Several successful cyber attacks on hospitals in the recent past illustrate how important IT security is for maintaining regular hospital operations. If hospitals are paralyzed for days or weeks by attacks on their IT infrastructure, this has far-reaching consequences for healthcare in the region, and it is literally a matter of life and death.
It is therefore essential to effectively protect hospital IT systems from damage and threats. Ensuring the availability, integrity and confidentiality of IT systems and the data they contain is a top priority. After all, health data on medical history, medications taken or past treatments is among the most sensitive information of all.
Contents and goals of the KHZG
The Hospital Future Act (Krankenhauszukunftsgesetz, KHZG) formulates clear guidelines regarding IT security. The KHZG is a federal investment program with a volume of up to 4.3 billion euros. While the federal government is contributing three billion euros, the states and hospital operators are contributing 1.3 billion euros.
The aim of the KHZG is for hospitals to invest in modern emergency capacities, digitization and IT security to ensure improved patient care. The German healthcare system is to be digitized as quickly as possible so that challenges such as the Corona pandemic can be met more efficiently in the future.
Improving the IT infrastructure plays a key role in this. The funding program supports projects for the procurement, construction, expansion or development of information technology or communications technology equipment, systems or processes. Hospitals must take appropriate organizational and technical precautions to avoid disruptions in operations and ensure the functionality of IT systems.
15% of funds must go to IT security
When implementing projects approved under the KHZG, hospitals are required to earmark 15% of the funding to improve information security. A digital maturity model determines how far hospitals have progressed on the path toward digitization and is used to review the progress and effectiveness of measures. The next digital maturity evaluation is scheduled for July 2023.
Doing your homework on cyber security
Regarding cyber security, hospitals are well advised to address basic topics such as authentication, authorization and permissions as soon as possible. Revising authorizations on the basis of an overarching authorization concept has a positive impact on IT security. Features such as single sign-on or multi-factor authentication (MFA) additionally increase cyber and data security and can prevent attacks on the IT infrastructure.
The question of which users can access which data is highly relevant in terms of both data protection and cyber security. Identity & Access Management solutions not only help to keep track of existing authorizations, but also offer the possibility of automating a wide range of processes required for user management – for example, the allocation and revocation of authorizations in the event of department changes.
Conclusion: Hospitals must implement measures by 2025
The KHZG provides an important boost to get new or already planned projects off the ground with funding and to increase the level of digitization in the German healthcare system. Hospitals need to act quickly to plan and implement the required measures. If the requirements formulated in the law are not implemented by 2025, there is a threat of fines amounting to 2% of annual hospital revenue – regardless of whether the hospitals have received funding from the KHZG or not.