Germany tightens control of cloud-computing in healthcare
03/09/2024
Germany has introduced stricter requirements to establish a uniform standard for the use of cloud-computing services in the healthcare system, which covers around 90% of the population.
The new Section 393 SGB V, “Cloud-Use in the Healthcare System”, applies to healthcare providers, health insurers and their data processors, and to cloud-computing service providers that offer services to these groups. The new rules may also affect certain medical research projects that process health data using cloud-computing.
As a result, the processing of health data using cloud-computing services is subject to special requirements: the data may only be processed in certain geographical regions, and technical and organisational measures must be taken to ensure that providers meet defined security requirements.
Health and social data may only be processed by cloud-computing services
· within Germany,
· within an EU member state,
· within an EEA member state or Switzerland, in accordance with section 35 (7) SGB I,
· or within a third country covered by an adequacy decision under Art. 45 GDPR.
If health and social data is processed outside Germany, the data processing entity must also maintain a branch office within Germany.
According to the German legislator, the provision aims to enable the secure use of cloud services as a “modern, generally widespread technology in the healthcare sector and to create minimum technical standards for the use of IT systems based on cloud-computing”.
In contrast to the EU GDPR legislation, the German requirement does not recognise the execution of the EU Standard Contractual Clauses (SCCs) or other means such as Binding Corporate Rules as adequate guarantees for cloud-computing services when personal data is processed in a third country that is not subject to an adequacy decision by the European Commission.
The new requirements apply to data processing using cloud-computing irrespective of whether the cloud-computing service is provided by an external vendor or is a tool that the healthcare provider or health insurer has developed in-house.
Data processing using cloud-computing services must have appropriate technical and organisational measures implemented to ensure data security: the data processing entity must hold a current C5 certificate (the German BSI's Cloud Computing Compliance Criteria Catalogue), and the cloud-computing customer must implement the C5 conditions and criteria.
W Denis Europe arranges comprehensive insurance for EEA-based businesses, large and small, including Data Protection Infringement Cover, Cyber, Errors & Omissions, Directors & Officers Liability and much more. If you wish to discuss your insurance requirements, please visit www.wdenis.eu or contact:
· Southern Europe: Christos.Hadjisotiris@wdenis.com