
Use of cloud services in the healthcare sector 

Section 393 SGB V sets new requirements


Since 1 July 2024, section 393 SGB V has been in force in the version revised by the Act to Accelerate the Digitisation of the Healthcare System (Digital Act, DigiG) and introduces specific requirements for the use of cloud services by healthcare providers as well as health and long-term care insurance funds. The updated provision sets out clearer data protection rules for the processing of personal health and social data by cloud services. Secure cloud connectivity also makes it easier for healthcare providers to use AI applications and other digital services.

Data processing agreements

First, section 393 (1) SGB V clarifies that external cloud services may only be contracted or used in the role of a processor as defined in Art. 4 No. 8 GDPR.

Territorial restrictions

Health and social data may only be processed by cloud computing services

  • within Germany,
  • in an EU member state,
  • in an EEA member state or in Switzerland according to section 35 (7) SGB I,
  • or in a third country with an adequacy decision according to Art. 45 GDPR.

If health and social data is processed outside Germany, the data processing entity must also maintain a branch office within Germany. Although neither the Digital Act nor its explanatory memorandum precisely define "branch office," the term is used in a data processing context in section 35 (6) SGB I and refers to the actual place of processing. According to a ruling by the European Court of Justice (ECJ 1.10.2015 – C-230/14), a flexible understanding of "branch office" should be applied, according to which an organization may not only be considered as established at the place where it is registered. To determine whether a data-processing entity has a branch in Germany or exclusively in another member state, the stability of the establishment and the effective exercise of economic activities must be considered on a case-by-case basis.

Technical and organizational requirements

To meet the requirements of the new section 393 (3) SGB V, appropriate technical and organizational measures must be taken to ensure information security in line with the current state of the art. In addition, cloud services, Software-as-a-Service offerings and the associated technologies must hold a current C5 attestation (Cloud Computing Compliance Criteria Catalogue) covering the C5 baseline criteria. The C5 criteria catalogue issued by the Federal Office for Information Security (BSI) specifies minimum requirements for secure cloud computing and gives cloud customers substantial guidance when choosing a provider. It can also serve as a basis for an organization's own risk management.

Industry-specific requirements for the technical and organizational measures follow from section 393 (5) SGB V. For contractual medical and dental care, section 390 SGB V applies; for hospitals, section 391 SGB V. Health insurance funds must comply with the industry-specific security standard for statutory health and long-term care insurers (B3S-GKV/PV).

Generally, measures are deemed adequate under section 393 (3) No. 1 SGB V if they are equivalent to those specified in section 391 SGB V. This standard of adequacy does not apply where processors or providers are already required to implement sufficient technical measures as operators of critical infrastructures under section 8a of the BSI Act (BSIG).

Transitional regulations and future requirements

Until June 30, 2025, section 393 (4) SGB V allows a C5 Type 1 attestation to suffice. From July 1, 2025, a current C5 Type 2 attestation is required. A C5 attestation is considered current if it is renewed regularly and kept up to date with the state of the art. Data processing is also permissible if an attestation or certification adhering to a comparable or higher security standard than C5 is available for the cloud systems and technology used. The Federal Ministry of Health is authorized to specify such standards by ordinance.

Transparency

Certified cloud systems and technologies will be listed on a platform operated by the Competence Center for Interoperability in Healthcare (KIG). The KIG promotes better standards in medicine and works closely with various institutions and stakeholders, as mandated by the Digital Act.

Conclusion

The revised section 393 SGB V establishes security standards for the use of cloud computing services in healthcare, offering increased security for all parties. However, service providers under the SGB are required to carefully review and select their cloud service providers and to ensure an adequate contractual basis with them. This will require a structured process, including:

  • Compliance assessment: Providers must thoroughly evaluate cloud services to ensure they meet the requirements of section 393 SGB V, including the presence of a branch office in Germany.
  • Contractual assurance: Contracts with cloud service providers must comply with Art. 28 GDPR and section 393 SGB V, which involves regular review, updates, and potential audits.
  • Technical and organizational measures: Providers must address the cybersecurity posture of their cloud service providers, including implementing and documenting technical and organizational measures. Providers should seek a C5 attestation early if they do not already hold one, especially as the Federal Cabinet's draft NIS2 Implementation and Cybersecurity Strengthening Act signals that implementation of the NIS2 Directive in Germany is approaching.
  • Risk management and due diligence: Using cloud services requires a risk management and due diligence system to ensure continuous legal compliance, including monitoring and evaluating the cloud services' compliance with security standards. Cloud computing service providers that want to offer their services in the healthcare sector should likewise apply for C5 attestation at an early stage if they do not already hold it. In view of the NIS2 Implementation and Cybersecurity Strengthening Act adopted by the Federal Cabinet on 24.07.2024, implementation of the NIS2 Directive in Germany is likely to be within reach, so further measures in the areas of cybersecurity and risk management will need to be considered.
  • Training and awareness: Employees must be made aware of, and trained on, the risks of using cloud services and the importance of complying with data protection requirements.

Implementing these requirements will likely require expert guidance and support. Feel free to contact us – we are ready to assist you.
