IT security creates a foundation of trust for e-health solutions

Digitization in the healthcare sector is advancing inexorably. New digital solutions, such as the electronic patient record (ePA), the e-prescription, electronic certificates documenting incapacity to work (eAU), and the digital vaccination certificate, are increasingly replacing their analog equivalents. The smartphone is developing into a centralized health hub providing an interface to doctors, health insurance companies, and hospitals. This far-reaching transformation is enabling immense increases in efficiency: critical health data is available at all times, allowing unnecessary multiple diagnoses and examinations to be avoided when changing doctors or hospitals.

In addition to concrete added value, the basic prerequisite for user acceptance and thus the success of the new e-health solutions is above all trust in the technology. The German Federal Ministry of Health (BMG) wants to strengthen this by imposing strict data protection requirements. The protection of critical patient data is one of the guiding principles of all digital medical solutions and requires IT security at the highest level. For this reason, the German Hospital Future Act (KHZG) ties funding for hospitals to investments in IT security.

Coping with demand and external attacks: challenges for digital infrastructure

Possible consequences of cyberattacks on e-health solutions and telematics:

• Delayed transfer of critical emergency data

• Difficulty prescribing medication in emergency situations

• Superfluous multiple examinations

• Delayed treatment

• Patients do not have access to their own health data

• Fines for data breaches & data leaks

E-health solutions, such as the ePA and the digital vaccination certificate, are designed to be used by millions of citizens. The associated online portals and interfaces have to work flawlessly, even under heavy use and with unpredictable peaks in traffic. Without flexible scalability and overload protection, there is a risk of critical services failing, as was observed with some vaccination portals, which temporarily were unable to cope with the immense rush of users.

IT infrastructure is also increasingly at risk of external attacks. Since the beginning of the corona pandemic, the healthcare system and other critical sectors have increasingly come under attack. This is shown by both mitigation data from Myra Security and studies by Interpol, the German Federal Criminal Police Office (BKA), and the German Federal Office for Information Security (BSI). In fact, in its latest Risk Barometer, Allianz ranks cyber incidents as the biggest risk to healthcare, along with pandemic outbreaks.

Data protection hurdles when choosing a service provider

The requirements for data protection and IT security are particularly high for health data and thus also for e-health solutions. This is reflected in Article 9 of the General Data Protection Regulation (GDPR) and the increasingly demanding regulatory requirements of the German Federal Ministry of Health (BMG) and gematik, the Society for Telematics Applications. E-health operators, hospitals, and physicians must therefore address internal data architecture and compliance issues more intensively.

Outsourcing IT security is an efficient alternative to managing costly in-house operations. If desired, Managed Service Providers can handle the implementation, maintenance, and operation of all necessary security solutions. This eliminates the need for additional expenditures on software, hardware, and personnel. Of course, it is important to carefully select a service provider. Partnerships with U.S. providers have been on shaky ground since the suspension of the Privacy Shield agreement for transatlantic data transfers, as the legal basis is lacking and data protection provisions are difficult to implement due to the conflicting positioning of EU and U.S. law. These hurdles can be overcome by choosing local providers who are subject to local jurisdiction and meet the highest data protection requirements.