Electronic Health Record Data Protection with MDR

Enabled by the Appointment Service and Supply Act of 2019, this mandate required all German health insurance funds to migrate to an electronic health record (EHR) system. EHR systems extend access to policyholders, who can establish access to their own records and update the information without notifying the insurance provider.

Protecting EHRs with seamless integration is a highly complex process. Compared to most other countries in the European Union (EU) and the rest of the world, the German health system’s rollout of EHRs faces many headwinds surrounding legal issues, challenges with telematics, and compliance and regulatory mandates.

Securing the data falls upon the health insurance companies only if the record is an EHR. Most Germans are covered by the public health system, and fewer than 10% have private insurance. Connections between the various digital health providers and the EHR holder continue to be a work in progress.

EHRs are still optional. Some people choose instead to maintain their own personal health record, or PHR.

Securing an EHR or a PHR still requires the insurance funds to deploy a cross-section of cybersecurity controls that address EU and global compliance regulations, cybersecurity threats, and security gaps. Insurance firms struggling to hire and keep security operations talent should consider a managed detection and response (MDR) offering from security providers like ForeNova.

Overview of Electronic Health Records for Germany

Germany’s progression into the world of EHRs for the healthcare sector remains a work in progress. In 2023, there were fewer than 600,000 EHRs in the country. Part of the challenge with the EHR rollout had to do with patients’ rights to decide where their data is stored and who has access to it.

The challenge continues with the ability of EHR systems to extend granular access to the medical record based on criteria set by the data owner. The lack of such granularity created negativity towards the initiative.

Many also criticized EHR for the lack of technical standards regarding stability within critical infrastructure, interoperation with other systems, and the ability to support cross-border collaboration with other EU members.

The Federal Ministry of Health found that one challenge within the digital transformation strategy for EHR was too much focus on technology and too little on understanding the consumers of the solution. As part of the enrollment process, patients were required to grant consent without clearly understanding the entire process. During the rollout of EHR, the health insurance providers offered no incentives to patients who did not trust EHR solutions, resulting in very low enrollment, especially among people who struggle to grasp the security-related questions.

Another issue that raised concerns among many in the German healthcare industry was the lack of public information provided to the patients surrounding how EHRs work and security protection.

Lack of interoperability, low patient turnout, and confusion about cross-border collaboration all resulted in the entire EHR ecosystem becoming a target for hackers.

What Regulations Govern EHR In Germany?

“The German healthcare system has three levels: legal framework, self-administration, and individual players. Federal, state, and local governments manage the legal framework, with the Federal Ministry of Health overseeing health policy at the federal level.”

Multiple laws establish the digital framework for Germany’s healthcare system, specifically for EHR implementation and healthcare data usage. “The General Data Protection Regulation (GDPR) and Federal Data Protection Act (BDSG) also apply.” The E-Health Act, effective 29 December 2015, lays the foundation for digitalization in this sector.

Compliance with GDPR in EHR Management in Germany

GDPR plays a significant role regarding data ownership and protection for all citizens in Germany. People, not the Federal Ministry, own their data, and by law, they are the ones who extend permission for access.

Germany’s Federal Parliament, the Bundestag, enacted the Patient Data Protection Act (PSDG), which applies to all healthcare institutions—hospitals, doctors, insurers, and pharmacies—using the telematics infrastructure for patient data processing, regardless of organizational size.

Germany’s Federal Commissioner for Data Protection has warned health insurers that PSDG compliance doesn’t exempt them from GDPR. The Federal Health Ministry will ensure that German citizens retain their rights regarding health records under GDPR.

What is OpenEHR in Germany?

In Germany, OpenEHR is an open-standard platform for managing electronic health records (EHRs). It facilitates seamless data exchange among healthcare providers through standardized clinical models. This vendor-neutral approach enhances data interoperability and patient-centric care, which is vital to the country’s digital health infrastructure development.

  • OpenEHR’s goal is to better assist German health insurance providers in rolling out EHRs, leveraging more open-source functions to improve the interoperability between platforms and providers and help promote better cross-border collaboration.
  • OpenEHR employs a dual model approach for Hospital Information Systems, ensuring semantic interoperability and providing a holistic solution for Electronic Healthcare Record systems.
  • “OpenEHR incorporates elements of interoperable, secure EHR software, and its proponents advocate it as the optimal approach for developing hospital information systems.”

There are 50 GDPR requirements and 8 OpenEHR design principles. OpenEHR principles meet 30% (15/50) of GDPR requirements and align with GDPR standards.

Top Security Challenges Protecting EHR in Germany?

Top cybersecurity challenges protecting EHR in Germany include ransomware, phishing, insider threats, data breaches, medical device vulnerabilities, legacy systems, complex data sharing, and healthcare professional awareness. GDPR and other compliance help reduce the risk of cybersecurity attacks against EHR by requiring extensive protection layers, consent, and continuous monitoring.

Fake authorizations between the data owner and the healthcare provider in Germany continue to be a concern. Even with PIN codes enabled, fake authorizations continue to cause unforeseen data breaches.

Top EHR Breach in Europe in 2024?

Cybercriminals target healthcare records for the vast personal data they hold, including protected health information, full names, birth dates, and home addresses.

Hackers can easily commit identity theft by accessing healthcare providers’ information and selling it because of its high value. Many healthcare organizations need to switch to digital records more quickly; although many have already made the switch, some still use old technology and have weak cybersecurity.

Hospital Simone Veil in Cannes, France, 2024

Simone Veil, a regional hospital, manages 150,000 outpatients and 50,000 emergencies annually. Most services continued during the incident, but communication and data handling relied on outdated manual methods. The incident was initially suspected to be a ransomware attack, but confirmation took weeks. On April 30, the hospital revealed that the LockBit 3.0 group was behind the extortion attempt.

Hospital Simone Veil declined to pay.

Who Manages Telematics Infrastructure in Germany?

Telematics infrastructure (TI) and healthcare systems must guard against external threats and internal negligence. They must deploy and maintain cybersecurity measures like firewalls, antivirus software, and strong passwords. This mandate also includes preventing the unnecessary local storage of sensitive data and avoiding sharing through unauthorized channels like email or file sharing.

Specifically to EHR, the Federal Ministry of Health owns 51% of TI provider Gematik, which manages the telematics infrastructure, electronic health card, specialized applications, and an interoperability directory while overseeing data security.

Gematik GmbH coordinates its TI applications with the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the BSI, following the German Social Security Code (SGB).

The Role of MDR in Protecting EHRs

Because of the cybersecurity talent gap, many organizations seek help to hire and keep skilled professionals. Managing today’s complex cyber threats often requires expertise that is not readily available in-house, and this lack of talent has led many businesses to outsource security functions.

Many MDR services tackle cybersecurity challenges. MDR provides external teams with specialized expertise, serving as an outsourced Security Operations Center (SOC). This solution enables organizations to leverage expert security operations without the costs and complexities of developing an internal team. It’s a strategic choice that meets today’s IT security needs, where agility and specialized skills are crucial against advanced threats.

TI providers, healthcare insurance funds, and medical providers in Germany continue to face resource shortages, overlapping and complex compliance mandates, and continuous alterations to the existing German regulatory mandates and new compliance frameworks coming in the current year.

MDR service engagements create opportunities to assist TI providers and health providers with various offerings that align with their business, compliance, and security operations needs:

  • 24/7 continuous monitoring
  • Automated detection and incident response
  • Firewall deployment, management, and future-proofing
  • Endpoint security management
  • Compliance reporting
  • Access to Threat Intelligence

Beyond creating the various service offerings, ForeNova’s most important attribute is its people. The company takes pride in staffing experienced security operations engineers to support the complex world of the German healthcare system.

ForeNova also provides world-class cybersecurity integration advisory services combined with technical offerings. Healthcare and tech companies that still use old technology and methods can use ForeNova’s consulting team to improve their cybersecurity, helping them move from reacting to problems to preventing them.

Why ForeNova?

One key element that separates one MDR provider from another is experience. MDR providers that support every vertical market tend toward a one-size-fits-all model. ForeNova’s ability to tailor each MDR engagement explicitly to a client’s needs sets it apart.

Want to see a demo of this incredible MDR offering? Click here to schedule a session with the ForeNova engineering team today!
