A large hospital should be regarded, as an organization, as a service company, but one whose services are subject to high data protection requirements and to risks to patient health. Not only the use of medical IT systems is relevant; information technology is also indispensable in administration. § 75c SGB V requires all hospitals to address information security from 01.01.2022, for example by implementing the B3S (the industry-specific security standard of the DKG e.V.). The improvement in resilience made possible on the basis of the B3S, i.e. the robustness of the IT and the protection of confidential information, thus ultimately serves to establish an appropriate level of security while maintaining the usual level of patient care and the proportionality of the measures to be implemented. In addition, funding for such measures is available from the KHZG: this funding supports the ISMS, and § 75c requires it.
The steps to B3S
The proven process at a glance
01 GAP analysis: Survey, analysis and assessment of the status quo of organization and technology based on the requirements of the B3S
02 Goal definition and planning: Preparation of a reliable cost estimate of the necessary measures as well as development of a plan for implementation and its integration within the framework of the projects under the funding guidelines of the KHZG (funding item 10)
03 Implementation and introduction of an ISMS solution: Design and operational implementation of an information security management system (ISMS), with introduction of ISMS software
04 Promoting industry-focused resilience: Design and implementation of a business continuity management system (BCM), including emergency concepts, recovery plans, tests and exercises
Our partners
What our customers say
I would be happy to work with Mr. Salvador and his team again on the next project. Thank you and all the best!
Andreas Freitag, BMW AG
My TISAX® audit went smoothly and was successful right from the start. We were able to demonstrate our information security in accordance with TISAX® and can now win new automotive customers.
Gaps in our preparation and testing were closed promptly and high-quality documents were delivered by Opexa. I can only recommend the team around Klaus Höllerer, Klaus Kilvinger and Thomas Salvador.
Dr. Samir Kadunic, MAASU GmbH
When reviewing customer requirements in the area of TISAX®, the company urgently needed advice. Thanks to the help of Opexa Advisory GmbH, we were able to meet our customer requirements and also achieve our goals with significant cost savings.
Opexa Advisory is the ideal partner due to its many years of automotive experience, project know-how and competent, efficient and uncomplicated support.
Herbert Schmidt, Dennemeyer & Co. GmbH
Frequently Asked Questions
What financial and time expenditure can be expected?
In any case, an initial investment is required to meet the legal requirements. The need is determined as part of a gap analysis and estimated on the basis of an action plan. A minimum lead time of 4-6 months is not unrealistic, and the entire organization must adapt as well.
The cost burden can be mitigated through federal and state funding. The measures follow KHZG funding item 10, which covers prevention, detection, mitigation and awareness with regard to information security incidents, i.e. incidents in which important information is at risk, regardless of whether it exists on paper or in digital form.
By using information security management software with preconfigured policies and processes, the introduction, day-to-day use and demonstration of compliance become better, faster, more sustainable for the future and more cost-effective!
How can the numerous requirements of the B3S be implemented and demonstrated?
The basic standard ISO/IEC 27001 was first published in 2005 and last updated in 2022, so it is well established. Since the B3S is based on this standard and also uses other existing proven concepts and standards (e.g. a process view analogous to ISO 9001), the methods already established in many industries can be applied.
What has been in use for years in many industries, from small companies to large corporations, has proven itself. The usual tools, methods and procedures (hazard analysis, risk assessment, risk management, requirements implementation, documentation, incident management, reporting, control systems, etc.) can be used.
Patients, staff, facilities, the healthcare system and therefore the general public all benefit from this!
Does a healthcare facility need to have an information security officer and an ISMS?
ISB (information security officer)? Yes! This is clearly regulated in the B3S: management must clearly assign responsibility for monitoring the achievement of information security management objectives and for implementing the measures agreed in the IT security process. The specific setup of the information security officer role is not prescribed; it can be full-time or part-time, internal or external. The person must have the specialist knowledge and the necessary time capacity, and must be integrated into the organization in order to be able to fulfil their tasks.
ISMS? Yes! It is the core for the implementation of technical and organizational measures that can result from the assessment of identified risks to information security. The establishment and operation of an information security management system (ISMS) is required for the B3S scope.
Are there any further benefits from setting up structures and introducing an ISMS?
The likelihood of data breaches is reduced, the opportunities for and risks of cyber attacks on the facility's information systems are reduced, and with them the possibility of harm to patients. The ongoing review of the organization against the B3S requirements results in continuous optimization of information security, which gradually becomes part of a continuous improvement process in medical care. As a result, all supporting processes are continuously optimized, which also serves to increase the profitability of the operation.