Update Datenschutz Nr. 154 & Update Health Care 3/2023
The new draft of the Digital Act – New requirements for IT security in the health sector
Digitalisation is gaining momentum in the world of health care. This development is also reflected in the increased attention that legislators have recently paid to this topic.
Thus, in addition to a draft of the Federal Government for a Health Data Usage Act (Gesundheitsdatennutzungsgesetz), an (updated) draft of the Act to Accelerate the Digitalisation of the Health Care System (Digitalgesetz, "Digital Act" or "DigiG") has recently become available. According to the legislator's goal, both laws are intended to accelerate the digital transformation in the health sector.
A key point of the Digital Act is to increase IT security in the health sector. This is the legislator's response to the increasing number of security incidents that have hit health care facilities and suppliers in particular in recent years. This is illustrated by the recently published report of the European Network and Information Security Agency ("ENISA") on the threat situation in the health sector, according to which hospitals and corresponding suppliers for the health industry are identified as primary targets of cyber attacks (the ENISA report is available here).
Following on from this, according to the draft of the Digital Act, the institutions and organisations covered are to take technical and organisational measures to increase the resilience of their IT systems. An essential element is the implementation of measures to sensitise employees to IT security in order to improve their security awareness for the protection of information.
The following is a brief overview of the planned regulations in the area of IT security under the new Digital Act with respect to the provisions in the German Social Code, Book V (Sozialgesetzbuch V, “SGB V”).
I. The essential requirements for IT security in the Digital Act
With regard to IT security in the health sector, four points of the draft law are particularly relevant.
These deal with IT security in contractual medical and dental care (vertragsärztliche und vertragszahnärztliche Versorgung), in hospitals, at the statutory health insurance funds and regarding the use of cloud services in the health sector.
1. IT security in contractual medical and dental care
According to the new draft law, the regulations in § 75b SGB V that currently apply to IT security in the contractual medical and dental care will be deleted and instead included in a newly introduced § 390 SGB V.
In terms of content, the regulations provided for in § 390 SGB V are largely identical to the current provisions in § 75b SGB V. In particular, it is still envisaged that the requirements for IT security are to be laid down in a directive to be drawn up by the National Association of Statutory Health Insurance Physicians (Kassenärztliche Bundesvereinigung), which must be adapted annually to the state of the art and the potential risk.
What is new is that this IT security directive must now explicitly include measures to sensitise staff to information security in order to increase security awareness. The previous IT security directive provides for various technical and organisational measures depending on the size of the respective medical or dental practice. So far, however, it has not included corresponding awareness-raising measures. If the new Digital Act is enacted, the IT security directive would therefore have to be adapted in this respect in order to implement the requirements of the new § 390 SGB V.
In practice, this should mean that practice owners will in future have to train their employees in IT security, or have them trained. However, it remains to be seen which concrete requirements will ultimately be included in the new IT security directive.
2. IT security in hospitals
IT security in hospitals is also embedded in a new legal regulatory context. The current § 75c SGB V will be replaced by a new § 391 SGB V.
In terms of content, the previous regulations in § 75c SGB V have been largely adopted and only editorially adapted. Thus, hospitals are still obliged to take appropriate technical and organisational precautions to prevent disruptions to the availability, integrity and confidentiality of those information technology systems, components or processes that are decisive for the functioning of the hospital and for the protection of the patient information processed. In this context, hospitals can continue to make use of sector-specific security standards certified by the BSI (so-called B3S). In the area of hospitals, this is currently the sector-specific security standard "Medical Care".
In contrast, hospitals that reach the threshold values of the Regulation on the Designation of Critical Infrastructures under the BSI Act (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz, "KRITIS Regulation") and are thus to be classified as operators of critical infrastructures within the meaning of the Federal Law on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, "BSI Act") remain subject to the special provisions in the BSI Act. It should be noted that the regulations in the BSI Act are also to be significantly adjusted in the course of the planned implementation of the NIS-2 Directive and are also to be supplemented by a newly planned Federal KRITIS umbrella law (KRITIS-Dachgesetz; see our Data Protection Update No. 136 and No. 151).
A new provision in § 391 SGB V is that hospitals must also take mandatory measures to increase the security awareness of their employees. This obligation applies regardless of whether or not the respective hospital, as an operator of critical infrastructures, falls under the regulations of the BSI Act.
3. IT security at statutory health insurance funds
The regulations on IT security for statutory health insurance funds, to be laid down in § 392 SGB V, are completely new. Until now, special requirements have only applied to those health insurance funds that reach the threshold values of the KRITIS Regulation and are therefore operators of critical infrastructure. While the requirements of the BSI Act continue to apply to health insurance funds classified as critical infrastructure operators, the new requirements in § 392 SGB V now apply to all other health insurance funds.
These provisions in the new § 392 SGB V are analogous to the aforementioned requirements for IT security at hospitals. This means that all statutory health insurers are also expressly obliged under the new Digital Act to implement appropriate technical and organisational precautions in accordance with the state of the art, whereby the health insurers can also fall back on industry-specific security standards certified by the BSI. This is currently the "Sector-specific security standard for statutory health and long-term care insurers".
The new § 392 SGB V contains various requirements for the sector-specific security standards for health insurance funds. Thus, the health insurance funds, represented by their associations and the Federation of Health Insurance Funds as the umbrella organisation, must in the future work towards ensuring that the respective sector-specific security standard also contains specifications on the following topics:
- appropriate measures to increase cybersecurity awareness
- attack detection systems
- security requirements for IT service providers.
The focus here is therefore also on sensitising employees in order to increase cybersecurity awareness. It is also notable that requirements for the use of attack detection systems must be defined in the relevant sector-specific security standard. The obligation to use attack detection systems has so far only been regulated in the BSI Act, and only for operators of critical infrastructures. The fact that the use of attack detection systems must now, under the new concept in § 392 SGB V, also be addressed in the respective sector-specific security standard for health insurance funds means, as things currently stand, that all health insurance funds will have to implement corresponding attack detection systems in the future.
Finally, it should be noted that according to § 392 (6) SGB V, the sector-specific security standards must also apply where the health insurance fund uses IT service providers. Accordingly, health insurance funds must ensure through suitable contractual agreements that the IT service providers they use also comply with the sector-specific security standards.
4. Cloud deployment in the healthcare sector
Also new in the draft of the new Digital Act are the provisions for IT security when health insurance funds and service providers (hospitals, physicians) use the cloud.
To this end, the new § 393 SGB V first generally stipulates that social data within the meaning of § 67 SGB X (Sozialgesetzbuch X) and health data may also be processed within the framework of cloud computing services, provided that the further prerequisites in this section are met. These prerequisites include that the processing of the data may only take place in Germany, within the European Union or in a state deemed equivalent by an adequacy decision, and that the data-processing agency (probably meaning the provider of the respective cloud computing service) has at least one branch in Germany.
The processing within the framework of cloud computing must in turn comply with the state of the art and include appropriate measures to protect IT security. In particular, the data-processing agency must hold a current C5 certificate. The C5 catalogue (Cloud Computing Compliance Criteria Catalogue) is published by the BSI and contains minimum requirements for secure cloud computing services.
II. Conclusion and outlook
With the draft of the Digital Act, the legislator is creating a new regulatory framework for IT security in contractual medical and dental care, in hospitals, at health insurance funds and regarding the use of cloud computing services.
A major focus lies on sensitising employees in order to increase security awareness in general. This goal of the German legislator seems appropriate, as security incidents often occur due to a lack of security awareness among the employees involved. In this respect, there is considerable potential for improvement if the security awareness of employees in the health sector is increased.
Overall, the legal framework for digitalisation in the health sector continues to take shape with the draft Digital Act in combination with the planned Health Data Usage Act. It can be assumed that this will pose challenges for many organisations and institutions. Experience shows that the implementation of measures in the area of IT or cyber security is often associated with considerable personnel and financial expenditure. It is therefore recommended that the addressees concerned keep an eye on the further development of this legislative proposal in order to be able to start adapting to the new legal requirements at an early stage.