Press releases


IT Security in Hospitals | Overview and Outlook

According to the BSI report on the State of IT Security in Germany 2019, the number of reported IT security incidents in the reporting period from June 1, 2018 to May 31, 2019 for the KRITIS Sector Health is in third place in purely quantitative terms, with 47 reported IT security incidents. Most reported security incidents originate from the finance sector (60 cases), followed by IT+TK (59 cases).

IT Security Krankenhaus

And in the overall ranking of the Bertelsmann Stiftung's Digital Health Index, digitization in the healthcare sector in Germany is comparatively far behind in Group 4 of 4, in 16th place out of 17. One reason for this may certainly be the higher data protection regulations in this country, but there is also no uniform nationwide standard in Germany for certified IT security solutions and medical devices. There are many in Germany.

Nevertheless, we will have to deal with a large number of networked medical devices in the future. Respirators, defibrillators and pacemakers are already "smart" and able to collect and "communicate" data. In other words, to exchange data. This is traditionally done via interfaces and IT security is required for each of these interfaces. The number of these interfaces in the health sector is constantly increasing.

Companies in the healthcare industry that have reached or are close to reaching the CRITIS threshold are recommended to implement the industry-specific security standards, also known as B3S. According to the IT security law, those companies are considered Critical Infrastructure Protection (CIP) are obliged to provide special protection. The German Hospital Federation (DKG) has presented the B3S for this purpose, which applies to hospitals with a full inpatient case number of 30,000 or more per year. It aims to guarantee medical patient care, which includes IT as a fundamental part of this.

Important precautions that hospitals should take in the area of IT security - regardless of bed sizes and inpatient case numbers:

Network security

Firewalls in permanent use, securing wireless networks, encryption of external communication, network access controls, port management

Endpoint Security

Programs for detecting viruses and malware should be part of the basic equipment. In addition: measures for identifying unauthorized removable media and hard disk encryption

Protection of mobile devices

Securing WLAN connections, professional device, user and password management

Web security

Secure surfing, separation of intranet and internet, protection against harmful mail attachments, checking of potentially harmful attachments from office applications

Data security

Encryption and decentralized backup of databases

Protection of data and systems

Smartcards, two-factor authentication

General IT security recommendations for hospitals:

  • Separation of medical and non-medical networks
  • Increase interface security, especially in the HIS area
  • Separation of applications from the rest of the system
  • Secure connections to HIS and other systems
  • Secure, encrypted telematics infrastructure (secure electronic signatures, authentication, networking of various players) for the secure transmission of patient data between hospitals and registered doctors and therapists.


  • Networking - Hospitals network with the other sectors via the telematics infrastructure. Secure communication across sector boundaries
  • NFDM (emergency data management) and eMP (electronic medication plan) - Medical applications of the telematics infrastructure arrive in the area
  • Emergency data (for emergencies and unknown patients) and electronic medication plan
  • ePA (electronic patient file) - Health insurance companies are obliged to offer their insured persons an electronic patient file from 1.1.2021 onwards. Insured persons in turn grant service providers access to their data - including hospital data
  • DiGA (Digital Health Applications) - Could be "prescribed” to patients


Critical Infrastructure Protection thresholds Health

  • 30,000 patients per year in the area of inpatient medical care
  • 90.68 million Euro annual turnover for production facilities of directly life-sustaining medical devices
  • 4.65 million packages per year for production facilities for prescription drugs and blood and plasma concentrates for use in or on the human body
  • 34,000 products per year for equipment and systems for the collection and processing of blood donations
  • 1.5 million transmitted orders/ findings per year in laboratory diagnostics

Request information

Do you have questions or need additional information? Simply fill out this form and we will get right back to you.

Marketing permission

Your request has been sent successfully. We will contact you shortly.
An error is occurred, please try it again later.