Healthcare: BSI generally rates IT security level as positive
One area of digitalization of the German healthcare system that is difficult to assess is security in medical practices, according to the BSI.
Experts often give the German healthcare sector a poor report card when it comes to IT security. The German Federal Office for Information Security (BSI) comes to a different conclusion in a recently published assessment for the year 2024: Overall, "the level of information security in the digital healthcare sector can generally be rated as positive". This is despite the fact that "the threat situation for digitalization projects" has increased.
However, the BSI admits that the past year was "challenging" in view of the ongoing digitalization of the healthcare system. For example, the BSI was involved in the development of the security architecture for the electronic patient record (ePA). In doing so, it investigated all reports of possible vulnerabilities, partly together with Gematik, which is responsible for the telematics infrastructure (TI). This led to adjustments in the specifications, for example.
At the annual congress of the Chaos Computer Club (CCC) last December, security researchers pointed out various security flaws in the electronic patient record (ePA). However, these have not been taken into account in this report.
Diversity of IT solutions in practices is not a disadvantage
According to the report, the security of traditional medical products is "at a consistently high level", even though an investigation of hospital information systems has identified problems in this area. According to the Bonn authority, one area that is difficult to assess is the security of the almost 140,000 medical practices in Germany. This is due to the wide heterogeneity of IT equipment and the lack of standardized reporting channels for security incidents.
The fact that practices do not procure standardized hardware and software is, in principle, an advantage for IT security, the authors note. Vulnerabilities that are discovered are therefore hardly transferable from one practice to another. At the same time, however, this motley mix of IT systems requires "a broad understanding of IT security technology in the respective medical practice".
After examining medical facilities and conducting a survey among medical professionals, the BSI came to the conclusion "that the key to successfully establishing information security in outpatient care is not so much technical equipment as information".
Communicating basic security mechanisms to support secure day-to-day digital practice with the involvement of local service providers will be "a task for the coming years". The Office wants to continue to contribute its expertise in prevention, detection and response together with the supervisory authorities, manufacturers, service providers and practice staff.
(wpl)