Security Awareness Measures are becoming Mandatory in Healthcare

In March 2024, the legislature created a new regulation on IT security for various stakeholders in the healthcare sector through §§ 390, 391, and 392 SGB V. In addition to general requirements for maintaining IT security, this marks the first explicit mention of awareness-raising measures in law. Consequently, security awareness measures are now legally required in general medical and dental care, as well as in hospitals and for health insurance companies.

For contract practitioners and dentists, § 390 SGB V states:

"The associations of statutory health insurance physicians shall define in a directive the requirements for ensuring IT security in general medical and dental care." (Para. 1)
"The directive [...] shall include in particular [...] measures to raise awareness among employees regarding information security (increasing security awareness)." (Para. 2 No. 2, emphasis added)

Hospitals are subject to explicit regulations on IT security in § 391 SGB V:

"Hospitals are obliged to take appropriate organisational and technical measures, in accordance with the state of the art, to prevent disruptions to the availability, integrity, and confidentiality of their information technology systems, components, or processes that are relevant to the functionality of the respective hospital and the need to protect the patient information processed." (Para. 1)
"Precautions in accordance with paragraph 1 are also mandatory measures to increase the security awareness of employees." (Para. 2, emphasis added)

Explicit obligations also arise for statutory health insurance companies from § 392 SGB V. Here,

"suitable measures to increase cybersecurity awareness" (Para. 4 No. 1)

are required.

What should be done now?

From a data protection perspective, health data is a special category of data and particularly worthy of protection. Therefore, the newly imposed legal obligation for increased IT security in the interest of patients is welcome.

The stakeholders and institutions named above should now, at the latest, address a training strategy for increasing security awareness, as well as how such training is organised and how participation is documented to meet accountability obligations.

We have outlined some of the points that need to be considered in our article Handling Mandatory Training Courses from a Compliance Perspective.

Please feel free to contact us, and we will plan the necessary steps together with you. With our Learning Management System (LMS), you can efficiently deliver mandatory training via eLearning to a large number of employees, and organise and maintain it centrally. In the present context, the following eLearning courses from our portfolio are particularly suitable:

Through our learning platform, you can import employees' email addresses via an interface, and we have also considered employees without email addresses. The training can thus be delivered to all employees, and our learning platform generates automated training records so that you can meet your accountability obligations.

Furthermore, we are happy to support you with on-site training, penetration tests, vulnerability scans, security audits, or the establishment of an Information Security Management System (ISMS) – for example, according to ISO/IEC 27001 or based on the industry standard B3S. Drawing on over 20 years of experience in data protection and information security as part of the DSN GROUP, we look forward to your inquiry and are happy to develop the right solution for you – smartly, with a sense of proportion, and with a practical focus.