
Information and Operation

Security in the Healthcare Sector

A large hospital, as an organization, is to be regarded as a service-oriented company. In providing its services, however, it is subject to high data protection requirements and must manage risks to patient health. This concerns not only medical IT systems: information technology is also indispensable in administration. Section 75c of the Social Security Code V (SGB V) requires all hospitals to address information security starting from January 1, 2022. This can be achieved, for example, by implementing the B3S (industry-specific security standard of the German Hospital Federation - DKG e.V.). The potential improvement of resilience based on the B3S, meaning the IT's ability to resist attacks and protect confidential information, ultimately serves to establish an appropriate level of security while maintaining the usual level of patient care and keeping the measures to be implemented proportionate. Furthermore, funding is available for measures under the Hospital Future Act (KHZG), which supports the Information Security Management System (ISMS) required by Section 75c.



Assessment, Analysis, and Evaluation of the Current Status of Organization and Technology Based on B3S Requirements


Goal Definition and Planning

Creation of a Reliable Effort Estimation for Necessary Measures and Development of an Implementation Plan, including Integration within Projects under the Funding Guidelines of the Hospital Future Act (Funding Clause 10).


Implementation and Introduction of an ISMS Solution

Design and Operational Implementation of an Information Security Management System (ISMS) with Introduction of ISMS Software


Promoting Industry-Focused Resilience

Design and Implementation of a Business Continuity Management System (BCM), including Emergency Concepts, Recovery Plans, as well as Testing and Drills.

The Steps to B3S

The tried-and-tested process at a fixed price at a glance

Our Partners 

I would be delighted to work with Mr. Salvador and the team again on the next project. Thank you and all the best!

Andreas Freitag, BMW AG

My TISAX® audit went smoothly and was successful right from the start. We were able to demonstrate our information security according to TISAX® and can now attract new automotive clients.

Any gaps in our preparation or examination were promptly addressed, and Opexa provided documents of high quality. I can highly recommend the team led by Klaus Höllerer, Klaus Kilvinger, and Thomas Salvador.

Dr. Samir Kadunic, MAASU GmbH

During the examination of customer requirements in the TISAX® domain, there was an urgent need for consultation within the company. Thanks to the assistance of Opexa Advisory GmbH, we were able to fulfill our customer requirements and achieve our goals with significant cost savings.

Opexa Advisory is the ideal partner due to their extensive automotive experience, project know-how, and their competent, efficient, and straightforward support.

Herbert Schmidt, Dennemeyer & Co. GmbH

What our clients have to say

Frequently Asked Questions

How can the numerous requirements of B3S be implemented and demonstrated?

The foundational standard ISO/IEC 27001 was first published in 2005 and last updated in 2022, which shows how well established it is. As the B3S is built upon this standard and incorporates other proven concepts and norms (such as a process-oriented approach akin to ISO 9001), the well-established methods already present in numerous industries can be applied.

What has been in use for years across various industries, from small businesses to large corporations, has proven its worth. The customary tools, methods, and procedures (hazard analysis, risk assessment, risk management, requirement implementation, documentation, incident management, reporting, control systems, etc.) are applicable.

This benefits patients, staff, facilities, the healthcare sector, and thereby the general public as well!

What financial and time investment can be expected?

In any case, an initial investment is required to meet the legal requirements. The necessity is determined through a gap analysis and estimated based on an action plan. A minimum duration of 4-6 months is not unrealistic, and the entire organization must also adapt.

The cost burden can be alleviated through federal and state funding. The measures follow the KHZG funding criterion 10, which focuses on prevention, detection, mitigation, and awareness of information security incidents - incidents in which vital information is at risk, whether in paper or digital form.

By utilizing information security management software with preconfigured policies and processes, implementation, application, and verification all become more effective, quicker, sustainable for the future, and cost-efficient!

Is it necessary for a healthcare facility to have an Information Security Officer and an Information Security Management System (ISMS)?

Information Security Officer (ISO)? Yes! This is clearly regulated in B3S. The management must allocate responsibility for monitoring the achievement of information security management objectives and for the implementation of measures agreed upon in the IT security process. How the role of the Information Security Officer is set up is not prescribed; it can be filled on a full-time, part-time, internal, or external basis. The individual must possess the necessary expertise and time capacity, and they must also be integrated into the organization to fulfill their duties effectively.

ISMS? Yes! It forms the core for implementing technical and organizational measures that can arise from the assessment of identified information security risks. The establishment and operation of an Information Security Management System (ISMS) are required within the scope of B3S.

Do further advantages arise from establishing structures and implementing an ISMS?

The probability of data breaches is reduced, and the opportunities for and risks of cyber attacks on the institution's information systems are mitigated, which also minimizes the potential for personal harm to patients. The ongoing evaluation of the organization according to B3S guidelines leads to a continuous enhancement of information security. It gradually becomes a part of the continuous improvement process in medical care. Consequently, all overarching processes are continuously optimized, further contributing to the operational efficiency of the facility.
