What does IT security in healthcare mean?

The increasing use of digital solutions in administration, diagnostics, and treatment is also putting the issue of cybersecurity in healthcare increasingly into the spotlight. In hardly any other industry is the reliable operation of digital services more essential than in this sector. In an emergency, human lives depend on whether the technology ensures smooth treatment.

Person works on a laptop

01

A definition of IT security and data protection in healthcare

IT security plays two important roles in the healthcare system. Firstly, critical systems for administration, diagnostics, and treatment must be reliably secured. The well-being of patients depends on these systems. Secondly, IT security is essential for the concrete implementation of the demanding requirements for data protection. After all, if you want to protect data, there is no way around having to consistently safeguard information.

02

Why is e-health exacerbating the threat situation?

As the digitization of systems and processes progresses, the digital attack surface of laboratories, hospitals, and e-health companies is also growing at a vigorous pace. The more things go digital, the more they can be targeted by cybercriminals. In its Risk Barometer 2021, the Allianz financial services company currently ranks cyber incidents as the biggest threat to healthcare. Especially since the beginning of the corona pandemic, the German Federal Criminal Police Office (BKA), Interpol, and the German Federal Office for Information Security (BSI) have noted a massive increase in attacks on the healthcare sector. In addition to hospitals and laboratories, the websites and portals of institutions such as the Robert Koch Institute and the European Medicines Agency (EMA) were the primary targets of attackers.

Corona putting fuel on the fire

In addition, cybercriminals are taking advantage of the ongoing high level of interest in information about corona for extensive spam and phishing campaigns. The BKA reports that in the context of the corona pandemic, the number of malicious domains grew by 569 percent in the February/March 2020 timeframe. Consequently, cybercriminals used 16 percent of domains for phishing attacks, while 84 percent were used to host malware. Due to the heightened threat situation, maintaining IT security in healthcare requires ever greater efforts.

Healthcare data breach graph: 50% malicious attacks, 27% human errors, 23% system failures.

03

Why is it so difficult to implement IT security and data protection in e-health?

For e-health solutions to find acceptance among the general public and be used voluntarily by doctors and patients alike, the services must work quickly and conveniently. Users are accustomed to an intuitive user interface on smartphone apps that responds quickly and stably to input. They also expect this level of fine-tuning from e-health services regardless of the much higher compliance requirements in this sector. However, the higher the security and data protection requirements for an application, the more difficult it is to implement fast and uncomplicated use. To achieve the best possible results without any trade-offs requires modern technology and the highest level of expertise.

Doctor with a cell phone in hand

Why are online portals the key to e-health success?

Many e-health solutions, such as the electronic patient record (ePA), offer users an administrative interface on the internet. This is where health data can be viewed and access for hospitals and laboratories can be set up. High-performance and fail-safe infrastructure is required to ensure that this works smoothly in practice. In particular, outside attacks must be blocked. These include DDoS attacks, which aim to paralyze the internet platform, and even attacks by bots. Cybercriminals can use the latter to carry out credential cracking attacks to steal patient login data. This information can be sold for profit on illegal marketplaces on the darknet. If problems and failures multiply at this interface between patients and e-health, trust in the technology may suffer lasting damage.

04

How are IT security and data protection in healthcare regulated by law?

New digital solutions in e-health work with a large number of sensitive data sets such as diagnostic findings, X-ray images, and laboratory results. This information is subject to the strictest security and data protection requirements. The compliance guidelines for the healthcare sector are based on the General Data Protection Regulation (GDPR), the German Social Code (SGB) V and X, the E-Health Act, the Digital Healthcare Act (DVG), and the Patient Data Protection Act (PDSG). Anyone who wants to work with sensitive health information must ensure its integrity and confidentiality and provide an adequate level of protection.

For laboratories, hospitals, and companies that exceed certain thresholds in patient care, the requirements of the BSI Act (BSI-KritisV) and the IT Security Act (IT-SiG) also apply. These include, for example, hospitals that treat more than 30,000 inpatient cases per year. Legislation requires the operators of such critical infrastructure facilities to regularly demonstrate that their IT is secured in accordance with the state of the art. In all cases, the protection must be needs-based and risk-oriented.

What are the penalties for violations of data protection and IT security?

If patient data is lost due to negligence or inadequately secured systems fail due to a hacker attack, those in positions of responsibility face severe fines and even imprisonment. Penalties can run up to 20 million euros or four percent of annual global revenues, whichever is higher.

In the past, fines running into the millions have been imposed several times for violations of the GDPR. Since the end of the Privacy Shield agreement for transatlantic data transfers between the U.S. and the EU, government agencies have been taking a closer look when it comes to failures in data protection. In particular, legally compliant collaboration with U.S. cloud service providers now poses a huge obstacle. In principle, agreements based on standard contractual clauses or Binding Corporate Rules (BCR) are possible, but there are some challenges to be overcome in terms of implementation. Thus, the data exporter bears responsibility for verifying the level of protection. Personal data must essentially enjoy equivalent protection in a third country (such as the U.S.) as under the GDPR. Otherwise, guarantees must be implemented via additional security mechanisms in accordance with Article 46 of the GDPR.

05

What you need to know about IT security and data protection in healthcare

The more the digital transformation in healthcare progresses, the more crucial it becomes to secure the newly implemented systems and processes. These services optimize administration, enable the rapid exchange of important treatment data, and improve collaboration between doctors, laboratories, and pharmacies across the board. If disruptions or failures occur here, the medical care of patients takes a direct hit, and in an emergency, human lives may even be at stake. For this reason, consistent protection is priority number one. Moreover, data protection is also paramount for the healthcare sector. In the EU, the GDPR gives personal data a special protected status. Furthermore, the sector must comply with the SGB, DVG, PDSG, and the E-Health Act in data processing and information security. Violations of security and data protection requirements are punishable by heavy fines.

At the same time, e-health solutions should be as efficient and convenient as possible in order to facilitate the day-to-day work of medical staff and provide patients with real added value. If too many compromises have to be made due to security and data protection requirements, this will considerably lower acceptance and the willingness to implement them. With modern technology and the necessary expertise, however, it is certainly possible to develop fast, convenient, and secure e-health solutions. Specialized service providers can play a key role in supporting the healthcare sector in their implementation. A similar strategy is being pursued by gematik, which is currently pushing ahead with the development of the German Telematics Infrastructure 2 (TI 2.0). As an internet-based platform, TI 2.0 is intended to provide a future-proof basis for e-health services and open communication between services and users. gematik is working closely with industry and service providers to ensure rapid further development and interoperability.