
KRITIS: The data exchange challenge for the health care sector

With advancing digitalization, information technology has made its way into our everyday lives. The linking of data and the networking of technical devices open up unique possibilities for using computer systems.

The Internet of Things and Industry 4.0 show the enormous development behind the digital change. It should not be forgotten, however, that all these innovations are accompanied by an immense increase in security risks. The increasing networking of IT components and the resulting dependencies make the systems in use more vulnerable. This is particularly “critical” for the companies that play a major role for the common good.

The term “Critical Infrastructures” (KRITIS for short) covers organizations or institutions that are of major importance for the community. If they fail or are impaired, long-lasting supply bottlenecks, considerable disruptions to public safety or other dramatic consequences are to be expected. These organizations are therefore subject to special protection that requires appropriate security measures.

Appointment of a contact point / functional mailbox

In general, KRITIS operators must designate a contact point within six months of the BSI-KritisV taking effect. It must be a functional mailbox that is reachable 24/7.

Proof of appropriate IT security measures

Every two years, affected hospitals must provide proof of appropriate information security measures.

Implementation of the technical standards

At the latest two years after the regulation (i.e. the BSI-KritisV) takes effect, “reasonable precautions to avoid disturbances of information technology systems, components and processes” must be taken in accordance with the “state of the art” and proven to the BSI.

Reporting of IT malfunctions

If a reportable IT malfunction occurs, it must be reported to the BSI immediately.

Recommendation for implementation:
State of the art – Data exchange / File Service

In order to prove “reasonable precautions to avoid disturbances of information technology systems, components and processes” according to the “state of the art”, we recommend considering the following:

With regard to the software used, it is helpful to choose a solution “Made & Hosted in Germany”. German providers are subject to the strict German data protection laws and at the same time ensure that the solution also complies with the EU GDPR. Corresponding certifications and awards, such as ISO 27001, further underscore conformity.

Encryption also plays an important role. Only client-side data encryption ensures that the data is already encrypted on the end device, so that not even the manufacturer / provider is able to access the stored information. It is also important - not only for the EU GDPR - that authorized persons can check at any time which data was processed, when and by whom. This is the only way to detect and prevent uncontrolled outflows of data. A fine-grained permission system additionally regulates clearly who may access and process which data.

However, it becomes extremely difficult for KRITIS organizations in the healthcare sector when a so-called ransomware attack occurs: if a malicious program penetrates the internal network, this promptly leads to malfunctions in IT systems. The protection mechanisms of computer networks must be designed so that a successful attack on a single system does not immediately affect the entire network. Ideally, the software used should have ransomware protection that allows damaged data to be restored promptly – preferably without having to pay the “ransom”.

In general, operators or their associations can specify in “sector-specific security standards” (B3S) how the “state of the art” requirements can be met. Such a B3S may be submitted to the BSI, which determines whether it is suitable. There is no legal obligation to prepare a B3S. Preparing one is, however, an opportunity for the industries to formulate their own “state of the art” specifications based on their own expertise. In addition, it gives legal certainty to operators who have themselves audited against such a recognized B3S, since the “state of the art” it defines is what is required and checked during an audit.

Request your whitepaper including checklist!

Is your hospital affected by KRITIS?
What consequences does KRITIS entail for your hospital?
How well are your measures aligned with KRITIS?

In this whitepaper we describe clearly when a hospital is affected by KRITIS, what the challenges are and how to address them.

In addition, you can use our checklist to find out whether you are storing your data in a KRITIS-compliant manner.


Test DRACOON now

Save, share and manage your files in a GDPR-compliant manner for 14 days for free!
