31-Jan-2020
And in the overall ranking of the Bertelsmann Stiftung's Digital Health Index, digitization in the healthcare sector in Germany is comparatively far behind: Group 4 of 4, 16th place out of 17. One reason for this may certainly be the stricter data protection regulations in this country, but there is also no uniform nationwide standard in Germany for certified IT security solutions and medical devices; instead, there are many.
Nevertheless, we will have to deal with a large number of networked medical devices in the future. Respirators, defibrillators and pacemakers are already "smart" and able to collect and "communicate" data, in other words to exchange it. This is traditionally done via interfaces, and each of these interfaces requires IT security. The number of such interfaces in the health sector is constantly increasing.
Companies in the healthcare industry that have reached or are close to reaching the CRITIS threshold are advised to implement the industry-specific security standards, also known as B3S. Under the IT Security Act, companies classified as Critical Infrastructure Protection (CIP) operators are obliged to provide special protection. The German Hospital Federation (DKG) has presented the B3S for this purpose; it applies to hospitals with 30,000 or more full inpatient cases per year. Its aim is to guarantee medical patient care, of which IT is a fundamental part.
Important precautions that hospitals should take in the area of IT security, regardless of bed count and inpatient case numbers:
- Network security: firewalls in permanent use, securing wireless networks, encryption of external communication, network access controls, port management
- Endpoint security: programs for detecting viruses and malware should be part of the basic equipment; in addition, measures for identifying unauthorized removable media, and hard disk encryption
- Protection of mobile devices: securing WLAN connections; professional device, user and password management
- Web security: secure surfing, separation of intranet and internet, protection against harmful mail attachments, checking of potentially harmful attachments from office applications
- Data security: encryption and decentralized backup of databases
- Protection of data and systems: smartcards, two-factor authentication
General IT security recommendations for hospitals:
- Separation of medical and non-medical networks
- Increase interface security, especially in the HIS (hospital information system) area
- Separation of applications from the rest of the system
- Secure connections to HIS and other systems
- Secure, encrypted telematics infrastructure (secure electronic signatures, authentication, networking of various players) for the secure transmission of patient data between hospitals and registered doctors and therapists.
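"Separation of medical and non-medical networks" and "interface security in the HIS area" are usually enforced by a first-match firewall between the segments, and the common way such a policy fails is not a missing rule but a broad rule placed ahead of a narrow one. The block below is an added example, not from the article or from the DKG's B3S: a small policy checker that evaluates constructed flows against a constructed ruleset, reports rules that are shadowed by an earlier rule, and runs the segmentation intent as a regression test. The zone names (`office`, `medical`, `guest`, `internet`) and the rulesets are invented for the example; TCP 2575 is the IANA-registered HL7 port and stands in here for the HIS interface engine.

```python
"""Added example (not from the original article or the B3S): first-match
firewall policy checks for a segmented hospital network. All zones, rules
and expected flows are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard for a zone, protocol or port field

Flow = Tuple[str, str, str, int]  # (src_zone, dst_zone, proto, dst_port)


@dataclass(frozen=True)
class Rule:
    src_zone: Optional[str]
    dst_zone: Optional[str]
    proto: Optional[str]      # "tcp", "udp" or ANY
    dst_port: Optional[int]   # destination port or ANY
    action: str               # "accept" or "drop"

    def fields(self) -> Tuple:
        return (self.src_zone, self.dst_zone, self.proto, self.dst_port)

    def matches(self, flow: Flow) -> bool:
        """A rule matches when every field is a wildcard or equals the flow's value."""
        return all(f is ANY or f == v for f, v in zip(self.fields(), flow))

    def covers(self, other: "Rule") -> bool:
        """True if everything `other` could match is matched by self as well."""
        return all(m is ANY or m == t for m, t in zip(self.fields(), other.fields()))


def evaluate(rules: List[Rule], flow: Flow, default: str = "drop") -> str:
    """First matching rule wins; unmatched traffic falls to the default (deny by default)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already covers them."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


def audit(rules: List[Rule], expectations: List[Tuple[Flow, str]]) -> List[Tuple[Flow, str, str]]:
    """Regression test of the segmentation intent: (flow, expected, actual) mismatches."""
    violations = []
    for flow, expected in expectations:
        actual = evaluate(rules, flow)
        if actual != expected:
            violations.append((flow, expected, actual))
    return violations


# Constructed zones: "office" (administration), "medical" (devices and HIS),
# "guest" (patient WLAN), "internet". The only office -> medical path allowed
# is HL7 over MLLP (TCP 2575) to the HIS interface engine.
GOOD_RULES = [
    Rule("office", "medical", "tcp", 2575, "accept"),
    Rule("office", "medical", ANY, ANY, "drop"),
    Rule("medical", ANY, ANY, ANY, "drop"),        # medical segment never initiates outward
    Rule("guest", "internet", "tcp", 443, "accept"),
    Rule("guest", ANY, ANY, ANY, "drop"),
    Rule("office", "internet", "tcp", 443, "accept"),
]

# Same intent, but the broad accept was placed first: it shadows the narrow
# HL7 rule and opens the whole medical segment to the office network.
BAD_RULES = [
    Rule("office", "medical", ANY, ANY, "accept"),
    Rule("office", "medical", "tcp", 2575, "accept"),
    Rule("medical", ANY, ANY, ANY, "drop"),
    Rule("guest", ANY, ANY, ANY, "drop"),
]

EXPECTATIONS = [
    (("office", "medical", "tcp", 2575), "accept"),  # HIS interface traffic
    (("office", "medical", "tcp", 3389), "drop"),    # no remote desktop into the medical segment
    (("guest", "medical", "tcp", 2575), "drop"),     # patient WLAN stays out entirely
    (("medical", "internet", "tcp", 443), "drop"),   # devices do not talk to the internet
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, "violations:", audit(rules, EXPECTATIONS), "shadowed:", shadowed_rules(rules))
```

The checker models zones rather than addresses, which is what a hospital's segmentation policy is written in terms of; mapping it onto a real firewall means exporting that firewall's rules into `Rule` objects and keeping `EXPECTATIONS` under version control so that every rule change is re-tested before it is deployed. The shadowing test is deliberately conservative: it only flags a rule when a single earlier rule covers it completely.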
Outlook
- Networking - Hospitals network with the other sectors via the telematics infrastructure: secure communication across sector boundaries
- NFDM (emergency data management) and eMP (electronic medication plan) - Medical applications of the telematics infrastructure arrive in the area: emergency data (for emergencies and unknown patients) and the electronic medication plan
- ePA (electronic patient file) - Health insurance companies are obliged to offer their insured persons an electronic patient file from 1.1.2021 onwards. Insured persons in turn grant service providers access to their data, including hospital data
- DiGA (Digital Health Applications) - Could be "prescribed" to patients
Legend
Critical Infrastructure Protection thresholds: health
- 30,000 patients per year in the area of inpatient medical care
- 90.68 million Euro annual turnover for production facilities of directly life-sustaining medical devices
- 4.65 million packages per year for production facilities for prescription drugs and blood and plasma concentrates for use in or on the human body
- 34,000 products per year for equipment and systems for the collection and processing of blood donations
- 1.5 million transmitted orders/findings per year in laboratory diagnostics