Because of their importance for the common good, hospitals are indispensable for a functioning society. This is undisputed. A high, up-to-date safety standard is expected of all hospitals and is prescribed by law. Particularly strict requirements - especially with regard to IT security - must be met above all by those facilities which, due to their size, belong to the so-called critical infrastructures (CRITIS). According to the German Federal Office for Information Security (BSI), about 100 of the 1,900 hospitals in Germany, those with more than 30,000 in-patient treatment cases per year, are currently CRITIS hospitals.
With the help of modern security systems such as prime SecurityManagement (pSM) from primion, both the operators of CRITIS hospitals and smaller hospitals are supported in meeting current and future security requirements.
Implementing industry-specific security standards with modern systems
According to the BSI-CRITIS-Ordinance in Germany (BSI-KritisV), the information security of a CRITIS hospital must be "state of the art". Disruptions as well as failures of the information technology systems, components and processes must be avoided - after all, secure IT processes are crucial for reliable patient care. In order to establish reliable protection mechanisms for hospitals as critical infrastructures, the German Hospital Federation (Deutsche Krankenhausgesellschaft e.V.) has defined the industry-specific security standard (B3S) on the basis of the German IT Security Act. Among other things, operators of CRITIS hospitals must implement the following specifications and systems in order to maintain their critical services at all times:
- digital access and locking systems
- reliable video surveillance
- constant power and electrical supply.
In particular, the physical security of buildings in which core systems such as the computer centre or medical treatment rooms are housed must, according to the standard, be a mandatory part of the information security concept of hospitals and is subject to strict risk management.
With the pSM security control centre system, primion has developed a system that can be adapted and implemented to suit individual sectors. For example, it ensures accelerated processes in everyday hospital life and at the same time helps to fulfil the requirements for CRITIS hospitals. In the pSM, various systems such as the intrusion alarm system, the intercom system or the official building radio are brought together and can be controlled centrally; the status is monitored around the clock on large monitors. The sensible networking of access control systems and security monitoring ensures optimal all-round protection of sensitive areas.
Automated processes for rapid response in a crisis
In dangerous situations such as attempted unauthorised access, attacks from outside or a fire, all relevant security processes are controlled automatically via the pSM: rescue and emergency forces as well as technical staff are alerted, and the silent alarm is triggered in the affected wards for initial information. The sprinkler system and the building management system also come together in the pSM - thanks to numerous interfaces, third-party trades can also be easily integrated into the control centre system.
Stricter requirements for non-CRITIS hospitals
Information security in particular is also increasingly coming into focus for hospitals below the threshold of the German BSI-KritisV Ordinance. The German Patient Data Protection Act (PDSG), which came into force in October 2020, is intended to advance digitisation in the healthcare sector. For the security of patient data, new requirements for data protection and data security will apply to hospitals, doctors and the like in the future. From January 2022, even smaller hospitals will have to implement technical and organisational measures for IT security in accordance with the current state of the art.
Those hospitals that already rely on state-of-the-art security technology and comprehensive risk management will probably have an easier time of it. After all, in order to meet the new legal requirements, new technical systems for protection do not necessarily have to be installed. Instead, existing requirements should be checked and, for example, linked to other systems. The systems from primion support CRITIS hospitals as well as smaller clinics and care facilities, regardless of size - always with the aim of guaranteeing the security of people as well as intangible and tangible assets and data at all times.