Digital Health: What Now Applies To Cybersecurity

March 5, 2022

Health apps, e-patient files and networked medical products: Digital solutions are also driving development in the health sector and are making cybersecurity protection increasingly important. However, it is often not easy for providers and operators to keep track of which specifications have to be observed and which proofs have to be provided. The following explanations should help with orientation.

The digitization of the healthcare sector is in full swing: digital products are conquering the market, artificial intelligence is finding its way in, and innovations in areas such as care, medicine, gene therapy and nanotechnology are further drivers. At the same time, the market launch of new healthcare products is subject to strict IT security regulations – rightly so, since they touch extremely sensitive data on people’s health and lives or affect therapy.

Critical Infrastructure Healthcare: The Kritis Ordinance

Special IT security requirements already apply to existing healthcare facilities if they are classified as critical infrastructures by the Federal Office for Information Security (BSI). In the healthcare sector, this applies not only to inpatient medical care, but also to the supply of life-sustaining medical products, prescription drugs, blood and plasma concentrates and laboratory diagnostics above a certain size. The respective threshold values are defined in the BSI Kritis Ordinance. The rule threshold of

is used as a benchmark here . persons cared for by the facility.

According to BSI law (§ 8a) the respective operators must take appropriate organizational and technical precautions according to the state of the art in order to avoid disruptions to the availability, integrity, authenticity and confidentiality of their relevant information technology systems, components or processes. IT security must be demonstrated to the Federal Office every two years through security audits, tests or certifications. In addition, the BSI can carry out security checks itself or have them carried out. Failure to comply with legal requirements can result in severe fines.

Extension of regulation to all hospitals: "Kritis light"

Since January 2022, these IT security requirements apply not only to inpatient medical facilities within the meaning of the KRITIS regulation, but to all hospitals. Even if the obligation to provide evidence to the BSI does not apply here, operators must expect claims for damages and liability risks in an emergency. Therefore, the Social Security Code V (§ 11) must be implemented in any case and, as required, updated every two years to reflect the current state of the art. The industry-specific security standards for the information technology security of healthcare in hospitals provide orientation.

Whenever new systems or components are used within the core functions in hospitals and critical infrastructure facilities, they must also be evaluated under KRITIS security aspects and included in the testing processes.

Data security: One goal – different procedures

However, protecting the critical infrastructure that is important to the community is only one aspect of IT security in healthcare. Since the security of sensitive data must be guaranteed at all times, even in everyday operation, cybersecurity requirements, approval requirements and test processes must be defined in all affected areas and kept up to date with the current state of the art. The legal framework for this is summarized in the Social Security Code. As the national authority for cyber security certification, the BSI is the central authority. However – and this makes it difficult for applicants to get an overview – there is no single testing or certification process for the IT security of health products. The IT security checks are always carried out in consultation with the BSI or by the Federal Office itself, but are integrated into the respective approval processes of the various services. Different institutions are responsible in each case: for example, the Society for Telematics for applications in the telematics infrastructure, or the Federal Institute for Drugs and Medical Devices for digital health applications, network-capable medical devices and care devices. Some explanations are given below.

Telematics infrastructure: Multi-level testing processes strengthen cybersecurity

One of the challenges in the healthcare sector is the complex structure of operators, service providers, payers and insured. Digitization offers the opportunity to reconnect the individual players, thereby significantly accelerating and improving communication and processes. The basis of this new digital network in Germany is the telematics infrastructure (§ 306 SGB). Services such as the electronic patient file or the e-medication plan are based on this interoperable communication and security architecture. The Gesellschaft für Telematik, gematik, is responsible for the establishment and further development of the telematics infrastructure (TI). Its tasks also include the definition and implementation of binding standards for services, components and applications.

In the IT security assessment, gematik GmbH works closely with the BSI. To this end, all TI components and services are subjected to extensive tests in a multi-stage testing process together with the providers before security evaluations or precise security reports are created. The individual requirements are laid down in so-called product profiles; those for the approval of providers are laid down in provider profiles.

Even after approval, safe and trouble-free operation is monitored. Unauthorized use of the telematics infrastructure, as well as failure to report faults or security deficiencies, can result in fines of up to 220,000 EUR.

Video consultation – providers of video services

While new TI services such as the electronic patient file (EPA) will certainly need some time to reach insured persons, the number of users of other digital services literally exploded when the pandemic began: 1.4 million video consultation hours were held in the first half of 2020 alone. In 2019 there were only about 3,000.

Among other things, the communication between patient and doctor or nurse must be secured by end-to-end encryption, and the video service must not have any serious security risks. The necessary evidence and certificates for IT security are listed in detail in the agreement; templates for the certificates and the questionnaire with test criteria are in the annex.

Digital Health Applications: The App on Prescription

Since 2020, Germany has been the first country ever to offer digital apps on prescription. These digital health applications (DiGA) are defined as low-risk medical devices for the detection, monitoring, treatment or alleviation of diseases or for the detection, treatment, alleviation or compensation of disabilities and injuries. The main function must be based on digital functions (§ 33 a SGB). The prerequisite for the assumption of costs by the health insurance companies is inclusion in the directory of the Federal Institute for Drugs and Medical Devices (BfArM).

A three-month fast-track procedure was set up for these applications; the relevant forms can be accessed together with a guide on the BfArM website. Basic requirements for data security are described in the Digital Health Applications Ordinance (§ 4). These include, among other things, an information security management system based on the BSI standard 200-2: IT baseline protection methodology. The technical guideline of the BSI on security requirements for digital health applications also offers assistance.

Need for regulation for networked medical devices

There is currently still a need for regulation for network-capable medical devices. In contrast to the purely digital health applications, digital functions are usually integrated here as supplements to the existing basic medical function. This results in an extremely broad and heterogeneous range of applications. In some cases, the IT security requirements are also more difficult to address, because these network functions are often purchased from third parties and are not yet integrated into the quality assurance processes of all companies. Nevertheless, you are liable as a provider.

Basic requirements for the cyber security properties of medical devices were defined for the first time in EU Regulation 2017/1245 on medical devices, which is implemented in Germany by the Medical Devices Law Implementation Act (MPDG). Guidelines and procedural instructions such as:

help with the implementation of these – quite general – requirements for IT security.

The BSI has examined the cyber security of networked medical devices and also formulated the upcoming tasks in its final report.

The further development of regulations for IT security remains an important task. In addition to the IT security of existing products, it is above all about helping innovations to achieve a breakthrough and promoting their rapid and secure market launch.

Randolf Skerka, SRC GmbH.

Source: Political magazine with tabloid character. Today, the star is widely known for unusual recordings, real reports and explosive revelations. Founded in 1948 and published every Thursday, the weekly magazine was Germany’s most widely read periodical of the post-war period….
