“Like other vital public services in Germany, including water and electricity, the German government classified hospitals as critical infrastructure or KRITIS.”
Under the BSI-KritisV, a hospital with more than 30,000 fully inpatient cases per year counts as critical infrastructure for German citizens. All KRITIS-designated hospitals were required to bring their IT security up to the required standard by the end of 2021.
Since 2021, hospitals in Germany have had to meet the security standards recognized by the BSI, a requirement sharpened by the rise in attacks during the global pandemic. The sector-specific security standard for hospitals, B3S, was developed by the German Hospital Federation (DKG) and recognized by the BSI; it comprises 168 requirements. Since § 75c SGB V took effect, hospitals that are not KRITIS operators must also keep their IT security at the state of the art, and applying B3S is the recognized way to demonstrate that, so the standard effectively reaches hospitals of every size.
A significant portion of the B3S requirements concerns monitoring, incident response, and reporting. To meet them, hospitals either staff their own security operations or outsource to a managed detection and response (MDR) service such as the Nova MDR solution from ForeNova.
What are the KRITIS Requirements for Hospitals?
Hospitals that fall under the KRITIS designation should use the ISO/IEC 27000 family of standards, ISO 27001 in particular, to meet several critical mandates, including the security controls the BSI requires.
These BSI-mandated controls include:
- Detection and response capabilities, including an attack-detection system (Systeme zur Angriffserkennung) as required by IT-SIG 2.0
- Reporting of significant IT disruptions to the BSI without undue delay (personal-data breaches must additionally be notified to the data protection authority within 72 hours under GDPR Article 33)
- Operation of an Information Security Management System (ISMS)
- A security operations capability able to detect and handle incidents around the clock
Here are other critical components hospitals need to execute for KRITIS:
Registration with BSI
KRITIS operators must register with the BSI and name a contact point that is reachable for compliance, cybersecurity, and incident notifications.
Implementation of Security Measures and Intrusion Detection Systems
KRITIS hospitals must implement and maintain appropriate organisational and technical measures, processes, and procedures to protect their IT systems against cyberattacks, in line with the state of the art and the BSI's minimum standards.
Reporting Mandates and Information Sharing With the BSI
KRITIS operators must report significant IT disruptions to the BSI without undue delay, with enough detail for the BSI to assess and manage the incident. KRITIS hospitals are also expected to exchange relevant security information with the BSI and with other hospitals.
A KRITIS-designated hospital also needs to develop and maintain a comprehensive disaster recovery and business continuity plan that includes:
- Business impact analysis (BIA)
- Business continuity management
- Business continuity plan
- Recovery time objectives
Aligning KRITIS, ISMS, B3S, and ISO 27001
The BSI mandates that KRITIS hospitals deploy and sustain an ISMS that aligns with ISO 27001.
The ISMS follows the Plan-Do-Check-Act cycle on which ISO 27001 is built: plan, implement, monitor and review, improve. It establishes a dedicated governance structure for improving IT security, including central roles such as an information security officer, and a risk analysis to identify vulnerabilities.
KRITIS hospitals need to provide evidence of their risk management program, proof of monitoring, demonstrated compliance, audit management, and the other elements required by the B3S.
These hospitals must have their compliance audited by qualified external auditors and submit the audit results to the BSI at least every two years.
Understanding B3S Standards
The B3S contains 168 requirements for resilient IT and patient care, graded as must (MUSS), should (SOLL), and can (KANN) requirements.
The requirements are grouped into five categories:
- Interoperability: Securing data access across multiple platforms
- Data security: Enabling encryption across all data sources
- Privacy: Meeting all privacy mandates
- Consent Management: Enabling patient consent systems
- Data quality: Sustaining the integrity, confidentiality, and availability of all data
Hospitals in Germany that have already implemented ISO 27001 and an ISMS are the best prepared to meet the BSI and IT-SIG 2.0 requirements.
Key Differences Between KRITIS and B3S
KRITIS is a designation, based on annual case numbers, that obliges a hospital to maintain "state-of-the-art" cybersecurity aligned with BSI directives, including an ISMS aligned with ISO 27001. B3S is the sector-specific standard that spells out the concrete requirements a hospital implements to comply with those directives.
B3S Impact on Smaller Hospitals
Smaller hospitals not classified under KRITIS faced a deadline of January 1, 2022, when § 75c of the Social Code Book V (SGB V) took effect and introduced IT security obligations for hospitals aligned with the BSI law. From that date, every hospital, regardless of size, must take appropriate organisational and technical measures to keep its IT security at the state of the art; applying the B3S is the recognized way to meet this obligation, so its requirements effectively reach non-KRITIS hospitals as well.
- “Starting in January 2022, small hospitals must introduce electronic patient records (ePA), digital referrals, and e-prescriptions.”
- These changes raise challenges in storing and managing patient data, a common target of cyberattacks; hospitals must implement suitable data-processing systems while following strict data protection requirements.
- KRITIS hospitals must provide evidence of compliance to the BSI; small hospitals have no such requirement under § 75c SGB V or the PDSG.
- “In October 2020, Germany enacted the Patient Data Protection Act (PDSG), which affects all hospitals and refers to IT security.”
Preparing For an Attack Requires a Preventive Mindset
Aligning with the B3S IT security measures matters for compliance because most IT security incidents in hospitals also become data protection breaches: they expose personal health data, whether through a cyberattack or through mishandling of personal data.
- A common failure is an inadequate role and authorization concept for patient data. A hospital in The Hague was fined 460,000 euros because every employee could open patient records without a need-to-know check.
- A Portuguese hospital was fined 400,000 euros in 2018 for the same failure.
- The data protection authority of the German state of Rhineland-Palatinate fined a hospital 105,000 euros for multiple data protection violations related to patient admissions.
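The authorization failure behind the first two fines is easy to show in code. The following is an added illustration for this page, not ForeNova's or any hospital's code: it places the "any logged-in employee may read any chart" check next to a least-privilege check that requires a clinical role and a treatment relationship, allows a logged break-glass exception for emergencies, and writes every decision to an audit trail. The role names, purposes, and sample users and records are constructed for the example; a real system would take them from the hospital's identity provider and hospital information system.

```python
"""Patient-record authorization: the 'every employee may read every chart'
pattern behind the fines above, next to a least-privilege check.

Added illustration, not code from the page, ForeNova, or any hospital.
Roles, purposes and the sample users/records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # constructed role names: physician, nurse, billing, it_admin


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    care_team: frozenset  # user_ids of staff currently treating this patient


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user_id: str
    patient_id: str
    purpose: str
    allowed: bool
    break_glass: bool


CLINICAL_ROLES = {"physician", "nurse"}


def can_read_record_insecure(user: User, record: PatientRecord) -> bool:
    """The pattern the regulators fined: any authenticated employee passes."""
    return user is not None


def can_read_record(user: User, record: PatientRecord, purpose: str,
                    audit_log: list) -> bool:
    """Need-to-know check: clinical role AND treatment relationship.

    'emergency' lets a physician outside the care team open the chart
    (break-glass), but the access is flagged for review. Every decision,
    allowed or denied, is appended to the audit log.
    """
    on_care_team = user.user_id in record.care_team
    clinical = user.role in CLINICAL_ROLES
    break_glass = False

    if clinical and on_care_team:
        allowed = True
    elif user.role == "physician" and purpose == "emergency":
        allowed = True
        break_glass = True
    else:
        # billing, IT admins, and clinicians with no treatment relationship
        allowed = False

    audit_log.append(AuditEntry(
        when=datetime.now(timezone.utc),
        user_id=user.user_id,
        patient_id=record.patient_id,
        purpose=purpose,
        allowed=allowed,
        break_glass=break_glass,
    ))
    return allowed


def break_glass_events(audit_log: list) -> list:
    """Entries a data protection officer should review after the fact."""
    return [e for e in audit_log if e.break_glass]


def demo() -> dict:
    """Runs both checks over constructed sample data; returns the decisions."""
    record = PatientRecord("P-0001", frozenset({"dr-meier"}))
    treating = User("dr-meier", "physician")
    other_doc = User("dr-schulz", "physician")
    billing = User("acct-weber", "billing")
    log = []
    return {
        "insecure_billing": can_read_record_insecure(billing, record),
        "treating_physician": can_read_record(treating, record, "treatment", log),
        "other_physician_routine": can_read_record(other_doc, record, "treatment", log),
        "other_physician_emergency": can_read_record(other_doc, record, "emergency", log),
        "billing": can_read_record(billing, record, "treatment", log),
        "break_glass_count": len(break_glass_events(log)),
        "audit_entries": len(log),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The insecure check is what the Hague and Portuguese hospitals effectively had: authentication stood in for authorization. The hardened check separates the two, and the audit log is what lets a hospital demonstrate to an auditor or data protection authority who opened which record and why, including the break-glass accesses that must be reviewed rather than silently permitted.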
Funding Availability for Hospitals
“From 2019 to 2024, 500 million euros per year—totaling four billion euros—will be allocated to meet KRITIS requirements for large hospitals. Additionally, 4.3 billion euros are available via the Hospital Future Fund for smaller hospitals, with funding applications open until December 2021.”
Operators must invest at least 15 percent of the funds they apply for in IT security improvements.
What is the Importance of IT-SIG 2.0 with German Healthcare Facilities?
IT-SIG 2.0, the German IT Security Act 2.0, is essential for healthcare facilities because it mandates stricter cybersecurity for critical infrastructure, including hospitals. The act aims to protect sensitive patient data and keep medical systems available in the face of cyberattacks that could disrupt patient care and endanger lives, and it compels healthcare facilities to prioritize strong cybersecurity practices for operational resilience.
IT-SIG 2.0 also requires KRITIS hospitals to operate an attack-detection system (Systeme zur Angriffserkennung, mandatory since May 1, 2023) or face considerable fines, and it adds reporting and data protection requirements aligned with the GDPR.
Stricter Compliance Requirements
IT-SIG 2.0 requires hospitals to implement the necessary controls, such as attack-detection systems, or risk significant fines.
Protection of Patient Data
IT-SIG 2.0 enforces strong cybersecurity to protect sensitive patient records from unauthorized access or breaches.
Operational Continuity
The act seeks to ensure IT systems’ resilience against cyberattacks, minimize downtime, and maintain access to patient data in critical healthcare services.
Increased Accountability
Healthcare facilities must show compliance with IT-SIG 2.0 regulations, facing penalties for non-compliance.
Note: Hospitals should use a Security Information and Event Management (SIEM) platform for attack detection, case management, and playbook distribution to meet the IT-SIG 2.0 security operations requirements: continuous monitoring, incident response, and compliance reporting.
The Role of MDR in Assisting Hospitals With KRITIS and B3S Compliance Mandates
KRITIS and non-KRITIS healthcare providers struggling with staffing shortages benefit from a partnership with an MDR provider like ForeNova. MDR helps health providers regardless of size: all of them must monitor their security controls to protect their digital assets, patient information, and employee data.
Here are some essential points regarding the value of MDR and B3S:
- The B3S requires security monitoring of all healthcare-related applications, networks, devices, databases, and portals.
- Healthcare providers covered by IT-SIG 2.0 must ensure that attack detection, security operations, continuous monitoring, and reporting are operational around the clock.
- The B3S requires all hospitals to have incident response plans and processes for handling cybersecurity events, including data breaches.
Conclusion
Ultimately, attacks on healthcare endanger lives and civic society. Minimum IT security standards such as the KRITIS requirements help improve hospital security, and facility operators must follow them to sustain protection against threats. The primary purpose is to keep cyberattacks from disrupting hospital operations.
ForeNova, an EU-based MDR provider, knows the complexities of healthcare compliance. Health providers, including hospitals, face overlapping mandates, redundant security controls, and cost overruns, and they struggle to contain security operations costs while maintaining BSI, IT-SIG 2.0, and KRITIS compliance. A relationship with ForeNova helps hospitals stay current with the continual development of the B3S.