Consultants: Germany's hurdles for cloud use in healthcare are too high
Health data from Germany may only be processed in the cloud in Germany, the EU, or one of the 15 third countries covered by an EU adequacy decision. According to critics, this special approach is not GDPR-compliant.
Gunnar Sachs, partner at the law firm Clifford Chance, has sharply criticized the requirements for cloud use in the healthcare sector as an innovation-inhibiting special path that is incompatible with EU law. Any maintenance access by a third-party company, even a purely theoretical one, for example from traditional outsourcing countries such as India or China, is thereby prevented, the legal advisor criticized on Wednesday at a symposium of the industry association Bitkom in Berlin. Even the General Data Protection Regulation (GDPR), which is already reviled globally as completely over-regulated, is significantly more liberal.
Because Germany is deviating from EU standards in this way, Sachs argued, a "German nationalization of the system" is threatening in addition to a violation of the law. This applies particularly to the cloud, which is fundamentally designed to transcend national borders, and would hinder innovation in the healthcare sector. The violation of the GDPR that he identified would also mean that the national rules are inapplicable. An entrepreneur could therefore say "I don't care about the German approach" and conclude a contractual agreement with a Chinese partner, for example. However, such a case would certainly go all the way to the European Court of Justice (ECJ).
The bone of contention is the comparatively recent Section 393 of the German Social Code (SGB) V. It states that social and health data may only be processed via a cloud computing service in Germany, in the EU, or in a third country for which an adequacy decision has been issued under the GDPR. For such a decision, the EU Commission must determine that the country offers a level of data protection "essentially equivalent" to that in the EU. This currently applies to 15 countries, including the USA under the EU-US Data Privacy Framework (the successor to the Privacy Shield overturned by the ECJ), Argentina, the UK, Japan, Canada, New Zealand, South Korea, and Switzerland.
Similar “disaster” with apps on prescription
Section 393 SGB V further requires that the data processing body have a branch in Germany, i.e., that it name a responsible contact person in this country. This is also incompatible with "full EU harmonization", Sachs criticized. In general, the GDPR permits data processing and access from third countries if the client contractually stipulates an equivalent level of protection abroad by means of standard contractual clauses. Binding Corporate Rules (BCR), under which corporate groups commit all branches and subsidiaries to rules comparable to the GDPR, are also recognized. The ECJ expressly confirmed these two instruments as alternatives even after striking down the Privacy Shield.
National legislators in EU countries may only deviate from regulations such as the GDPR "under the strictest conditions", the lawyer explained. Such a deviation must, for example, be based on important reasons of public interest, which in the healthcare sector must be assessed in the same way for all member states. In addition, the Commission must be expressly notified, which the German government has not done.
According to Sachs, a similar legal "disaster" had previously occurred with the German regulation for digital health applications (DiGA). In July 2023, 95 applications for entry in the relevant register at the Federal Institute for Drugs and Medical Devices (BfArM) were withdrawn because of the comparably strict requirements. At the time, the reviewing authority had informed several large applicants that US subsidiaries might be able to access health data and that inclusion in the list was therefore hardly conceivable. There are currently only around 65 DiGAs on the list. Sachs is annoyed: "The thing has gone completely wrong."
C5 certificate also required
"We're talking about sensitive data," countered Thomas Süptitz, Head of the Cybersecurity and Interoperability Unit at the Federal Ministry of Health (BMG). That is why minimum standards must be adhered to. Süptitz clarified that personal health information should only be processed in countries with a similar legal framework. If the data were stored in a cloud service in Ireland, for example, it would have to be contractually guaranteed that no access from India takes place. The legislator does not require data to be processed "in Germany or France" when relying on large providers such as Amazon with AWS, Google, or Microsoft. With these hyperscalers, however, the data must be encrypted or secured through additional agreements and anonymization or pseudonymization techniques.
In addition, Section 393 SGB V stipulates that the data processing body must comply with the Cloud Computing Compliance Criteria Catalogue (C5) of the German Federal Office for Information Security (BSI) and present a corresponding current certificate. An audit report for this comprises between 100 and 300 pages, explained Immo Regener from the auditing firm PwC. The cloud operator must first create a system description covering the architecture, sub-service providers, and processes, including the security controls in place. Then it must prepare for the actual audit.
If only a C5 Type 1 certificate is required, which according to the law is sufficient until June 30, 2025, a point-in-time audit is carried out, according to Regener. At best, this confirms that the control system is suitably designed as of that date. For the Type 2 certificate, which must be presented from the middle of the year, an observation period of several months is defined, and sample-based checks are carried out to test whether the controls actually operate effectively over that period. In the future, the EU cloud security certification scheme (EUCS) is on the horizon, which will increase the number of certifying bodies but also raise the level of security further. However, the controls will continue to be tested according to the Type 1 and Type 2 models.
Hyperscalers get into position
According to Süptitz, the BMG has launched a C5 equivalence regulation. The aim is to clarify which alternatives to the cloud criteria catalogue are acceptable and under what conditions. Many comments on the draft stated that the switch to the Type 2 certificate could not be achieved by July. The BMG is therefore now discussing with the BSI which alternatives and deadlines make sense. In spring, all parties involved should be ready with an updated regulation. Many "community clouds", i.e., infrastructures shared by several companies with a limited number of users, have initiated a C5 audit, since this also has a strong marketing effect.
"We helped create C5," emphasized Peter Moll, healthcare expert at AWS. All services offered by the cloud market leader are GDPR-compliant, with 141 services certified as Type 1 or Type 2. With the AWS European Sovereign Cloud, which is to consist of at least three data centers in a separate region at undisclosed locations in Brandenburg, a "fully sovereign cloud" is approaching. A Luxembourg or German company is expected to be the operator from the fourth quarter.
(olb)