DriveLock Blog | IT Security and Cyber Security

IT security concept for the healthcare sector - the most important information

Written by DriveLock | Feb 3, 2025 11:12:52 AM

Digitalization in the healthcare sector is in full swing: hospitals are becoming "intelligent" and are increasingly networked, patient records are going digital, consultations are taking place online and robots are assisting with operations. These developments offer great opportunities. At the same time, however, they also increase the risk of healthcare facilities falling victim to attacks by cyber criminals.

Content
  A. What makes cyber security in the healthcare sector special?
  B. How is IT security in the healthcare sector regulated by law?
  C. How can IT security be implemented in the healthcare sector?
  D. The first steps for implementation
  E. KHZG as an opportunity for IT security
  F. Meeting IT security requirements with DriveLock


The topic of IT security in the healthcare sector is therefore increasingly moving into the spotlight. In hardly any other industry is it more important that digital services are operated securely and reliably. After all, in an emergency, human lives depend on critical systems for administration, diagnostics and treatment being reliably secured. In this article, we explain what to look out for in an IT security concept for the healthcare sector.

A. What makes cyber security in the healthcare sector special?

In principle, no industry is immune to cyberattacks. However, the threat situation in the healthcare sector has increased particularly sharply in recent years. Why is this? Because the healthcare sector is confronted with a wide range of challenges that make it particularly vulnerable. These include:

  • Outdated IT infrastructures that cannot keep pace with digitalization.
  • Large volumes of sensitive and personal data, which are attractive to potential attackers and place high demands on data protection.
  • Comprehensive legal regulations, where it is often unclear who is responsible for implementation (e.g. the hospital or the manufacturers of the products and solutions).
  • Complex IT systems that have grown over long periods of time.
  • The shortage of IT specialists.
  • New forms of work such as remote work, which create additional risks in healthcare companies due to unsecured end devices and vulnerable access structures.
  • New digital solutions in e-health that work with a large amount of sensitive data (e.g. diagnostic findings, X-ray images or laboratory results).
  • The COVID-19 pandemic, which has massively increased interest in patient information and exacerbated the situation.

B. How is IT security in the healthcare sector regulated by law?

In Germany, three authorities are responsible for IT security in the healthcare sector:

  • The Federal Office for Information Security (BSI) has the overview in the area of IT security and formulates technical guidelines that set specific requirements for digital healthcare applications.
  • The Federal Institute for Drugs and Medical Devices (BfArM) in Bonn regulates the approval of medical products and devices.
  • gematik in Berlin is responsible for updating the telematics infrastructure (TI). This is required for the electronic health card, for example.

In 2022, a lot changed in the legal framework for IT security. The Patient Data Protection Act (PDSG) and the IT Security Act 2.0 are particularly important for the healthcare sector.

The IT Security Act (IT-SiG) has regulated the security of critical infrastructures via the BSI Act since 2015. It obliges healthcare facilities that are classified as KRITIS to meet a minimum standard of IT security: the uninterrupted availability, integrity and confidentiality of IT systems, components and processes must be ensured, and serious IT security incidents must be reported.

With the IT Security Act 2.0, the requirements for KRITIS facilities have been tightened once again: more obligations for operators, higher cybersecurity requirements and more powers for the state and supervisory authorities. For example, hospitals with more than 30,000 inpatients per year fall under the KRITIS Regulation and must:

  • Report "critical components" to the BSI,
  • introduce systems for attack detection,
  • register with the BSI immediately after KRITIS classification, and
  • provide the BSI with comprehensive information in the event of significant disruptions.

To ensure that the requirements are actually implemented on time, the fines have been increased: anyone who fails to register with the BSI, fails to meet protection targets, fails to report incidents or fails to follow BSI instructions faces fines of up to 20 million euros.

The German Hospital Federation provides an industry-specific security standard (B3S), which is officially approved by the BSI and supports the implementation of the KRITIS regulations.

The PDSG also regulates the gradual introduction of the electronic patient file (ePA) and other digital services. It also contains specific legal regulations for IT security in hospitals that are not classified as KRITIS: according to Section 75c of the Fifth Book of the Social Security Code (SGB V), all German hospitals have been obliged since January 2022 to take "appropriate organizational and technical precautions" to ensure the "availability, integrity and confidentiality" of their information technology systems.

In concrete terms, this means that even small hospitals are now obliged to take measures for IT security. This can also be implemented with the help of the industry-specific security standard (B3S) for hospitals.

In addition, healthcare facilities and organizations must of course always comply with the requirements of the General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG).


C. How can IT security be implemented in the healthcare sector?

The legal requirements for IT security in the healthcare sector alone do not provide any specific recommendations for action. However, the aforementioned industry-specific security standard (B3S) for hospitals provides guidance on what an IT security concept in the healthcare sector can look like.

It lists a total of 168 measures in three categories (must, should and can). Essentially, the aim is to establish a comprehensive information security management system (ISMS). This means that all important information in the hospital must be protected appropriately and effectively.

The classic protection goals of information security in accordance with ISO 27001 are central:

  • Availability: Authorized persons can actually access all information, services and systems when they need them.
  • Integrity: All systems function correctly and the data is available intact (i.e. in the "correct" version).
  • Authenticity: All information is "genuine" and originates only from the specified source or authorized persons.
  • Confidentiality: No important information is inadvertently accessible to unauthorized persons.

In addition, two industry-specific protection goals are defined in the B3S hospital:

  • Patient safety: Patients remain free from unacceptable risks of physical injury or damage to health (including the avoidance of lasting psychological stress).
  • Treatment effectiveness: The effective treatment of patients using information and effective therapeutic measures is ensured, if necessary on the basis of an exchange of information between different responsible organizational units.

The primary objective of the industry standard is to provide patients with secure medical care - regardless of the circumstances. The technical aspects of IT security are only one piece of the puzzle. Organizational, structural and procedural issues also play a role. The responsibility for this lies with the management.


D. The first steps for implementation

Before hospitals start overhauling their entire IT infrastructure, they should compare their status quo with the target state according to B3S (gap analysis). This gives them clarity on the following questions:

  • Where do we currently stand?
  • What still needs to be done to achieve the current state of the art?

The next step is to draw up an individual action plan and estimate how much time and money will probably have to be invested to close the gaps. Some of the basic measures included in the security standard are probably already covered, so the entire IT system does not necessarily have to be rebuilt.

By the way: On our blog, you will also find some additional recommendations on cyber defence that organizations and companies in the critical infrastructure should always follow.


E. KHZG as an opportunity for IT security

To provide hospitals with financial support, the federal and state governments are currently promoting digitalization with the Hospital Future Act (KHZG).

The aim is to modernize the healthcare sector - and improve IT security in the process. This is because 15 percent of the funds provided must go towards improving IT security in the healthcare sector. The focus is on university clinics and (smaller) hospitals that are not part of the critical infrastructure.

F. Meeting IT security requirements with DriveLock

DriveLock also supports healthcare facilities in ensuring information security and effectively preventing threats.

The DriveLock Application Control and DriveLock Device Control solutions are certified to Common Criteria EAL 3+ and reliably protect systems against malware. Unauthorized applications and devices are reliably detected and blocked. Data is cryptographically secured to ensure its confidentiality, authenticity and integrity. DriveLock also offers secure authentication and intrusion detection.

DriveLock also offers cost-effective and flexible security awareness training, in which employees are continuously made aware of current threats on an ad hoc basis. This also strengthens the human firewall.

You can find more information on how to protect healthcare and patient data effectively and securely in the white paper "IT security in the healthcare sector".


Benjamin Brumaire, Senior Consultant at DriveLock partner UBM, also reveals how secure digitalization in the hospital environment works with DriveLock.