Security Congress 2019

IT security as a prereq­uisite for successful digital­i­sation

This is the motto of this year’s German IT Security Congress, which is held every two years by the Federal Office for Infor­mation Security (BSI). The congress will take place from 21 to 23 May 2019 at the Stadthalle Bonn — Bad Godesberg. The aim of this year’s congress is to examine the topic of IT security from different perspec­tives, to present and further develop possible solutions.

SRC is at the German IT Security Congress

As a BSI-approved evalu­ation body for evalu­a­tions according to Common Criteria (CC) and various other technical guide­lines, SRC will also be present with a booth at the German IT Security Congress in 2019. Thus we offer the experts of customers, partners and those of the BSI once again the well-estab­lished contact point at the German IT Security Congress. This concept has proven itself over many years. The stable personal network between the partic­i­pants offers the optimal platform for the transfer of complex technical and regulatory aspects.

SRC expert Sandro Amendola talks about compliance, mobile payment proce­dures and customer authen­ti­cation

The triumphal march of mobile payment proce­dures seems unstop­pable. The legis­lator has also inten­sively considered the security of these proce­dures and the necessary customer authen­ti­cation. Sandro Amendola will talk about “Legal security require­ments for payment proce­dures for customer authen­ti­cation using mobile devices” on Thursday, 23 May 2019 at 11:00 a.m. in the main hall.

BarCamp “Infor­mation Security Management in Credit Insti­tu­tions” — 19 September 2019

In cooper­ation with SRC Security Research & Consulting GmbH, Bank-Verlag GmbH hosts a BarCamp on the subject of “Infor­mation Security Management in Credit Insti­tu­tions”. The event will take place on 19 September 2019 at the premises of Bank-Verlag in Cologne.

The Federal Financial Super­visory Authority (BaFin) has also defined the new function of the Infor­mation Security Officer with the “Banking Super­visory Require­ments for IT” (BAIT). He or she controls the infor­mation security process and reports directly to management. What this theory looks like in practice will be examined in more detail on 19 September at the BarCamp “Infor­mation Security Management in Credit Insti­tu­tions”.

The BarCamp Principle

A BarCamp is an open conference with practical workshops. The workshops serve the exchange and discussion among the partic­i­pants. At the beginning, the partic­i­pants themselves develop the contents and the agenda, which they then develop further. There are no prede­fined speakers or proce­dures to be found in a BarCamp. Instead, this principle relies on the (moderated) exchange of experience.

BarCamp “Information Security Management in Credit Institutions”

The BarCamp “Infor­mation Security Management in Credit Insti­tu­tions” gives Infor­mation Security Officers as well as all those respon­sible for infor­mation and IT security management at credit insti­tu­tions the oppor­tunity to exchange infor­mation on topics such as BAIT audits, service provider management or risk management. In addition, contacts can be estab­lished and expertise expanded. The coffee breaks can be used for individual discus­sions. At the end of the event, a “get-together” provides an in-depth exchange among the partic­i­pants.

The SRC Speakers

Four experts from different areas of SRC will share their knowledge and expertise with the partic­i­pants.

Sandro Amendola, deputy head of the evalu­ation body at SRC, is respon­sible for the topic “IT compliance in the banking industry”. In addition, he develops security concepts and security require­ments for payment trans­action proce­dures on behalf of the German banking industry, among others.

Jochen Schumacher is respon­sible for commu­ni­ca­tions at SRC. He concen­trates on product management, the technical and editorial support of the website as well as the planning, imple­men­tation and moder­ation of events.

Florian Schumann is Head of IT at SRC. In addition, he is an infor­mation security consultant and qualified auditor according to § 8 (a) BSIG for critical infra­struc­tures.

Dr. Deniz Ulucay works at SRC as a consultant for infor­mation security. His focus is on the devel­opment of ISMSs, in particular for operators of critical infra­struc­tures. He is also respon­sible for the devel­opment and imple­men­tation of security concepts.

Regis­tration & Schedule

Further infor­mation about the regis­tration and the course of the BarCamp on the topic “Infor­mation security management in Credit Insti­tu­tions” can be found in this flyer (GER) and on the website of Bank-Verlag. Here you can register directly online for the event and bring in the topics that are important and inter­esting for you and thus help to determine the course and outcome of the BarCamp “Infor­mation Security Management in Credit Insti­tu­tions”.

For further questions Mrs. van Kessel is at your disposal (Tel. 0221/5490–161, andrea.vankessel(at)bank-verlag.de).

Information security officers for credit institutions

Certificate Course “Infor­mation Security Officer for Credit Insti­tu­tions” — November 19 to 22, 2019

BAIT-Compliance: Use of an Infor­mation Security Officer (ISB)

The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, avail­ability, authen­ticity and confi­den­tiality of data in their IT systems and processes. However, secure and efficient IT is also essential for the economic success of a bank. The new “Banking Super­vision Require­ments for IT” (BAIT) formulate concrete expec­ta­tions. Among other things, the Federal Financial Super­visory Authority (BaFin) is calling for the newly created function “Infor­mation Security Officer for Credit Insti­tu­tions” (ISB) in its guideline. They control the infor­mation security process and report directly to the management.

6th Certificate Course “Information Security Officer (ISB) for Credit Institutions”

In cooper­ation with Bank-Verlag, SRC has already success­fully completed five certificate courses on “Infor­mation Security Officer (ISB) for Credit Insti­tu­tions”. After the great response and the continuing demand, we are pleased that Bank-Verlag has made another date possible for this four-day certificate course.

From 19 to 22 November 2019, you will once again have the oppor­tunity to receive further training as an “Infor­mation Security Officer (ISB) for Credit Insti­tu­tions” on the premises of Bank-Verlag GmbH in Cologne.

Training by skilled experts

In cooper­ation with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Germany) the SRC experts Sandro Amendola, Florian Schumann and Dr. Deniz Ulucay will give lectures. In this course, the experts inform you compre­hen­sively about the norms and standards according to ISO and IT-Grund­schutz, as well as about all legal/regulatory require­ments relevant to you as an ISB. In addition, the topics IT Risks and Emergency Prevention as well as Business Conti­nuity Management are dealt with.

After passing the final exami­nation, you will receive the certificate “Infor­mation Security Officer for Credit Insti­tu­tions”.

Optionally, you have the oppor­tunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne on 18 November 2019 prior to the event. This course deals with the basics, terms, encryption and IT security techniques in infor­mation technology.

Aspects of Common Criteria Certifications

Aspects of Common Criteria Certi­fi­ca­tions — Guest lecture at the Vienna University of Technology

Aspects of Common Criteria Certi­fi­ca­tions — this is the topic of the lecture that the experts of the SRC evalu­ation body for Common Criteria will address at the Vienna University of Technology. The lecture will take place on 10 May 2019 as part of the lecture IT Security in Large IT Infra­struc­tures at the Institute of Infor­mation Systems Engineering.

Common Criteria in science

With the help of Common Criteria for Infor­mation Technology Security Evalu­ation (CC), IT products can be evaluated regarding their security according to general criteria. As an inter­na­tionally recog­nised standard, Common Criteria is of interest to the scien­tific world. Initially, an evalu­ation is carried out by an evalu­ation body accredited by the German Federal Office for Infor­mation Security (BSI). SRC is accredited as such a CC evalu­ation body. The BSI then carries out the certi­fi­cation.

Guest lecture for students

The SRC experts will discuss the Aspects of Common Criteria Certi­fi­ca­tions at first hand. The lecture informs the students about the basic approach for product certi­fi­ca­tions according to Common Criteria. Infra­struc­tures in the European Union that rely on Common Criteria certi­fi­cation will be highlighted. The formal side including the respon­sible certi­fi­cation and recog­nition bodies will also be considered. The comparison of Common Criteria with other concepts concludes the lecture. Certi­fi­ca­tions according to technical guide­lines of the BSI, ISO27001 or the criteria of the Payment Card Industry (PCI) will be considered.

NextGenPSD2 certification

NextGenPSD2 certi­fi­cation | SRC launches audits for XS2A

Are you ready to certify your NextGenPSD2 imple­men­tation?

The revised Payment Services Directive (PSD2) requires banks to allow autho­rized third parties access to customer data. These third party payment service providers (TPP) are to be granted access via a programming interface (XS2A) with the customer’s consent. With this data, TPPs will be able to offer innov­ative payment initi­ation and account infor­mation services. The NextGenPSD2 certi­fi­cation promotes the imple­men­tation of a uniform standard.

Most banks and API providers in Europe implement the XS2A interface using the NextGenPSD2 framework of the Berlin Group. This is an open and Europe-wide harmo­nized solution for imple­menting the PSD2 require­ments for the XS2A interface.

The correct imple­men­tation of the XS2A interface relieves the institute from imple­menting a fallback interface solution. The NextGenPSD2 Imple­men­tation Support Program (NISP) offers the partic­i­pants a testing framework with test concept, test case catalog, compliance best practices and test tool require­ments. The imple­menting institute evaluates its own work. As a result, the imple­men­tation is completed. It remains to be seen if this self-assessment will be considered suffi­cient by the super­visory authority (NCA).

Why should you undergo the NextGenPSD2 certi­fi­cation?

The self-assessment of the NextGenPSD2 imple­men­tation already offers a high level of quality. However, different inter­pre­ta­tions of the speci­fi­cation can lead to inter­op­er­ability problems. There is currently no documented agreement between banks and third-party providers on the exact imple­men­tation of the XS2A interface. This increases the proba­bility that the respon­sible super­visory authority of the banks will refuse the exemption from the imple­men­tation of a fallback interface solution.

SRC has extensive and detailed expertise from its involvement in the speci­fi­cation and imple­men­tation of the XS2A interface as part of NISP. On this basis, we have developed the NextGenPSD2 certi­fi­cation for you.

How does the NextGenPSD2 certi­fi­cation process work?

Require­ments for the NextGenPSD2 certi­fi­cation are the test case catalogue, the imple­men­tation profile and the test speci­fi­cation of the imple­menting institute. SRC uses these require­ments to carry out a complete functional, security and perfor­mance audit of the NextGenPSD2 imple­men­tation.

Audit Validation

During validation, the imple­men­tation is reviewed with respect to the require­ments of the documen­tation.

Functional part

In the functional part, the test speci­fi­ca­tions are executed and the results are verified.

Non-functional part

In the non-functional part, the avail­ability of the imple­men­tation (stress test) is deter­mined and evaluated at relevant points.

Security test

In the security test, methods of penetration testing are used. It is evaluated if the imple­men­tation of the XS2A interface offers suffi­cient protection against fraud attempts on customer data and trans­ac­tions.

The certi­fi­cation is documented in a final report. If all require­ments are at least suffi­ciently fulfilled, the institute receives an SRC certificate. With this certificate, the conformity of the imple­mented XS2A interface can be demon­strated to third parties and the super­visory authority. Based on the first certi­fi­cation, regression audits can be carried out in the future.

SRC consulting services for development optimization or for creating the test specification can be used to prepare for the NextGenPSD2 certification.

Why SRC?

As a co-editor of the NextGenPSD2 Framework and the NISP Testing Framework, SRC has a deep under­standing of the NextGenPSD2 standards and all tasks associated with testing. In addition, SRC has many years of experience in devel­oping test environ­ments with many licensed auditors for multiple functional and security evalu­a­tions according to formal certi­fi­cation schemes. As a result, SRC is able to carry out a high-quality audit with manageable effort.

Are you inter­ested in NextGenPSD2 certi­fi­cation? Then please contact us at info@src-gmbh.de.

ISB

Certificate Course “Infor­mation Security Officer for Credit Insti­tu­tions” — May 7 to 10, 2019

The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, avail­ability, authen­ticity and confi­den­tiality of data in their IT systems and processes. But secure and efficient IT is also essential for the economic success of a bank.

The new “Banking Supervision Requirements for IT” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority (BaFin) has issued a guideline calling for the new function of the “Information Security Officer” to be set up. He or she controls the information security process and reports directly to the management.

In cooper­ation with Bank-Verlag, SRC has already success­fully completed three certificate courses for the “Infor­mation Security Officer (ISB) for credit insti­tu­tions”. After the great response and the continuing demand, we are pleased that the Bank-Verlag has made another date possible for this four-day certificate course.

From 7 to 10 May 2019, you will once again have the oppor­tunity of further training in Cologne to become an “Infor­mation Security Officer (ISB) for credit insti­tu­tions”.

In a team with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Trinkaus & Burkhardt AG) the SRC experts Sandro Amendola, Florian Schumann and Randolf Skerka will give a lecture on the norms and standards according to ISO and IT-Grund­schutz, as well as on all legal/regulatory require­ments relevant for you as an ISB. In addition, the topics IT Risks and Contin­gency Management as well as Business Conti­nuity Management will be discussed.

After passing the final exami­nation, you will receive the certificate “Infor­mation Security Officer for Credit Insti­tu­tions”.

On 6 May 2019 you will also have the optional opportunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar in Cologne prior to the event. This course deals with basics, terms, encryption and IT security techniques in information technology.

Associate QSA

Associate QSA — quali­fying as a QSA

SRC offers mentoring programme for future Security Evalu­ators

The QSA accred­i­tation — the previous, unstruc­tured path to becoming a highly qualified Security Evaluator

Extensive experience is required to audit environ­ments in which payment card data is accepted and/or processed for compliance with the PCI DSS security standard. To date, there has been no standardised way of fulfilling the relevant prereq­ui­sites for admission as a PCI DSS assessor (Qualified Security Assessor, QSA) which are compre­hensive profes­sional experience, PCI DSS-specific training and testing as well as at least two other accred­i­ta­tions in the field of infor­mation security and IT auditing.

Associate QSA — the accom­panied path to QSA

With the new Associate QSA programme of the Payment Card Industry Security Standards Council (PCI SSC), an oppor­tunity has now been defined through which new talents with a basic level of profes­sional experience can advance towards QSA approval.

Associate QSA will be accom­panied by an experi­enced QSA mentor. The devel­opment and increasing audit experience of the Associate QSA are regularly reflected and documented. In this way, it is monitored and ensured that the employee has compre­hensive experience in all relevant areas until he or she obtains QSA accred­i­tation.

SRC provides training

The SRC team is known for not consid­ering test standards as check­lists to be processed, but for deriving their appli­cation from complex environ­ments and for supporting the customer in the imple­men­tation and inter­pre­tation as practi­cally as possible. This requires compre­hensive expertise and experience in combi­nation with a constant exchange with other experts.

SRC therefore welcomes the defin­ition of a step-by-step procedure for the training and support of Associate QSA, which contributes to the devel­opment of an appro­priate quali­fi­cation. SRC has thus regis­tered as an Associate QSA company and has already approved the first employee as an Associate QSA. In this way, the quality of the audits in the constantly changing payment trans­action environ­ments is to be guaranteed also in the future.

Accreditation

SRC receives accred­i­tation for Conformity Assessment Body (KBS) according to ISO 17065

Last month, the German Accreditation Body (DAkkS) granted SRC Security Research & Consulting GmbH accreditation for its Conformity Assessment Body (KBS) according to ISO 17065.

This accreditation applies to the conformity assessment of (qualified) trust service providers who wish to have trust services qualified in accordance with the requirements of Regulation (EU) No. 910/2014 (eIDAS).

The eIDAS Regulation contains binding Europe-wide regula­tions in the fields of “Electronic Identi­fi­cation” and “Electronic Trust Services”. The Regulation creates a uniform framework for the cross-border use of electronic means of identi­fi­cation and trust services.

As an EU regulation, it is directly applicable law in all 28 EU member states as well as in the European Economic Area.