Digitalisation has changed the healthcare system for good. The desire to optimise processes and manage data more efficiently makes the sector ever more dependent on information technology systems, which in turn makes it increasingly exposed to cyber attacks. To ensure the security of sensitive health data, the legislator has set out special requirements. A central element is the C5 certificate of the Federal Office for Information Security (BSI), under which cloud services are audited for their security.
Legal framework: The Digital Act and Section 393 SGB V
In March 2024, the Digital Act (DigiG) came into force, which, among other things, restructured and expanded the requirements for cybersecurity in the healthcare sector. § 393 SGB V now explicitly regulates the use of cloud computing services by service providers and by health and long-term care insurance funds. Accordingly, social and health data may only be processed in the cloud under certain conditions.
Essential requirements according to § 393 SGB V
- Spatial limitation of data processing: Processing may only take place domestically, in an EU member state, or in a third country with a recognised adequate level of data protection.
- Technical and organisational measures (TOM): Appropriate precautions must be taken to ensure information security.
- C5 certificate: A current C5 certificate from the BSI must be available for the cloud services used.
- Implementation of the corresponding end customer criteria: Service providers must implement the specific requirements set out in the audit report of the attestation.
What is the C5 certificate?
The Cloud Computing Compliance Criteria Catalogue (C5) is a criteria catalogue from the BSI that defines minimum requirements for the security of cloud services. It covers 17 subject areas with over 120 individual criteria, including areas such as data security, compliance and transparency.
Significance for service providers
Hospitals, doctors' practices and other healthcare providers are now required by law to ensure that the cloud services they use hold a current C5 certificate. It serves as proof that the cloud service meets high security standards and thus safeguards the protection of sensitive patient data.
Types of C5 Attestations
- C5 Type 1: Attests to the compliant status of the cloud systems at a specific attestation point in time. This attestation is valid until June 30, 2025.
- C5 Type 2: Confirms the compliant status over a defined period of time. This attestation is mandatory from July 1, 2025.
Practical implementation and challenges
Selection of suitable cloud service providers
Service providers must ensure that their cloud service providers hold a valid C5 certificate. This requires careful selection and regular review of providers.
Compliance with end customer criteria
The requirements for end customers contained in the C5 certificate must be implemented by the service providers themselves. This includes, for example, specific configurations and security measures in their own IT systems.
Contractual protection
When using IT services, it must be contractually guaranteed that the requirements of the C5 certificate are met. This also includes obliging subcontractors to comply.
Benefits of C5 Certification
- Increased data security: Protection against cyberattacks and unauthorised access to sensitive health data.
- Legal certainty: Fulfilment of the legal requirements under § 393 SGB V.
- Confidence building: Strengthening the trust of patients and partners in the security of data processing.
- Competitive advantage: Positioning as a modern and security-conscious service provider.
Support from Gabler & Hendel Lawyers
The implementation of legal requirements poses challenges for many service providers. Gabler & Hendel Lawyers are at your side to provide you with competent support. We offer:
- Legal advice on IT security: Comprehensive advice on legal requirements and their practical implementation.
- Contracts: Preparation and review of contracts with cloud service providers, taking compliance requirements into account.
- Compliance management: Support in implementing processes to comply with the end customer criteria of the C5 attestation.
- Training: Raising awareness among your employees of the importance of IT security and data protection in healthcare.
Conclusion
The increasing digitisation of the healthcare sector requires high security standards when processing social and health data. The BSI's C5 certificate ensures that cloud services meet these requirements. Because of the legal anchoring in § 393 SGB V, it is essential for service providers to familiarise themselves with the requirements and implement them. With the support of Gabler & Hendel Lawyers you are well equipped to ensure compliance and benefit from the advantages of secure cloud solutions.