New Requirements for German Healthcare Data Protection

Kels Dethlefs

Principal, Coalfire

Jeremy Brown

Senior Director, Assessment, Coalfire

May 30, 2024

DigiG and BSI C5

As more technology moves to the cloud, ensuring data security becomes essential from a regulatory perspective. Healthcare data is no exception and can cause significant harm if exposed by a malicious actor. Germany is expanding legislation to protect healthcare data privacy. Per the Digital Act (nicknamed DigiG), companies in the healthcare sector with a data processing branch in Germany or a member state of the EU and processing social or health data will need to meet additional requirements to continue to operate.

DigiG includes new healthcare requirements, such as ensuring patients have access to their information and simplifying the digital relationship between patients and their medical providers using an electronic patient file. Organizations are required to meet the requirements of DigiG and C5 to address new risks that cloud technology introduces.

Who is affected by this legislation?

According to the language in the regulation, companies processing health or personal data using cloud-based information systems in Germany or a member state of the EU are affected. Additionally, health insurance companies have the right to request that companies providing a service to them related to processing healthcare adhere to the regulation. Until the finalized language of the regulation is signed into law, there could be changes to these definitions.

What are the new requirements?

All companies that meet the current definition must have a German Federal Office for Information Security (BSI) Cloud Computing Compliance Criteria Catalogue (C5) audit that demonstrates continuous compliance with the standard. BSI C5 has 17 criteria areas that assess the minimum security level a cloud-based service must offer to demonstrate that it adequately protects customer data. These criteria areas exist in several other assessment frameworks, including ISO/IEC 27001:2013, 2016, and 2022, ISO/IEC 27017:2015, BSI – IT-Grundschutz Kompendium 2019, CSA CCM 3.0, SOC 2, SecNumCloud, and RS FAIT 5. Companies can assess possible gaps against these other international standards using the mapping matrix that BSI provides.

The BSI C5 Type 1 is a point-in-time assessment in which a company confirms that the designed controls are in place. The wording "as of [date]" is used, where the listed date is the date by which all evidence is confirmed to be in place. Therefore, all evidence must be submitted to the assessor before the "as of [date]" listed. All controls must be functioning by this date; there are no exceptions in a Type 1 report.

A Type 2, in contrast, assesses whether the controls were in place and operating effectively during an explicit review period. The wording "from [start date] to [end date]" is used. The evidence must be generated during the review period. It may be submitted to the assessor shortly afterward, so long as the company can prove that the control was in place during the review period, for example with timestamps that confirm the completion time. Because a Type 2 covers a period of time rather than a single date, exceptions are possible for design issues or for controls that operated ineffectively.

The current proposal requires companies to have a BSI C5 Type 1 in place when the legislation goes into effect. By July 1, 2025, companies must have a Type 2 in place with a review period occurring right after the date of the Type 1. A gap in this period will be insufficient to show the continuous compliance requirement.

What are the next steps?

If a company has completed a C5 (either Type 1 or Type 2) assessment, this is sufficient until July 1, 2025, as long as there is no gap in the review periods. If C5 is a new framework for an organization's environment, obtaining a C5 Type 1 is generally the first step. The C5 Type 1 attestation confirms that the required controls have been deployed. All controls must be in place as of the date on the report.

Issuance of the report is not possible until every required control is in place. Once a C5 Type 1 is issued, the review period for the Type 2 will begin. Six months is the recommended review period for a first Type 2 report, as it balances the need to have the report quickly with being able to show all controls are operating effectively. Once the first report is issued, a recommended twelve-month review period allows for demonstrated continuous compliance.

How can Coalfire help?

Undertaking BSI C5 compliance can be challenging. Coalfire offers both Type 1 and Type 2 assessments, as well as readiness assessments that companies can use to identify gaps requiring remediation before starting an assessment. For companies just starting their compliance journey, Coalfire can also help build the required controls and advise on the controls that are already in place. Compliance has a demanding timeline, especially since the regulation did not provide an adoption period, a Type 1 audit requires that all controls be in place, and certification is not possible before that.

If you have questions, contact us or learn more about Coalfire Assessment services. We can assist wherever you may be in the BSI C5 process.