IT security in hospitals: How are the KRITIS requirements for hospitals to be implemented by the end of 2021?
by Svenja Koch
By the end of 2021, all hospitals are obliged to upgrade their own IT security and thus meet the CRITIS requirements of the BSI.
Hospitals and clinics are part of the critical infrastructure. This area is referred to by the federal government as the KRITIS sector. Hospitals are therefore subject to special laws and regulations regarding IT security. For this reason, hospitals must now also increasingly deal with this topic area.
Which legal rules apply to which facilities?
With regard to the CRITIS requirements, there are both delimitations based on the size of the hospital and several relevant cut-off dates. Accordingly, different requirements apply to facilities from the CRITIS sector and hospitals in general as far as IT security measures are concerned.
Large hospitals with more than 30,000 full inpatient cases per year are already under obligation since 2019. This is defined in the BSI Act. They are part of the KRITIS, the critical infrastructure. Thus, these facilities must implement corresponding legal requirements, such as the industry-specific security standards (B3S). These hospitals are also obliged to provide the Federal Office for Information Security (BSI) with evidence of the prescribed security level.
In October 2020, the Patient Data Protection Act (PDSG) came into force in Germany. This now affects all hospitals in Germany. The Patient Data Protection Act also contains a reference to IT security in hospitals. The deadline for the implementation of the PDSG is 1 January 2022. This is not the only law that entails a change for all hospitals in Germany. In the Social Code (SGB V) under § 75c, IT security in hospitals is newly regulated. Here the law refers to the BSI law and the sector-specific security standards for hospitals. It establishes these regulations as the standard for all hospitals in Germany. Here, too, the cut-off date for implementation is 1 January 2022, meaning that from this date the strict KRITIS requirements for IT security will apply to all hospitals in Germany, regardless of size.
Why are the CRITIS requirements for hospitals and clinics now so high?
The strict rules regarding IT security in hospitals are primarily related to the increasing digitalisation in this area. Critical personal information is now stored exclusively in digital form. The electronic patient share is one of these innovations brought about by digitalisation, as is the e-prescription. The Patient Data Protection Act deals with these changes. Added to this is the ever-increasing number of cyber attacks. More and more often, the CRITIS sector is the target of such cyber attacks. Hackers and criminals now proceed with a plan and choose hospitals or similar institutions as their target. This makes the cyber attacks even more dangerous, because ransomware is often used to cause as much damage as possible. On the one hand, this can dramatically disrupt operational work in hospitals, and on the other hand, patients' personal data is also in acute danger.
Both points are completely unacceptable - or in the worst case, life-threatening - for patients who often need medical help as quickly as possible. For this reason, the IT security of a hospital has become an absolute priority.
What concrete steps must the CRITIS sector and hospitals now take?
The BSI Act and also the Patient Data Protection Act do not mention any precise steps that the CRITIS sector must implement. Rather, the laws speak of "appropriate organisational and technical precautions to avoid disruptions to availability, integrity, authenticity and confidentiality". In addition, it is necessary to comply with the respective state of the art. However, there are industry-specific security standards (B3S) that the German Hospital Association has developed. Here you will find concrete assistance, best practices and guidance for the implementation of minimum standards in IT security.
All hospitals from the CRITIS sector that fall under the BSI Act are additionally required by law to conduct security audits, examinations or certifications that prove the implementation of the aforementioned security standards. Confirmations of the implementation of these measures must be submitted to the BSI. Large hospitals that are assigned to the KRITIS sector under the BSI Act must additionally implement systems for the active detection of cyber attacks from 1 May 2023.
For smaller hospitals that do not fall under the definition of KRITIS requirements, 1 January 2022 is an important deadline. By this date, IT security must correspond to the state of the art. In principle, the same technical requirements apply to IT security in hospitals as are already specified for the larger hospitals from the KRITIS sector via the BSI Act. The only difference is that regular proof of the implementation of the CRITIS requirements via an audit or similar measures is not mandatory. Small hospitals must therefore introduce the electronic patient record (ePA), among other things, from January 2022. Digital referrals and the e-prescription will also be mandatory from 1 January 2022. All of this brings challenges, above all, for the storage and management of patients' personal data. It is precisely this information that is often the target of cyber attacks. Here, hospitals are under an obligation to provide the appropriate systems for data processing on the one hand, and to precisely implement data protection guidelines on the other.
In addition, there are central solutions for the individual services. The electronic patient file, for example, is managed centrally via the telematics infrastructure (TI). The e-prescription is managed via interfaces between the health insurance funds and pharmacies via a central system that also already exists. So the hospitals have to take care of a connection to these services and implement this technically.
What roles do ISO 27001 and an ISMS play?
On the way to implementing the CRITIS requirements, the ISO 27001 standard and an information security management system (ISMS) also play important roles. These are international standards for information security. Hospitals build up a system according to ISO 27001 and thus improve IT security and fulfil the legal requirements in this way.
The ISMS is structured according to the four principles of plan, implement, control and optimise. It includes the establishment of an organisational structure that works independently on the improvement of IT security. This includes the staffing of central positions, such as that of the IT security officer, as well as the means of risk analysis as a way to search for weak points. By setting up appropriate structures, hospitals work on the central challenges of the IT security situation. This also includes raising awareness among staff, which is then implemented with their own resources.
The sector-specific security standard for hospitals also recommends the implementation of the ISO 27001 standard. Accordingly, the legal requirements that are now coming are not really innovations in essence. Rather, they are the extension of known techniques and measures to a larger target group. This basically makes the implementation of the CRITIS requirements easier in practice. The methods are already known and there are specialised personnel who are familiar with the techniques and have practical experience in their application. In addition, many of the legal requirements can also be implemented with the help of external service providers. This applies in particular to the active detection of cyber attacks, which will be required from 2023. Although these are not yet mandatory for small hospitals, corresponding methods can already be implemented today with relatively low resources via external service providers. In this way, healthcare facilities are on the safe side and do more than what is required by the legal minimum standard. Ultimately, it is important to prevent or contain cyber attacks before they have an impact on the daily operations in the hospital.
Federal government promotes the improvement of IT security in the CRITIS sector
The German government has identified the critical infrastructure sector as a sensitive area. Critical infrastructure is essential for everyday life in Germany. It is therefore important to ensure that this sector has the greatest possible protection against digital threats. The increasing number of cyber attacks as well as studies showing vulnerabilities in IT security are the reasons for tightening the legal basis.
At the same time, the government wants to support hospital operators and therefore provides funding specifically for this purpose. Every year between 2019 and 2024, 500 million euros, i.e. a total of four billion euros, will therefore be available for improving IT security in hospitals. This funding is explicitly available for the implementation of the CRITIS requirements. This thus concerns the large hospitals. The federal government is providing a further 4.3 billion euros via the Hospital Future Fund. These funds are therefore available to the smaller hospitals. It is still possible to apply for the funding until December 2021. However, there are conditions on the investments. Operators must invest at least 15 per cent in the hospital's IT security.
The entire world is becoming more digital and this development does not stop at the health sector. The increasingly targeted cyber-attacks, which particularly affect the CRITIS sector, make it essential to upgrade IT security in hospitals and similar healthcare facilities. Healthcare failures due to cyber-attacks put human lives at risk and thus pose a threat to civil society as a whole. Minimum standards for IT security, KRITIS requirements, certifications and guidelines can significantly raise the level of IT security in a hospital. Operators of these facilities are now under obligation to implement these CRITIS requirements, but will benefit in the long term through a high level of security and improved protection against cyber attacks. The central goal of IT security in hospitals is to prevent cyber threats from interfering with daily operations.