As of 1 July 2024, new regulations are in effect for all manufacturers offering cloud services in Germany’s healthcare sector. Providers must now present a C5 certification and meet strict territorial requirements. Although these changes may have slipped under the radar for some, they are highly significant. It’s crucial for manufacturers interested in the EU market to quickly familiarise themselves with the new rules to ensure compliance.
On 1 July 2024, Germany enacted § 393 SGB V, introducing new regulations for cloud services in the healthcare industry. While many may not have noticed the change, it has already caused significant disruption. Some projects have stalled as the German Federal Office for Information Security (BSI) determined that certain providers are failing to meet the updated standards. Providers are particularly struggling with the requirement to obtain a valid C5 certification, leading to rising costs and operational challenges.
For companies offering or operating cloud services in the healthcare sector, now is the time to ensure compliance. Under § 393 SGB V, only cloud services that meet these strict requirements are permitted to process and handle healthcare data in Germany.
What Are the New Requirements?
Several key requirements now apply to cloud service providers in the healthcare sector under the new regulations. These include:
- Territorial restrictions on data processing
- The necessity of having a local branch or presence
- Mandatory C5 certification
These changes introduce stricter compliance measures that all providers must meet to operate legally in Germany.
Who Does This Affect?
These regulations are especially relevant for providers of cloud services in Germany’s healthcare sector. Without the necessary certification, cloud systems are prohibited from processing healthcare data. This applies not only to traditional cloud service providers but also to those offering cloud computing or Software-as-a-Service (SaaS) solutions within the life sciences sector. Companies offering cloud services to healthcare providers—such as hospitals, medical practices, and health or nursing insurance funds—are directly impacted and must ensure their systems meet the new requirements.
Territorial Restrictions and Domestic Presence
The new § 393 of the SGB V significantly limits where healthcare data can be processed. Under the regulation, data processing is only allowed in specific regions:
- Germany
- EU member states
- Countries within the European Economic Area (EEA) and Switzerland
- Third countries with an adequacy decision under Article 45 of the GDPR
In addition to territorial restrictions, another key requirement is that the data processing entity must have a physical presence within Germany. Even if data is processed outside of Germany, such as in the EU or EEA, the company responsible for processing must still maintain a branch within the country.
The C5 Certification (C5-Testat): What’s Required for Cloud Providers in Healthcare
A C5 certification (C5-Testat) is now mandatory for cloud service providers in Germany’s healthcare sector under the new § 393 SGB V. It ensures that providers meet specific security standards set by the German Federal Office for Information Security (BSI). This certification is a key requirement for legally processing healthcare data in the country. Here’s a breakdown of what this entails, why it matters, and how companies can navigate these new obligations.
What is the C5 Certification?
The C5 (Cloud Computing Compliance Criteria Catalogue) is a security framework designed to assess and ensure the security of cloud services. It defines minimum requirements that cloud providers must meet to guarantee the protection of sensitive data, especially in sectors like healthcare, where data security is critical. These requirements go beyond general security standards, as the C5 is specifically tailored for cloud environments.
The C5 certification is based on internationally recognised standards such as ISO/IEC 27001, but it also includes cloud-specific criteria that address the unique risks and challenges of cloud computing. By passing a C5 audit, a provider demonstrates compliance with stringent security protocols, offering transparency and trust to their customers.
Are Other Standards Like ISO/IEC 27001 Sufficient?
While ISO/IEC 27001 is a widely recognised benchmark for information security, it alone does not fully satisfy the new legal requirements. Under § 393 SGB V, the law technically allows for equivalent or higher security standards, but in practice the C5 certification will often be necessary to meet the BSI’s expectations.
The C5 framework builds on several well-established standards, including ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, and others like the Cloud Controls Matrix (CSA) and ANSSI’s SecNumCloud. Companies that comply with these standards may already meet some of the baseline requirements. However, the C5 criteria go beyond these standards, introducing additional cloud-specific controls to ensure a higher level of security. As a result, even if a provider complies with ISO/IEC 27001, they will still need to undergo a C5 audit to fully meet the new regulations in Germany.
Who Can Issue a C5 Certification?
Only certified public auditors (Wirtschaftsprüfer) are authorised to conduct C5 audits and issue certifications. The process is rigorous and thorough, involving a comprehensive review of the provider’s security measures and their cloud infrastructure. With the legal requirement now in effect, many providers are scrambling to secure certification, which might lead to increased demand and delays in obtaining the necessary audit.
Where Can You Find More Information?
For those seeking more details on C5 certification, the BSI has created a comprehensive FAQ section. This guide provides in-depth information on the certification process, security requirements, and how companies can comply with the new law. It is a valuable resource for cloud providers looking to better understand the steps they need to take to achieve certification. The FAQ can be found on the BSI’s official website.
Key Takeaways for Cloud Service Providers
The introduction of § 393 SGB V has set a new standard for cloud services in Germany’s healthcare sector. Key requirements include territorial restrictions on data processing, the need for a local presence in Germany, and the mandatory C5 certification.
The C5 certification, in particular, is essential for demonstrating compliance with the BSI’s strict security standards. While other frameworks like ISO/IEC 27001 may form part of the foundation, they are not sufficient on their own. Providers must obtain the C5 certification to legally process healthcare data in Germany, with the audit only conducted by certified public auditors and often carrying significant costs.
For manufacturers and cloud service providers, these new requirements mean careful evaluation of current systems and swift action to meet compliance. The stakes are high, as non-compliance could result in delays, increased costs, or the inability to operate in the German market.
Acting now to secure certification and adapt to the new rules will be critical for providers looking to remain competitive and compliant in the healthcare sector.