Cloud services in healthcare

C5 certificate as the key to compliance

The German Digital Act (Digital-Gesetz) allows the use of cloud services in the healthcare sector, but only under strict conditions. Cloud providers may only offer their services if they have obtained a C5 certificate from the Federal Office for Information Security (BSI). If a cloud provider uses the services of third parties, it must be checked whether a C5 certificate is required.

C5 certificate

According to Section 393 (3) No. 2 of Book V of the German Social Code (SGB V), cloud providers must present a C5 certificate for their cloud systems and technologies. The certificate confirms that all relevant security and data protection requirements have been met. The certificate is based on the BSI C5:2020 criteria catalogue, which comprises a total of 125 criteria from 17 subject areas and is divided into basic and additional requirements.

Who is responsible?

The primary addressees of the SGB V obligation are cloud providers. These often use third-party services for various components. There is a debate as to whether a cloud provider must provide a certificate from the third party or an additional certificate of its own. Although the wording of the SGB V provision is open and opinions differ, the spirit and purpose of the regulation, which is to ensure comprehensive data protection, together with the C5 criteria catalogue, which contains specific requirements for the use of subservice providers, point to an overall solution: both the cloud provider and the subservice provider it uses must be C5 certified.

Practical implementation

Cloud providers have two options for submitting a C5 certificate: with the inclusive method, the provider includes the subservice provider's security measures in its own C5 audit; with the carve-out method, the subservice provider's security measures are excluded from the provider's own audit and verified instead by a certificate from the subservice provider. In practice, the carve-out approach is recommended. It allows cloud providers to focus on their own security measures, which has benefits such as minimizing cost and effort.

With the German C5 equivalence regulation, alternative security certificates can now be recognized as equivalent to the C5 certificate. Alternatives are ISO/IEC 27001, ISO 27001 (based on the BSI standard “IT-Grundschutz”) or the Cloud Controls Matrix version 4.0. An additional requirement is the submission of a detailed action plan.

Additional requirement: Transfer to third countries

In addition to the C5 certificate, Section 393 SGB V contains a territorial restriction on data processing. Health data may only be processed within the European Union (EU), the European Economic Area, Switzerland, or countries for which the EU Commission has issued an adequacy decision. For US cloud providers, certification under the Data Privacy Framework Program is also required, even if the current adequacy decision for the US is in place.

Conclusion

Cloud providers need their own C5 certificate. The C5 certification of subproviders must also be checked. The privately maintained list ‘BSI C5 Attestations’ provides an overview of which providers hold a C5 certificate.
