This law introduces, among other things, the new Section 393 of the SGB V, which sets specific requirements for the processing of health and social data by cloud service providers. The legislator aims to explicitly allow the processing of health and social data in the cloud while simultaneously increasing IT security requirements. In the following article, we have summarized the most important changes for you.
What is the legal text of the new Section 393 SGB V?
Section 393 Cloud use in the healthcare sector
(1) Service providers within the meaning of Chapter Four and health and long-term care insurance funds and their respective contract data processors may also process social data and health data by means of the cloud computing service, provided that the requirements of paragraphs 2 to 4 are met.
(2) The processing of social and health data by means of the cloud computing service may only
- domestic,
- in a member state of the European Union or
- in a country treated as equivalent to this pursuant to Section 35 (7) of Book I or, if an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 exists, in a third country
and if the data processing body has an establishment in Germany.
(3) Processing in accordance with paragraph 1 is only permitted if, in addition to the requirements of paragraph 2
- appropriate technical and organizational measures have been taken in accordance with the state of the art to ensure information security,
- a current C5 test certificate from the data processing body with regard to the C5 basic criteria for the cloud systems and technology used as part of the cloud computing service is available and
- the corresponding criteria for customers contained in the test report of the test certificate are implemented.
(4) Until June 30, 2025, a C5 type 1 certificate shall be deemed to be a current C5 certificate within the meaning of paragraph 3 number 2. From July 1, 2025, a current C5 type 2 certificate shall be deemed to be a current C5 certificate within the meaning of paragraph 3 number 2. Processing pursuant to paragraph 3 number 2 shall also be permitted if, instead of a current C5 certificate, the cloud systems and cloud technology used as part of the cloud computing service have a certificate or certificate in accordance with a standard whose compliance ensures a comparable or higher level of security than the C5 standard. The Federal Ministry of Health is authorized to determine by statutory order without the consent of the Bundesrat, in agreement with the Federal Office for Information Security, which standards meet the requirements pursuant to sentence 3.
(...)
What will change compared to the previous legal situation under the GDPR?
To date, the GDPR has generally permitted the processing of health data in the cloud. However, on the one hand, numerous individual laws apply in addition to the GDPR and, on the other, differing views have led to massive legal uncertainty in the past. While the GDPR did not in principle prevent the processing of health data in the cloud, data protection authorities often took a critical view of this. [2] [3]
The new Act to Accelerate the Digitalisation of the Healthcare System (DigiG) now provides clarity here by expressly permitting the processing of healthcare data in the cloud.
As a result, however, the requirements for cloud service providers in the healthcare sector have been significantly tightened. They must now present a C5 certificate in order to be authorised to process healthcare data in the cloud on behalf of healthcare providers in accordance with the law.
Who is affected by the new law?
The new regulation in Section 393 SGB V affects healthcare providers and health and long-term care insurances on the one hand and their respective data processors on the other.
Who are healthcare providers?
Healthcare providers within the meaning of the fourth chapter of SGB V are all natural and legal persons and institutions that are authorized to provide statutory health insurance benefits.
These include:
- Doctors, dentists and psychotherapists
- Hospitals
- Prevention and rehabilitation facilities
- Facilities of the Mothers' Convalescent Home
- Service providers of remedies
- Pharmacies and pharmaceutical entrepreneurs
- Providers of domestic help
- Home nursing care
- Sociotherapy
- Socio-medical aftercare measures
- Specialized outpatient palliative care
- Ambulance services
- Midwifery assistance
Who is a processor on behalf of a healthcare provider?
Processors are companies that process health data for their customers as service providers (e.g. doctors, hospitals, rehabilitation facilities). Examples include providers of software-as-a-service for appointment booking systems for doctors, software for digital patient management or IT service providers in the healthcare sector, particulary:
- Hospital information systems (HIS)
- Practice management systems (PVS)
- Electronic patient file (ePA)
- Cloud storage solutions
- Cloud-based picture archiving systems
- Telemedicine and video consultation platforms
- Billing software and management solutions
- E-prescription and e-health platforms
What obligations apply to processors from 01.07.2024?
The change in the law brings with it a number of obligations for processors. In addition to the obligation to take technical and organisational measures (TOMs), special requirements are also placed on the location of data processing and the establishment of the data processor. However, the main regulation is likely to be that processors now require a so-called C5 certificate.
Place of processing and establishment
In accordance with Section 393 (2) SGB V, the processing of social and health data by means of the cloud computing service is only permitted
- in Germany,
- in a member state of the European Union,
- in a country that is treated as a Member State pursuant to Section 35 (7) of Book I, or
- in a third country, provided that an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 has been issued.
The law does not stipulate that a transfer to a third country may be carried out under further conditions (e.g. EU standard contractual clauses and transfer impact assessment). According to the new legal requirements, no health data may be processed in the USA.
In addition, there must be a branch in Germany.
Requirement for C5 Attestation
From July 1, 2024, companies will also be required to obtain a C5 certificate for their cloud systems. This legal requirement aims to ensure compliance with the security requirements of the "Cloud Computing Compliance Criteria Catalogue" (C5), developed by the German Federal Office for Information Security (BSI).
The C5 certificate certifies that the cloud service providers have taken specific technical and organizational measures to ensure the security and protection of the processed health and social data. The C5 criteria include requirements for data protection, information security, the technical security of the infrastructure and the processes and procedures for handling security incidents.
These measures are intended to ensure that the cloud systems meet the high IT security standards that the legislator considers appropriate for the processing of health data.
What is a C5 certificate?
A C5 certificate is based on the "Cloud Computing Compliance Criteria Catalogue" (C5), which was developed by the German Federal Office for Information Security (BSI). This catalog serves as a framework for the security requirements of cloud services and was first published in 2016, with an updated version in 2020. The C5 certificate is a standardized certificate that confirms compliance with specific security criteria by cloud service providers.
Until now, C5 certificates were regularly obtained by hosting providers or infrastructure providers in the cloud. However, the new law now also requires SaaS providers to undergo C5 testing. This leads to an extensive expansion of the organizations that must comply with the C5 requirements.
What is the difference between type 1 and type 2 certificates?
The audits as part of C5 testing can be carried out in the form of an adequacy test (type 1) or an effectiveness test (type 2). In a type 1 audit, the adequacy of the controls of an internal control system (ICS) is assessed at a specific point in time. The auditor checks whether the security controls are appropriately designed and implemented to fulfil the C5 criteria. This form of attestation is particularly relevant for the initial audit of a cloud service, as it represents an initial assessment of the IT security precautions at the time of the audit.
In contrast, the type 2 audit not only includes an assessment of the adequacy of the controls, but also their operational effectiveness over a defined audit period (usually 6 or 12 months). Here, it is checked whether the security controls are not only in place, but also function effectively and continuously. This type of audit provides greater validity with regard to the actual effectiveness of the IT security controls over the entire audit period.
In addition, Section 393 (4) SGB V allows an attestation or certificate according to a standard that ensures an equivalent or higher level of security compared to the C5 standard to be recognised instead of a C5 attestation. Such a standard is not yet available at the present time.
What requirements must be met in order to obtain a C5 test certificate?
In order to obtain a C5 certificate in accordance with the type 1 audit, the cloud service provider must commission a certified auditor to carry out the audit. This audit is based on the catalogue of criteria drawn up by the German Federal Office for Information Security (BSI), which consists of 125 criteria divided into 17 subject areas.
The subject matter of the audit comprises the cloud provider's service-related internal control system for the provision of the cloud service, including the principles, procedures and measures as well as the controls established for this purpose in its organizational and operational structure.
In order to meet the C5 criteria, a large number of legal, technical and organizational data security measures must be implemented. These include the creation of the cloud provider's system description, an internal pre-audit of the fulfillment of the C5 criteria and the performance of the actual audit by a certified auditor.
How long does it take to obtain a C5 certificate?
The planning and implementation phase can take more than 6 months. The pure testing phase is estimated at 20 weeks. The law was passed in March 2024 and comes into force in July 2024. This is (rightly) considered unrealistic by professional associations. Many processors will probably not be able to meet the legal requirements by the deadline.
What are the costs for a C5 attestation?
The budget depends on the size of the company, the audited IT infrastructure and the existing structures (management systems). The budget can typically be in the mid five-figure to low or mid six-figure range. The German Health IT Association (bvitg) states that the costs for a C5 certification often amount to more than 100,000 euros, while the draft law assumes lower costs in the low five-figure range.
How can Simpliant support you with the implementation?
We offer comprehensive support in assessing the new legal requirements of the Digital Law (DigiG) and Section 393 SGB V, as well as their impact on your organization. We are happy to assist you in preparing for C5 certification, including identifying and implementing necessary IT security measures, creating the system description, and selecting a certified auditor.
Contact us via email at info@simpliant.eu or use our contact form to schedule a non-binding initial consultation.
Sources
[1]: Act to accelerate the digitalisation of the healthcare system.
[2]: Guidance on data protection for health data, Federal Ministry for Economic Affairs and Climate Protection: Link, p . 52 et seq.
[3]: One example of this is a position paper from the German Data Protection Conference (DSK), which demands that providers of cloud-based healthcare applications must also offer local storage: Link, p. 3.
Simpliant Legal Memo - Health data in the cloud - 1.0
This legal memo assesses the admissibility of processing health data by SaaS providers under the new § 393 SGB V in Germany. The download is only available in German.