Contract medical care: New IT security guideline published
Smaller medical practices are also increasingly exposed to cyber threats. A more specific IT security guideline is intended to provide a remedy.

- Tilmann Dittrich
- Christian Heinelt
Healthcare facilities are increasingly exposed to cyber threats. This no longer affects only hospitals, but also smaller outpatient service providers and even local GP practices. The legislator recognized this in 2019 and, with the Digital Care Act, introduced a provision on "IT security in contract medical and dental care", which can now be found in Section 390 SGB V (Fifth Social Code). It obliges the National Associations of Statutory Health Insurance Physicians and Dentists (KBV and KZBV) to specify the requirements for ensuring IT security in a guideline. The KBV has now updated its guideline, with effect from April 1, 2025.
Status of the guidelines
The first KBV and KZBV guidelines were published in 2020. The legally prescribed revision cycle of two years has not been observed so far: the revised KBV guideline was published only on April 1, 2025, although large parts of it apply from the following day. For the newly added requirements the guideline grants a preparation period; affected practices have until October 1, 2025, to implement them. A revised KZBV guideline is also expected soon.
The KBV guideline contains a total of five annexes with extensive, detailed requirements intended to reflect the state of the art in IT security. However, only a few service providers have to comply with all of them; which annexes apply to a given practice depends on its size. All service providers must comply with the basic requirements in Annex 1 and the requirements for the telematics infrastructure in Annex 5. The remaining annexes additionally apply to medium-sized and large practices and to practices operating large medical devices.
Focus on the “human” security factor
The new KBV guideline places a stronger focus on the "human" security factor. Regardless of their size, practices should take targeted measures to make their employees aware of IT security risks and thus raise "security awareness". The guideline places responsibility for this on the practice management, which is required to promote awareness of security issues and also acts as a role model: the practice management must support all training measures and security campaigns.
The new KBV guideline also attaches particular importance to the development of IT skills. Employees and external users must be instructed in the secure use of IT components and made aware of the associated risks. Employees should also be trained in information security matters relating to their own tasks and responsibilities. In addition, it is recommended that the management level itself acquires the specialist knowledge needed to fulfil its duties, for example through training; the guideline does not, however, make this an obligation.
The new KBV guideline also tightens the security requirements in personnel management. These range from the structured onboarding of new employees to the handling of employees who leave the practice. Practices should pay particular attention to these requirements in order to counter the threat posed by former or departing employees, who can cause serious damage because of their access rights and IT knowledge.
Security when using the cloud in the healthcare sector
Finally, cloud computing has also found its way into the KBV guideline. A clarifying provision has been added that takes account of the fact that, since the Digital Act 2024, health and social data may be processed in the cloud only subject to special security requirements. Practices may therefore only use cloud services from providers that hold a so-called C5 attestation, i.e. a successful audit against the Cloud Computing Compliance Criteria Catalogue (C5) of the Federal Office for Information Security (BSI). Where a cloud service does not (yet) hold such an attestation, the recently enacted C5 Equivalence Regulation must be observed.
No law without a sanction
The provision on the KBV guideline in SGB V does not itself provide for any consequences for practices that fail to implement IT security adequately. Nevertheless, disregarding IT security is not without risk. In addition to the threat of cyberattacks, practices that do not comply with the guideline run the risk of sanctions under data protection law. This is because, according to its preamble, the guideline is intended to define the "state of the art" of data security under the General Data Protection Regulation (GDPR) for medical practices. This interpretation is remarkable, as it cannot be clearly derived from the statutory text itself or from the legislative materials. Anyone who fails to implement the data security requirements could therefore come under the scrutiny of the data protection supervisory authorities and face a considerable fine.
Medical practices are also bound by professional confidentiality. If a cyberattack leads to a leak of patient data, this can result in fines as well as claims for damages. In the worst case, where patients are harmed, even criminal prosecution cannot be ruled out.
Note: The authors Dr. Tilmann Dittrich, LL.M. (Medical Law) and Christian Heinelt are lawyers at the law firm Wessing & Partner Rechtsanwälte mbB in Düsseldorf, which specializes in IT and medical criminal law.
(dahe)