eHealth - Cyber Security in Healthcare

The area of eHealth deals with the digitalisation of healthcare. The subjects it covers can be separated into different sections. These include Germany's electronic health insurance card (eGK), the corresponding telematics infrastructure (TI), and the cyber security of the medical technology used in Germany.

The BSI, as the Federal Cyber Security Authority, shapes information security in digitalisation through prevention, detection and response for government, business and society. Within the healthcare sector, all regulatory and economic actors face multiple challenges. For the first time, the “Lagebild Gesundheit 2022” (only available in German) describes the cyber security status of Germany’s healthcare sector from a BSI perspective. Its topics are the German telematics infrastructure, digital health applications, medical devices, pandemic-related digital applications and ambulatory care. Supplementing the “Lagebild Gesundheit 2022”, the “Tätigkeitsbericht Gesundheit 2023” (only available in German) describes the BSI’s current activities within eHealth. It covers the ongoing development of the telematics infrastructure, security for ambulatory care and an overview of activities in the medical device sector.

Modern Healthcare Provision: Digital and Secure

The provision of healthcare affects everyone in Germany. It is also a yardstick with which the prosperity, strength and solidarity of a society can be measured. Around the world, Germany's healthcare system is considered among the best -- not least because it is digitalised in many areas. Electronic patient records; app-based measurement, storage and analysis of health data; and video consultations are just some examples of the digital technologies that are currently changing the face of the German healthcare sector. Digitalisation benefits all the stakeholders in healthcare -- from patients and doctors' practices to hospitals and health insurance companies. Digital healthcare provision can make life easier for people by minimising travel and waiting times and ensuring help is provided quickly in the case of sickness or an emergency.

Yet for all its benefits, eHealth is inconceivable without information security. Digitalisation generally goes hand in hand with a higher risk of IT security incidents and cyber attacks, and healthcare is no exception. What this can lead to has been shown by numerous incidents over the last few months and years: some hospitals have been forced to switch to emergency operation, and millions of sensitive patient data records have been stolen or left exposed online with no password protection over long periods of time. There are also frequent reports of vulnerabilities in networked medical devices such as insulin pumps, patient monitors or ventilators. In the worst case, the failure or manipulation of these devices by unauthorised third parties can have direct -- even fatal -- consequences for patients.

Ensuring the security of digitalisation

All these incidents pose an existential threat to a modern society. This is one of the reasons why healthcare facilities form part of Germany's critical infrastructure. As the country's centre of excellence for information security, the BSI has responsibility as a key architect of secure digitalisation in an area of fundamental importance to society.

When the 2015 German IT Security Act took effect, the BSI was also assigned the role of supervisory authority for operators of critical infrastructure (KRITIS), which includes those in the healthcare sector. In this sector, critical infrastructure includes hospitals and clinics that handle more than 30,000 cases of in-patient treatment every year, as well as pharmaceutical manufacturers that bring more than 4.65 million units to market on an annual basis.

As Germany's federal agency for cyber security, the BSI plays a leading role in designing and structuring major digitalisation projects in German healthcare. Currently, the BSI is involved in the further development of the country's electronic health insurance card, emergency data management and the electronic medication plan in the context of safety in drug therapy, electronic patient records, telematics infrastructure and the IT security of medical devices -- one example being the ManiMed project, which is investigating the manipulation of medical devices. The BSI was also responsible for ensuring that the federal Corona-Warn-App meets a high standard of information security, which is a critical factor in achieving widespread usage among citizens.

The BSI supports IT application fields in healthcare with criteria, security standards in the form of Technical Guidelines or 'IT-Grundschutz' (IT baseline security) modules, and subject-specific help and advice for government agencies and businesses to ensure applications can be implemented quickly with a high degree of usability and security. An important factor in this work is the BSI's close cooperation with partners such as gematik, the Federal Ministry of Health (BMG), the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Federal Institute for Drugs and Medical Devices (BfArM).