Statutory health insurance doctors start IT security campaign for practices
The National Association of Statutory Health Insurance Physicians is launching an information campaign at the beginning of July to ensure greater IT security.
The National Association of Statutory Health Insurance Physicians (KBV) wants to ensure greater IT security in medical practices and is therefore launching an information offensive at the beginning of July. Regular information and training courses on protection against cybercrime are intended to help. According to the KBV, the topics range from dealing with phishing emails, "secure passwords, virus protection, software updates and using a cloud to basic protection for practice IT or what to do in the event of a security incident". Practices need to be made more aware of IT security, especially considering the connection to the telematics infrastructure (TI), which is intended for the secure exchange of health data.
More training for cybersecurity
To improve IT security, the KBV recently updated its IT security guideline, which now also provides for increased security awareness in medical practices. "We are legally obliged to set out requirements for ensuring IT security in practices in a guideline and to update these regularly," said Steiner.
"The threat to IT security is growing worldwide. Medical and psychotherapeutic practices are also affected by this and must protect their IT against unauthorized access," said KBV board member Dr. Sibylle Steiner. The "IT Security" booklet (PDF) is intended to provide a compact introduction, but there is also further information and sample documents – such as an example of a confidentiality agreement for employees and external service providers.
Nursing demands IT security and user-friendly TI products
The German Nursing Council (DPR) is also calling for "clear legal requirements" for IT security in the care sector. Due to increasing cyberattacks and growing digitalization, it also sees an urgent need for action to better protect care facilities from attacks. "Even outside the KRITIS categories, players in the healthcare sector, including care facilities, are increasingly being targeted – by ransomware, DDoS attacks (Distributed Denial of Service) or social engineering, for example," the paper states.
"With the planned connection of care facilities to the telematics infrastructure and thus a higher degree of IT penetration, it is all the more important to define industry-specific security standards [...] for 'nursing care'." According to the DPR, IT manufacturers must also be obliged to meet certified security standards. With the implementation of the EU NIS2 Directive and the Cyber Resilience Act, the market for IT solutions will be restructured and streamlined.
IT security should not be left to chance
"The care sector needs binding and industry-specific IT security standards. It can no longer be left to chance how well care facilities are protected against cyberattacks," said Thomas Meißner, Head of the DPR Expert Commission "Digitalization in Care". According to the DPR, the requirements should be enshrined in law in the Health Data Usage Act (GDNG) and the Digital Care and Nursing Modernization Act (DVPMG).
In addition, the care sector itself wants to define what is considered state of the art. "Care facilities need practical, safe products [...]. This also helps to streamline the market, as inferior or unsafe products are permanently excluded". At least in doctors' surgeries and hospitals, there is regular criticism about the lack of user-friendliness of the applications. Soon, nursing care will also have to be connected to the telematics infrastructure, but so far, it does not look as if the requirements will be met by the beginning of July.
(mack)