The new branch-specific security standard (B3S) of the German Hospital Federation (DKG) shows how hospitals can improve their IT security. The Federal Office for Information Security (BSI) officially recognised this standard in October 2019; its implementation meets the legal requirements.
Hospitals are critical infrastructure operators and, if they treat a minimum of 30,000 cases a year, must prove to the BSI every two years that they implement adequate protective measures for their IT systems. ‘The B3S is a very rigorous security standard,’ explains Markus Holzbrecher-Morys, deputy managing director of the Department for IT, Data Exchange and eHealth at the DKG. He was closely involved in its development. ‘The subject of IT security is very important to us here at the DKG.
‘The B3S lists 168 standards that must be implemented. However, realistically, not all points can be covered in one inspection and several assessments are likely to be required.’ If shortcomings are detected, they have to be reported to the BSI along with an improvement plan. The BSI has extensive information and access rights to verify compliance with the legal requirements; this includes demanding proof of implementation and, if a lack of IT security measures is determined, it can also impose fines.
The situation is always difficult when failings cannot be resolved for financial reasons. The German federal states are liable to fund the investment costs. However: ‘For a number of years we have been following the case of a hospital which had to move its computer centre into a building with pressurised water pipes under the ceiling,’ Holzbrecher-Morys reports. ‘The state should have paid for the replacement of the pipes, which are clearly a flaw, but for years it has not done so. In this case, the hospital's hands are tied, the problem continues but the BSI cannot do anything about it.’
Costs can equate to an entire annual budget
The DKG does not deny that the implementation of the measures detailed in B3S is associated with costs. On average, they translate into a one-off investment of €2 million, with an annual €600,000 for operation, staff and investment costs in the following years, according to a current survey. ‘For some hospitals, this equates to their entire annual IT budget,’ Holzbrecher-Morys points out. ‘But, we have no satisfactory answers as to how this should be covered. Without some financial leeway it is difficult for some hospitals.’
However, he maintains that the improvement of IT security is necessary for all hospitals, including those with fewer than 30,000 cases a year. ‘An IT security breach can quickly turn into a data security breach. Even more important: IT security also means patient security. All hospitals have responsibility towards their patients, which is why they must focus on this subject.’ This is also the view at the BSI, which stated: ‘Information security is the prerequisite for successful digitisation of IT-security. IT security is not a cost item but a necessary investment into operability and the future of an organisation. It should become routine in the same way as disinfection.’
To make it easier for smaller institutions, the DKG is currently working on a ‘light version’ of the B3S, which makes it possible to achieve a lot with low expenditure: ‘IT security must be internalised,’ Holzbrecher-Morys explains. ‘Initially an IT security officer is appointed. Additionally, all staff members should receive regular training on the subject. These are some essential points.’
‘From an IT perspective, medicine is now networked to a very large degree, no matter which departments you look at,’ says Stefan Bücken, IT Security Officer at Erlangen University Hospital, Germany.
Under cyber attack
What can happen when a cyber attack is successful was demonstrated in July 2019. The entire network of the DRK hospitals in Rhineland-Palatinate and Saarland was hacked. The BSI knows of further cases in hospitals in Neuss, Giessen and Fürstenfeldbruck. ‘Most hospitals have numerous IT connections – 30,000 devices is not unusual. Add to this different IT and device suppliers and old systems that are no longer supported and cannot be integrated into modern IT security structures without great difficulty,’ which makes access easier for hackers. At worst, this unauthorised access leads not only to theft of sensitive patient data, but also to changed or switched-off product functionality. Unknown consequences for health, or even patient death, could result.
The current version of the B3S is now being revised. ‘It is a document in progress, with continuous revisions,’ Holzbrecher-Morys explains. ‘We will have finished it in the third or fourth quarter of 2020 and be prepared for the next assessment in 2021. We have succeeded in writing a joint paper with all those involved in the process, which was approved by the BSI, which was not a given. We have made a successful start and now we can build on this.’
Markus Holzbrecher-Morys is Deputy Managing Director of the Department for IT, Data Exchange and eHealth at the German Hospital Federation (DKG). After gaining his IT degree he initially carried out academic research, focusing on further developments of neuroinformatic procedures for bio signal analysis. Since 2008 he has been responsible for electronic data exchange procedures in hospitals and hospital IT at the DKG, particularly for technical data protection, IT risk management and information security.