Digital Health: "Most people don't realize how existential IT security is"

When digital processes in healthcare fail, insecure workarounds and constant stress are the result. In an interview, an expert explains what's going wrong.


For real progress in the digitalization of healthcare, IT security must become a central component – yet despite billions in investment, practice often sees frustration instead of progress. The statement on NIS 2 implementation by the Association of Hospital IT clarifies that central obligations also apply to hospitals, medical supply centers (Medizinische Versorgungszentren, MVZ), and rehabilitation facilities. These include, for example, risk analyses, maintenance, and restoration of IT systems, backup management, multi-factor authentication, secure communication, and training. Practically all hospitals are affected by the rules.

Reporting obligations to the Federal Office for Information Security, regular audits, and management training increase the pressure. However, they also create the foundation for solid cyber resilience, as explained by Lars Forchheim, IT manager at Städtisches Klinikum Dresden, and Jürgen Flemming from the KH-IT association. They also point to support services such as the Industry-Specific Security Standard "Medical Care" (PDF) from the German Hospital Association and the IT security services of the National Association of Statutory Health Insurance Physicians, and to practical examples such as the Smart Hospitals project at the University of the Bundeswehr Munich, which provide useful guidance.

Prof. Andreas Becker has been involved with the healthcare system since 1991, initially as a doctor in the clinic, later in hospital management and also as an expert witness. He currently advises and trains in the field of hospital IT.


From the perspective of Andreas Becker, a hospital consultant and risk management expert with many years of experience in hospitals and practices, it's about more than just technology – it's about real processes, security culture, and clear responsibilities. In an interview, he explains why technology alone doesn't solve problems, where the biggest security risks lie, and what causes constant stress.

heise online: You've been to many hospitals and specialized departments. What's working in terms of digitalization – and what isn't?

Becker: The differences are enormous. In radiology or radiotherapy, much is at a high technical level. But as soon as you go to the ward, it gets complicated: too many clicks, too many systems, too little time. Many employees develop workarounds that are not formally permitted – and that is dangerous.

What's the biggest bottleneck?

The process. In many hospitals, the focus is first on software, rather than on what the process should achieve. Old structures are digitized without being reviewed. The result is often more effort instead of simplification – and that's exactly what frustrates people.


How big is this frustration?

Quite big. When someone says: "I need ten clicks to find a document," something is wrong. Digitalization must not be an additional burden. And if doctors pass on their credentials because the login takes too long, it's also clear: the system doesn't fit everyday life.

With the NIS 2 Implementation Act, managing directors are now held more personally liable. Has this reached the executive floors yet?

Yes, attention has increased. Most people now know that cybersecurity is a top management issue. But uncertainty remains because politicians constantly change the rules – subsidies today, austerity tomorrow. No one can plan like this. Smaller facilities in particular are under constant stress.

The Telematics Infrastructure (TI) is currently not considered "critical infrastructure." How do you assess that?

Legally speaking, that is utterly incomprehensible. If hospitals are critical, then central systems that transmit or store patient data must be even more so. End-to-end encryption helps little if the target system is inadequately secured.

How do you find the right priorities despite this situation?

Through risk assessment, not gut feeling. Not every system needs the most expensive firewall. What matters is what happens if something fails. I need to know which processes I can replace and for how long – and what impact that would have on care.
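One way to make that risk-based ordering concrete, added here as an illustration and not part of the interview or of any named institution's method: each system is described by what its failure does to care or finances, how long a manual workaround (paper, phone, fax) bridges the outage, and how long restoring it realistically takes. The scoring rule, the inventory and every figure below are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClinicalSystem:
    name: str
    impact: int            # 1 (nuisance) .. 5 (patient safety or the facility's finances at stake)
    fallback_hours: float  # how long a manual workaround carries the process; 0 = no workaround
    recovery_hours: float  # realistic time to restore the system from backups


def uncovered_hours(s: ClinicalSystem) -> float:
    """Outage time that no workaround covers: the window in which care or billing actually suffers."""
    return max(0.0, s.recovery_hours - s.fallback_hours)


def prioritize(systems):
    """Systems whose workaround outlasts recovery need no extra spend (assumed rule);
    the remaining ones are ranked by impact first, then by uncovered outage time."""
    exposed = [s for s in systems if uncovered_hours(s) > 0]
    return sorted(exposed, key=lambda s: (s.impact, uncovered_hours(s)), reverse=True)


# Constructed sample inventory (hypothetical values, not from any real hospital)
INVENTORY = [
    ClinicalSystem("Ward documentation (HIS)", 5, fallback_hours=48, recovery_hours=36),
    ClinicalSystem("Lab results interface", 5, fallback_hours=8, recovery_hours=12),
    ClinicalSystem("PACS / radiology archive", 4, fallback_hours=4, recovery_hours=24),
    ClinicalSystem("Billing / DRG coding", 3, fallback_hours=0, recovery_hours=72),
    ClinicalSystem("Cafeteria menu site", 1, fallback_hours=0, recovery_hours=120),
]

if __name__ == "__main__":
    # The HIS drops out: paper charts bridge the outage longer than restoring it takes.
    for s in prioritize(INVENTORY):
        print(f"{s.name:28} impact={s.impact} uncovered={uncovered_hours(s):5.1f} h")
```

The uncovered hours also say by how much a system's restore time must shrink, or its workaround must be extended, before it drops off the list.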

Smaller clinics in particular often seek external help. Is their uncertainty being exploited?

There are certainly providers who exaggerate – that's like in any industry. Typically, however, the problem is more helplessness on the hospital's side. If you don't have time for a thorough selection, you are susceptible to grand promises. Structured selection processes, preferably with independent support, are advisable.

And doctors' practices?

They are even less prepared. I repeatedly see login details on post-its there. Many completely underestimate the threat. If patient data is encrypted and billing is no longer possible, the practice is economically finished. Most people simply don't realize how existential IT security is.

How can this awareness be strengthened?

With realistic scenarios and short, concrete training. Nobody wants to hear abstract security guidelines. But if you show what happens in an emergency – how to react, who has to do what and when – then it clicks. This applies to hospitals as well as to practices.

What needs to change in healthcare?

Continuity. The biggest progress would be if we had a legislative period without new digital reforms. Hospitals need planning security; then digitalization will also work.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.