2023-04-30

The IT security of a medical practice is increasingly characterized by a complex interaction of the telematics infrastructure, digital health and care applications, the further expansion of the electronic patient file (ePA) and, last but not least, the IT security guideline of the KBV. In this article, attorney Dr. Alex Janzen comments on some old and new challenges of IT security in medical practices.

Telematics infrastructure

The telematics infrastructure (TI) will be further expanded; in particular, it will cover further use cases, provide links to digital health and care applications, and so on. The Federal Office for Information Security (BSI) places high security requirements on the expansion of the TI. The further developed TI must leave room for changes and adjustments while at the same time maintaining the previous security standards. According to the BSI, maintaining these standards requires the security and risk analyses to be updated and expanded, and the BSI assumes that these processes are viewed holistically.

The end devices in medical practices that process confidential medical data must also include adequate security measures, which must be technically supported by the TI. According to the BSI, the requirements for the encryption techniques must also be met: certified cryptographic security anchors must be used. Communication between the TI and the user must be encrypted and protected by two-factor authentication in both directions. Irrespective of the high TI requirements, insured persons must be able to use all services even without having the appropriate end devices. The conversion to a new TI structure will require a migration concept and parallel operation of both systems for a period of time.

Digital health and care applications

According to § 33a paragraph 1 sentence 1 SGB V, digital health applications are intended to assist healthcare providers and patients in the detection, monitoring, treatment or alleviation of illness, injury or disability, and consist only of low-risk medical devices. Under these conditions, insured persons are entitled to be supplied with such digital health applications, provided that the Federal Institute for Drugs and Medical Devices has included the relevant application in the directory of digital health applications according to § 139e SGB V and a corresponding prescription or approval from the health insurance company is available.

The Federal Institute for Drugs and Medical Devices does not include digital health applications in the relevant directory ex officio, but only at the request of the manufacturer of an application. According to § 139e paragraph 2 sentence 2 SGB V, a manufacturer must provide evidence with the application that its digital health application

“1. meets the requirements for safety, functionality and quality, including the interoperability of the medical device,

2. complies with data protection requirements and ensures state-of-the-art data security and

3. has positive supply effects”.

According to § 40a paragraph 1 sentence 1 SGB XI, digital care applications are based on digital technologies and are used “to reduce impairments to the independence or the abilities of the person in need of care and to counteract a worsening of the need for care, insofar as the application is not covered by health insurance due to illness or disability or other responsible service providers”. Approved digital care applications are also recorded in a register.

Expansion of the electronic patient file (ePA)

The ePA is being further developed and expanded to include new components and functions. In addition to the introduction of the electronic prescription (e-prescription), the electronic certificate of incapacity for work (eAU) and the communication applications for service providers, the possibilities for patients to use the ePA are to be expanded step by step.

The Patient Data Protection Act of October 14, 2020 reaffirms and expands the rights of patients with regard to their data in the ePA. The key point of the legal regulation is the patient's sole authority to access his or her ePA and to make changes to it. Extensive medical information about insured persons, such as data on findings, diagnoses, therapeutic measures, etc., should have been included in the ePA by January 1st, 2021. From January 1st, 2022, the inclusion of further data was planned, in particular bonus and examination booklets, maternity records, vaccination documentation and health insurance benefits for the insured person. From January 1st, 2023, further data should have been included in the ePA: in addition to e-prescriptions and electronic certificates of incapacity for work, this can also be data from digital health applications, from nursing care and other data from the service providers for the patient.

IT security guidelines of the KBV

According to § 75b paragraph 1 sentence 1 SGB V, the KBV was legally obliged to define “the requirements for ensuring IT security in contract medical and contract dental care in a guideline” by June 30th, 2020. According to § 75b paragraph 2 SGB V, the requirements of this guideline must be suitable, based on the risk potential and the need for protection of the information processed, “to avoid disruptions of the information technology systems, components or processes of the contract medical service providers with regard to availability, integrity, confidentiality and other security objectives”. Furthermore, according to § 75b paragraph 1 sentence 2 SGB V, the IT security guideline of the KBV must also contain requirements regarding the installation and maintenance of the telematics infrastructure. According to § 75b paragraph 3 sentence 1 SGB V, the requirements of the IT security guideline must be adapted annually to the state of the art and the risk potential. According to § 75b paragraph 4 sentence 1 SGB V, the IT security guideline of the KBV is binding for the service providers in contract medical and contract dental care.

Guideline according to § 75b SGB V to ensure IT security

The KBV has implemented the mandate of § 75b SGB V in its “Guideline according to § 75b SGB V on the requirements for ensuring IT security” of December 16th, 2020. According to the KBV, contract doctors, who are the addressees of this IT security guideline, should assume that the guideline only contains the minimum standards for IT security in a medical practice. The IT security guideline is by no means a conclusive catalog of measures that stipulates all possible security precautions for all practices and in every case. Depending on the size, specialty and equipment of a practice, additional requirements may be placed on the IT security of a specific practice; whether these are necessary must be decided in each individual case.

The IT security guideline of the KBV does not specify uniform abstract requirements for all practices, but differentiates on the one hand according to the size of the practice and on the other hand according to whether the practice is equipped with large medical devices. As the size of a practice grows, so do the requirements for IT security in the practice concerned.

In total, three practice sizes are distinguished:

a contract medical practice with up to five persons permanently entrusted with data processing, a medium-sized contract medical practice with 6 to 20 persons permanently entrusted with data processing, and a large practice with more than 20 persons permanently entrusted with data processing. A practice that processes data to a considerable extent is treated as equivalent to a large practice; the IT security guideline names large MVZs with hospital-like structures or laboratories as examples of such practices.

Security requirements for practices by size

A practice must implement the IT security requirements of Annexes 1 and 5 insofar as it uses the target objects specified in those Annexes. A medium-sized practice must meet increased requirements: the requirements of Annexes 1, 2 and 5 apply to it. The requirements of Annexes 1, 2, 3 and 5 apply to a large practice and to a practice with significant data processing. Large medical devices in the practice must also meet the requirements of Annex 4, regardless of the size of the practice in question.

Annex 1, which applies to all practices regardless of their size, already contains numerous requirements for the IT security of practices. Although many of these requirements had already been implemented by numerous practices beforehand, some requirements are new or not yet widespread. For example, Annex 1 prescribes that cloud storage must not be used with office applications in the practice and that data minimization must be observed when using end devices running Windows as the operating system. Compared to Annex 1, the other annexes contain significantly more specific and complex requirements for the IT security of medical practices.