In times of cybercrime and data protection breaches, IT security in medical practices is becoming increasingly important. The new IT security guideline in accordance with Section 75b SGB V ensures that sensitive patient data is protected against unauthorized access. The guideline was developed by the National Association of Statutory Health Insurance Physicians (KBV) in cooperation with the Federal Office for Information Security (BSI).
The IT security guideline translates the requirements of the General Data Protection Regulation (GDPR) into clear and practice-oriented requirements for data protection in medical practices. By implementing these measures, practices can ensure the security of confidential patient data and comply with legal requirements.
Key findings
- The IT security guideline sets binding standards for IT security in medical practices.
- It was developed by the KBV in agreement with the BSI.
- The guideline translates the GDPR requirements into concrete measures for the medical sector.
- By implementing it, practices can ensure data protection and comply with legal requirements.
- The KBV provides implementation aids such as explanatory videos and sample documents.
What is the IT security guideline in accordance with Section 75b SGB V?
The General Data Protection Regulation (GDPR) regulates the handling of personal data throughout Europe, but until now there has been a lack of specific requirements for medical practices. The IT security guideline in accordance with Section 75b SGB V was developed to close this gap.
Translation of the GDPR for medical practices
Its aim is to translate the provisions of the GDPR into clear and practicable requirements for IT security. This should make it easier for doctors to implement data protection requirements and create legal certainty.
Purpose: Clear and practicable requirements for IT security
The IT security guideline defines binding standards and specific measures that medical practices can use to ensure the security of sensitive patient data. It translates the general requirements of the GDPR into practicable requirements for the medical sector.
Developed by the KBV in agreement with the BSI
The National Association of Statutory Health Insurance Physicians (KBV) developed the guideline in agreement with the Federal Office for Information Security (BSI), the central cyber security authority in Germany. It therefore combines expertise from both areas, healthcare and IT security.
Which practice sizes and systems are affected?
The IT security guideline contains five annexes whose requirements apply depending on the practice size and equipment. The basis is Annex 1, whose specifications are mandatory for all practice types.
Annex 1: Requirements for all practice types
Annex 2: Additional requirements for medium-sized practices
Medium-sized practices with more than 20 employees in the data processing area must also meet the requirements of Annex 2.
Annex 3: Additional requirements for large practices
In addition to Annex 1, the extended requirements of Annex 3 also apply to large practices.
Annex 4: Additional requirements for large medical devices
Practices that operate large medical devices must comply with the specific requirements of Annex 4.
Annex 5: Requirements for decentralized components of the telematics infrastructure
Annex 5 regulates IT security for the decentralized components of the telematics infrastructure.
The exact definitions of the various practice sizes and the detailed requirements of the respective annexes are laid down in the guideline.
Secure use of apps
The IT security guideline contains precise specifications for the secure handling of mobile apps in medical practices. To ensure a high level of app security, some important aspects must be taken into account.
Only install apps from official stores
Only apps from trustworthy app stores such as Google Play or the Apple App Store may be installed. Apps from unofficial sources pose increased security risks and should therefore be avoided.
Activate automatic updates
In order to always use the latest and most secure version of an app, the automatic update function must be activated. This ensures that security gaps are closed quickly and data protection is kept up to date.
Avoid data outflow to third-party providers
In order to protect the confidentiality of sensitive practice data, only apps that do not transmit data to third-party providers such as advertising companies or analytics services may be used.
Encrypt local app data
If data is to be stored locally on a smartphone or tablet, it must be stored in encrypted form to prevent unauthorized access.
Security aspect | Requirement |
---|---|
App sources | Only official app stores |
Updates | Activate automatic updates |
Data transfer | No data transfer to third parties |
Local data | Encryption on the end device |
Minimization and control of app permissions
The IT security guideline places particular emphasis on controlling and minimizing app permissions. The permissions granted to mobile applications should be reduced to the absolute minimum necessary and their use carefully monitored. This serves to protect sensitive patient data from unauthorized access.
Dispensing with cloud storage
Furthermore, the use of cloud storage services such as iCloud or Google Drive is no longer permitted in medical practices. The guideline prohibits the storage of confidential data in the cloud in order to avoid security risks from third-party providers. Instead, local storage solutions must be used that comply with the strict requirements for data security.
Secure authentication for web applications
With regard to web applications, the IT security guideline prescribes secure authentication. Access must be protected by at least a user name and password. In addition, an automatic logout is required after a certain period of inactivity to prevent unauthorized access.
For medium-sized and large practices, additional security requirements also apply with regard to permissions, cloud usage and authentication for web applications. The exact specifications can be found in the corresponding annexes of the guideline.
Protection of confidential data
The IT security guideline places a special focus on the protection of confidential data in medical practices. Several specific measures are prescribed to ensure the security of this sensitive information.
No storage in the browser
One of the core requirements is that no confidential data may be stored in the browser. This prevents unauthorized persons from accessing this information on unattended computers.
Regular deletion of browser data
In addition, browser data such as history and cookies must be deleted regularly. This is the only way to ensure that any cached confidential data is permanently removed from the practice PCs.
Only use HTTPS connections
When confidential data is transmitted via the Internet, for example to web applications, encryption is mandatory. For this reason, all Internet connections in the practice must use HTTPS, the secure hypertext transfer protocol. The integrity of the certificates used should always be checked to ensure browser security.
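As an added illustration (not part of the guideline or this article), the following Python code shows how a practice client can enforce the HTTPS-only rule and check the certificate it is presented with: a scheme check, a strict TLS context, and hostname and expiry checks on the certificate metadata. The sample certificate dictionary, host names and the 14-day warning threshold are constructed for this example.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

def https_only(url):
    parts = urlsplit(url)   # plain http:// (or any other scheme) is rejected
    return parts.scheme == "https" and bool(parts.hostname)

def strict_tls_context():
    """Client TLS settings: chain validation against the system CA store, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def hostname_covered(cert, hostname):
    """Does a subjectAltName DNS entry (exact name or one-level wildcard) match the host?"""
    names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    wildcard = "*." + hostname.split(".", 1)[1] if "." in hostname else ""
    return hostname in names or wildcard in names

def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def certificate_problems(cert, hostname, now=None, min_days=14):
    """Reasons not to trust a certificate dict as returned by SSLSocket.getpeercert()."""
    problems = []
    if not hostname_covered(cert, hostname):
        problems.append("hostname not covered by certificate")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        problems.append("certificate expired")
    elif remaining < min_days:
        problems.append("certificate expires soon")
    return problems

def audit_https_endpoint(url, timeout=5):
    """Connect with the strict context (invalid chains already fail here), then run the extra checks."""
    if not https_only(url):
        return ["URL is not https://"]
    host, port = urlsplit(url).hostname, urlsplit(url).port or 443
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with strict_tls_context().wrap_socket(sock, server_hostname=host) as tls:
            return certificate_problems(tls.getpeercert(), host)

SAMPLE_CERT = {"subjectAltName": (("DNS", "portal.example-praxis.de"), ("DNS", "*.example-praxis.de")),
               "notAfter": "Mar 15 00:00:00 2026 GMT"}   # constructed sample, not a real certificate
```

Running audit_https_endpoint against a real practice portal needs network access; the metadata checks can be exercised offline with SAMPLE_CERT.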
Firewall and access control
One of the central security measures of the IT security guideline concerns the protection of web applications in medical practices. According to the directive, practices that host such applications themselves must take additional security precautions to prevent unauthorized access and misuse.
Using firewalls for web applications
In order to effectively protect web applications from attacks from the Internet, the guideline provides for the use of special web application firewalls (WAF). These firewalls monitor all data traffic to and from the web applications and block suspicious activities.
Protection against automated access
In addition to the firewalls, access control mechanisms must be implemented that are specifically designed to protect against automated attacks such as brute-force attacks. These include captchas, for example, where the user must prove that the access is human.
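The username/password login with automatic logout required for web applications (see the authentication section above) and the brute-force protection mentioned here can be combined in one piece of server-side logic. This Python example is added for illustration and is not from the guideline or the article; the inactivity timeout, lockout threshold and lockout duration are assumed values, as are the user names used in the test.

```python
import hashlib
import os
import secrets
import time
INACTIVITY_LIMIT = 10 * 60   # assumed: seconds of inactivity before automatic logout
MAX_FAILURES = 5             # assumed: failed logins before the account is temporarily locked
LOCKOUT_SECONDS = 15 * 60    # assumed: length of that lockout

def hash_password(password, salt=None):
    """Salted scrypt hash; the stored digest does not reveal the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

class PracticeWebAuth:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so expiry can be tested deterministically
        self.users = {}         # username -> (salt, digest) as produced by hash_password
        self.failures = {}      # username -> (failed attempts, locked until)
        self.sessions = {}      # session token -> (username, last activity)

    def login(self, username, password):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return None         # locked out: the password is not even evaluated
        record = self.users.get(username)
        if record is not None:
            salt, digest = record
            if secrets.compare_digest(hash_password(password, salt)[1], digest):
                self.failures.pop(username, None)
                token = secrets.token_urlsafe(32)
                self.sessions[token] = (username, now)
                return token
        count += 1              # unknown names are counted as well
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        return None

    def authenticated_user(self, token):
        """Resolve a session token; sessions idle longer than the limit are logged out."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, last_activity = entry
        now = self.clock()
        if now - last_activity > INACTIVITY_LIMIT:
            del self.sessions[token]
            return None
        self.sessions[token] = (username, now)
        return username
```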
Implementing rights concepts for web applications
Furthermore, well thought-out rights management in the web applications is mandatory. Only authorized users should be able to access sensitive functions and data. Access control is to be implemented by means of a role and authorization concept based on the need-to-know principle.
Security measure | Description | Purpose |
---|---|---|
Web application firewall | Special firewall for the protection of web applications | Detection of and defense against attacks |
Captchas | Security queries to distinguish humans from bots | Protection against automated access |
Role-based rights management | Finely graded authorization concept in web applications | Access control according to the need-to-know principle |
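A role and authorization concept based on need-to-know, as the rights management paragraph above requires, can be expressed as a deny-by-default permission check with an audit trail. This Python example is added for illustration and is not from the guideline or its annexes; the role names, permission strings and patient id are assumptions.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed role model for a practice web application (assumed, not from the directive)
ROLE_PERMISSIONS = {
    "reception": {"appointment:read", "appointment:write", "patient:read_basic"},
    "physician": {"appointment:read", "patient:read_basic", "record:read", "record:write"},
    "billing": {"patient:read_basic", "invoice:read", "invoice:write"},
    "it_admin": {"user:manage", "audit:read"},   # manages accounts, never sees records
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

class AccessControl:
    """Deny by default: a permission exists only if one of the user's roles grants it,
    and every decision is recorded so access can be audited afterwards."""
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.audit_trail = []

    def permissions_for(self, user):
        granted = set()
        for role in user.roles:
            granted |= self.role_permissions.get(role, set())   # unknown role grants nothing
        return granted

    def is_allowed(self, user, permission):
        allowed = permission in self.permissions_for(user)
        self.audit_trail.append((user.name, permission, "allow" if allowed else "deny"))
        return allowed

    def require(self, permission):
        """Decorator guarding a sensitive function of the web application."""
        def decorator(func):
            @wraps(func)
            def wrapper(user, *args, **kwargs):
                if not self.is_allowed(user, permission):
                    raise PermissionError(f"{user.name} may not {permission}")
                return func(user, *args, **kwargs)
            return wrapper
        return decorator

access = AccessControl(ROLE_PERMISSIONS)
@access.require("record:read")
def read_patient_record(user, patient_id):
    return f"record {patient_id} opened by {user.name}"   # stands in for the real lookup
```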
Further security measures
The IT security guideline not only takes software security into account, but also regulates the physical security of end devices in medical practices. For example, certain measures must be taken to prevent unwanted access to microphones, cameras and screen content.
Prevention of unwanted microphone and camera access
If the microphone or camera is not required, these components must be deactivated or covered. This protects against unauthorized recordings and possible data protection violations due to unwanted access.
Screen lock during inactivity
To ensure that confidential data does not fall into the wrong hands, all end devices such as PCs, laptops and tablets must have a screen lock. This automatically blocks access after a certain period of inactivity so that unauthorized persons cannot access the running systems.
These additional security measures are intended to ensure comprehensive protection of confidential data and information in medical practices. The consistent implementation of the guideline is of fundamental importance.
Implementation aids and resources
To help medical practices implement the new requirements of the IT security guideline, the National Association of Statutory Health Insurance Physicians (KBV) and the Associations of Statutory Health Insurance Dentists such as the KVWL provide extensive implementation aids and handouts.
Information and examples from the KBV and KVWL
The KBV and KVWL offer practical tips and illustrative examples that make it easier for practices to interpret and implement the guideline. These handouts illustrate the specific requirements and show ways of putting them into practice.
Sample documents and explanatory videos
In addition, practices have access to sample documents as templates and explanatory videos on various IT security topics. These audiovisual aids explain the requirements in an understandable and practical way.
Contact points for questions and support
If they have any questions or need support, doctors can contact the contact points of the KBV, KVWL and other bodies, where they will receive competent advice and help with the professional implementation of the IT security guideline.
Conclusion
With the IT security guideline in accordance with § 75b SGB V, the National Association of Statutory Health Insurance Physicians (KBV) has taken an important step towards strengthening patient data protection in medical practices. Thanks to the uniform and binding standards for IT security defined therein, practices can now ensure the security of sensitive patient data while complying with legal requirements.
Despite the administrative burden involved in implementing the new requirements, this is a significant step towards strengthening patient confidence in data protection. Legal certainty and responsible handling of sensitive data are of utmost importance for medical practices in order to protect the privacy of their patients.
Fortunately, the KBV and the Kassenzahnärztliche Vereinigungen (KVen) provide extensive aids such as handouts, sample documents and explanatory videos to support medical practices with IT security. These resources facilitate the practical implementation of the guideline and provide contact points for questions and support.