IT security law in hospitals
As operators of a "critical infrastructure in the healthcare sector", hospitals are among the main addressees of the law. The avoidance of availability disruptions and the preservation of the integrity, authenticity and confidentiality of IT systems, their components and processes must now be safeguarded by technical precautions due to legal obligations. Actual or potential IT security incidents must be reported to the Federal Office for Information Security (BSI). Compliance with and implementation of the law is punishable by a fine of up to EUR 100,000.00.
The details, in particular what exactly is to be regarded as "critical infrastructure", will be defined by the Federal Ministry of the Interior in a statutory order. The regulations will only become binding two years later - but then immediately. Within six months of the ordinance coming into force, the hospital must inform the BSI of a contact point without being asked and ensure that it can be contacted at all times.
The Federal Ministry of the Interior must consult the industry associations before issuing the ordinance. Industry associations can also make suggestions as to how exactly - and therefore how strict - the industry-specific security standards should be. The industry associations - or the hospital directly - can therefore now influence the scope of the security measures to be implemented at a later date. Tailor-made solutions can now also be proposed for hospitals, if necessary, which protect them from having to implement "unsuitable" general standards at a later date.
The Bundesrat has already pointed out during the legislative process that the subsidy requirement will increase, at least for hospitals funded by the municipalities and federal states. According to the Federal Government, the additional financial requirements can only be determined after the above-mentioned, concretizing ordinance has been issued. Across all critical operators, the federal government expects costs of over EUR 9 million to be incurred annually by the operators alone. Until the ordinance is issued, the hospital operators can therefore be urged to contribute more to the costs incurred.
Hospitals arealready obliged to take "technical and organizational precautions to ensure that [...] no unauthorized access to the [...] technical equipment used is possible". Furthermore, hospital IT must be technically secured against data protection breaches and disruptions. The "state of the art" must therefore be adhered to. The obligation to "use an encryption method recognized as secure" is explicitly mentioned.
Compliance with the obligations already in force is subject to fines of up to EUR 50,000.00. Available software updates, for example, should therefore be installed promptly. If third-party companies are involved in IT tasks or if third-party companies have access to data (e.g. in the case of external accounting offices or remote maintenance via external software houses), they should be contractually obliged to comply with the new regulations.
However, the new IT Security Act also brings opportunities: for example, it is now permitted to carry out "small-scale voluntary data retention" for up to six months in order to rule out security risks and to be able to detect and ward off potential technical attacks - at least where telecommunications services are concerned. This can be helpful in special situations.
Status: 21.09.2015