Germany: Hospitals – Increasing demands on IT security

Online appointments for patients, artificial intelligence for tumor detection, medication plans based on online databases, communicating pacemakers, cloud storage for patient files or digital discharge management: from the first contact, through diagnosis and therapy, to follow-up care – digitisation has become an indispensable part of the medical sector. To drive the digitisation forward in the hospital sector, the German Federal Office for Social Security set up the so called “Hospital Future Fund” just last year with a funding volume of up to 4.3 billion euros.

But for all the advantages offered by digitisation, it also increases the risk of attacks from cyberspace. The number of cyberattacks has risen sharply in recent years: the number of cybercrime offenses more than doubled in Germany from 2015 to 2020, according to a respective federal report on cybercrime by the Federal Criminal Police Office. The reality of this threat was demonstrated by a hacker attack on the IT systems of the University Hospital in Düsseldorf in September 2020.

Legal requirements

The legislature has seen this risk, particularly in the case of larger hospitals, and has regulated it accordingly. According to the German BSI Critical Infrastructure Act (BSI-KritisV), hospitals are considered to be operators of critical infrastructure (KRITIS) if they exceed a threshold of 30,000 full inpatient cases per year. The BSI Act (BSIG) imposes an obligation on KRITIS operators to fully protect their IT system by taking appropriate organizational and technical precautions, while complying with the state of the art. In addition, operators are required to provide the German Federal Office for Information Security (BSI) with proof of compliance with the relevant requirements every two years, to name a contact point that can be reached at any time, and to report significant malfunctions with undue delay. In the event of a breach of duty, there is the threat of severe fines of up to 20 million euros.

These obligations previously only applied to hospitals classified as KRITIS operators. However, this will change in the future in Germany as a result of the Patient Data Protection Act (PDSG) enacted in October 2020 and the newly introduced Section 75c of the German Social Code, Book V (SGB V). Accordingly, as of January 1, 2022, all hospitals, without exception, are required to take precautions to prevent disruptions to the availability, integrity, and confidentiality, as well as the other security objectives of their information technology systems, components, or processes that are crucial to the functionality of the respective hospital and the security of the patient information processed. In short, this means that even smaller hospitals are now required to take appropriate precautions to protect their IT systems in accordance with the state of the art.

Hospital operators can fulfill these obligations in particular by implementing the industry-specific security standards (B3S) in its current version. The B3S describes information security processes and measures that can be used to achieve an appropriate level of protection. Compliance with the B3S is standardized as a recommendation in Section 75c (2) SGB V.

Audit obligation for small hospitals?

While hospitals classified as KRITIS operators have already been obliged by the BSI-KritisV to provide evidence to the BSI, such a requirement for small hospitals arises neither from Section 75c SGB V nor from the PDSG. Nevertheless, even smaller hospitals must adapt their IT security measures to the current state of the art every two years (see Section 75c (1) sentence 3 SGB V).

Irrespective of this, compliance with protective measures is essential for hospital operators. If, for example, patients are not treated or, in the worst case, die as a result of a cyber attack, it cannot be ruled out that possible claims for damages will be asserted against the operator. In a lawsuit, evidence of having taken appropriate precautions to protect the IT systems can have an exculpatory effect. Under certain circumstances, there could also be criminal consequences.

Data protection requires IT security measures as well

However, it is not only for the above reasons that appropriate IT security measures are required. Rather, it should be noted that almost every IT security incident also results in a (notifiable) data protection breach. This does not only refer to cyberattacks, but also to the handling of personal data in the course of operations. One of the most common data protection breaches that resulted in a fine was a non-existent or inadequate role and authorization system for patient data. For example, all employees of a hospital in The Hague were able to access patient records at any time, even without proper authorization. The responsible supervisory authority imposed a fine of 460,000 euros for this blatant security deficiency. It is thus following the example of a Portuguese supervisory authority, which already imposed a fine of 400,000 euros on a hospital for the same reason in 2018. But the data protection authority in the German State Rhineland-Palatinate also penalized a hospital for several data protection violations in connection with a patient mix-up during admission. It imposed a fine of 105,000 euros.

Conclusion and recommendation

Hospitals will be required to pay even more attention to IT security in the future. Increasing digitization is desirable for patients, doctors, nurses and hospital operators alike, but only if security standards are met. We therefore urgently recommend hospital operators to re-examine their existing IT security structures in view of the increasing requirements and close any loopholes in protection. If necessary, support should be obtained from legal and technical experts.