KHZG and IT security

Contents and objectives of the KHZG

Digitalization has reached German hospitals and the entire healthcare sector, but until now there has been a lack of financial support for information technology projects and measures. Such support is particularly important for hospitals, which as critical infrastructures (KRITIS) must meet the requirements of the Federal Office for Information Security (BSI). Those responsible in the hospitals now face the challenge of using the financial resources of the Hospital Future Act (KHZG) for the digitization of their own infrastructures while at the same time coping with the effects of the coronavirus pandemic.

According to the current law, investments in modern emergency facilities, necessary personnel measures and the development and expansion of infrastructure are eligible for funding. This includes patient portals, the digital management of medication and the electronic documentation of treatment and care services. Above all, the new law emphasizes the importance of IT security in hospitals.

The law also stipulates that clinics are to invest in the area of care and nursing and to optimize care by integrating digital structures. Detailed information on this can be found on the website of the Federal Ministry of Health.

In terms of the measures to be supported, the Hospital Future Fund does not differ significantly from the previous Hospital Structural Fund. What is new, however, is that this 4.3 billion aid package from 2020 is largely linked to the promotion of IT security in hospitals, including university hospitals.

A hospital can only receive funding from this fund if at least 15 percent of the funds applied for is invested in improving IT security.

The eligibility of critical facilities (KRITIS)

Hospitals with an inpatient case load of 30,000 or more per year are considered critical facilities and must align all IT security measures under the KHZG with the industry-specific security standard (B3S for hospitals).

In general, KRITIS hospitals are to be supported within the framework of the KHZG. An exception is made for projects that are absolutely necessary to improve the security of the IT environment: such projects are already eligible for funding under the Hospital Structural Fund, and the Federal Office for Social Security (BAS) wants to prevent double funding.

If a KRITIS hospital receives funding for other measures under the KHZG, at least 15 percent of the funding must still be used for steps to optimize information security. This means that KRITIS hospitals can also cover a certain proportion of investments in IT security with money from the Future Fund.

The aim of every hospital should be to protect patient data from unauthorized access. Measures to improve IT security must therefore start where such sensitive data is documented, which is the hospital information system (HIS). Disruptions of the infrastructure components or of the medical technology, IT or departmental subsystems can also interrupt the treatment process in the hospital.

In this case, proper patient care would no longer be guaranteed. It is therefore important to secure the information system in the clinic as thoroughly as possible. A sensible investment in this context is an authorization management system.

Figure: KHZG timetable. Source: Federal Ministry of Health, https://www.bundesgesundheitsministerium.de/krankenhauszukunftsgesetz.html

The role of information security in the Hospital Future Act

One of the most important requirements of the KHZG (Section 14a (3)) is therefore that 15 percent of the funds applied for must be used for measures that improve information security. According to a study conducted by the Roland Berger Foundation in 2017, 6 percent of all German hospitals have already been victims of various cyber attacks, and the trend is still rising. Due to the very high financial pressure, clinics are not adequately protected against cyber attacks. One aim of the digitization renewal is to ensure that specific security standards contribute to improving IT security in hospitals in Germany. These primarily include securing IT processes while at the same time protecting patient data. To be eligible for funding, the clinics undertake to comply with data protection regulations.

The improvement of IT and cyber security in hospitals, which are critical infrastructures, also covers university hospitals. Measures to improve IT and cyber security have so far been excluded from funding under the Structural Fund. This is stated in funding item 10, which covers individual measures and combinations of these options.

This includes the introduction of an information security management system in accordance with ISO 27001 or BSI IT baseline protection (IT-Grundschutz), as well as various preventive measures. It also covers network segmentation, firewalls, authentication systems, sandbox systems, micro-virtualization and interface control.

Intrusion prevention systems such as network access control, software version management and vulnerability scanners are also included in the funding under the new law.


The objective of the security projects

The Hospital Future Act supplements Section 19 of the Hospital Structural Fund Ordinance with, among other things, the eligible projects. For information security in particular, this means that the construction, procurement, development and expansion of communication and information technology systems, facilities or processes must follow the latest technical and organizational precautions to prevent disruptions. In addition, the availability, reliability and confidentiality of the hospital operator's systems, processes and components that are essential for the functioning of the hospital and the security of patient information must be ensured.

These digitization projects are being funded

KHZG (Hospital Future Act): funding criteria

First and foremost, the security of IT systems and, at the same time, of the information processed in the healthcare sector is of great importance. It must be ensured that the availability, confidentiality and integrity of IT components, systems and processes are not compromised in any way. This also applies to the authenticity of the available information. In this way, the security of patient data, the effectiveness of treatment and the functioning of the clinic can be maintained and ensured at the same time.

It is therefore clear that IT and cyber security is a necessary condition for advancing digitalization measures in hospitals and sanatoriums in Germany. The Hospital Future Act and the necessary funding have now laid the important foundation for this.

This new funding programme opens up a wide range of opportunities for clinics to optimize their own IT infrastructure and to drive forward digitization in general. From the entry into force of the new law until 31.12.2021, the federal states can submit their funding applications to the Federal Office for Social Security. Note that the deadlines differ between the federal states.

IT security projects in the hospital

In order to use the Hospital Future Act as an upgrade for IT security, the planned projects must strengthen the capabilities of prevention, detection, mitigation and awareness.

Prevention covers network segmentation, firewalls and vulnerability management.

Detection covers log management systems, security information and event management (SIEM) systems, malware protection and intrusion detection systems.

Mitigation covers technical and organizational measures that prepare for forensic analysis, as well as automatic backup systems. This also includes local malware protection with central control.

Awareness covers regular risk analysis, training, awareness measures and information campaigns.

In this context, it is important to recognize that targeted IT security projects are always eligible for funding, provided the relevant state of the art is taken into account without exception and data protection regulations are complied with.

The application procedure is described in detail in the guidelines of the Hospital Structural Fund Ordinance of 2020. The funding is distributed to the hospitals by the Federal Office for Social Security from the Hospital Future Fund established for this purpose.

Example: The protection of e-mail communication

An improvement in IT security comes at just the right time, as many attackers are exploiting the current situation and the very high pressure on clinics to perform. Analysts have also noted that the healthcare sector in particular faces a high number of cyber attacks. The criminals expect the affected clinics to comply with ransom demands in order to keep patient care running. E-mail is often the most efficient and most common method used by attackers to gain access to hospital systems. There are many reasons for this: an e-mail is a direct means of contacting employees and thereby reaching the internal IT infrastructure. Malicious programs such as ransomware are therefore usually delivered as e-mail attachments, so that they can be activated quickly and easily with just a few clicks.

Protecting hospital systems and e-mail communication is therefore necessary and of great importance. The Federal Office for Social Security defines this aspect very precisely in the guidelines for the Hospital Future Fund.

Funding item 10 therefore states that impairments of availability and integrity must be avoided at all costs and that the confidentiality of systems, processes and IT components must be guaranteed. Various requirements must be met so that the hospital operator's own IT security measures are also eligible for funding under the Future Fund. First and foremost, the projects must aim to protect against information security incidents. Examples include sandbox systems, authentication systems, secure and encrypted data transmission, and protection against malware in e-mail programs.

The suitability of the information technology measures

According to Section 21 (5), the Federal Office for Social Security authorizes employees of IT service providers to check whether the planned information technology measures meet the requirements for the approval of funds. This review also assesses whether the projects can be implemented within the planned budget, scope and schedule.

From 2021, IT service providers and hospital operators can receive free training on how to submit applications on the website of the Federal Office for Social Security in accordance with Section 21 KHSFV. The training consists of four individual units and takes just 1.5 hours.

Which companies are allowed to implement the measures?

For projects planned in accordance with Section 19 (1), university hospitals and hospital operators may only commission IT service providers that are authorized by the Federal Office for Social Security in accordance with Section 21 KHSFV to implement the funded digitization projects. Employees of the cyber and IT security service providers must have completed training and various tests.

Particular caution is required if the IT service provider has access to patient and health data. In accordance with the data protection provisions of the Future Act, a data protection agreement is required here.

Based on the nationwide Hospital Financing Act and the state hospital laws, each federal state decides which hospitals are included in its hospital planning. All facilities may submit an application, but this does not mean that applicants are entitled to funding. The hospital operator submits a notification of need, and the respective federal state determines the purposes for which funding is to be applied for from the Federal Office for Social Security. Ultimately, the office decides on the funding and its approval. Rehabilitation and preventive clinics and private clinics are excluded from funding for the new measures.

The application procedure for funds from the KHZG

The application process always begins at the state level. The university hospitals and hospital operators submit their needs and applications for approval to the authority specified by the state ministry. The Federal Office for Social Security is the superordinate approval authority vis-à-vis the federal states.

Important general steps in the procedure for projects eligible for funding are determining the current state of the IT security architecture and, based on this, prioritizing the optimization measures to be decided on.

IT service providers authorized by the Federal Office for Social Security assess whether the project fits one of the Future Fund's key funding items.

The notification of need is made using the forms of the Federal Office for Social Security, with detailed explanations and reasons for the planned project.

Proof that the funds granted are used for the intended purpose must also be provided.

Proof of the use of funds for IT security is also required. The applicant must demonstrate, with various supporting documents, that a share of at least 15 percent is used for measures to improve information security, and to what extent.

The service provider to be commissioned must also confirm this. When applying for the eligible security project, the service provider must confirm that the measure is necessary to bring the hospital's IT systems up to the current state of the art.

All steps at a glance:

  1. Obtain the application form from the Federal Office for Social Security (BAS)
  2. The respective federal state may require additional forms
  3. Submission of the forms to the respective federal state:
    In the case of transnational projects, the application is submitted jointly with one institution named as the main responsible party.
  4. The state will now decide which of your projects will be funded.
  5. If a project is to be funded, the state will submit an application for funding to the BAS:
    The prerequisite for this is that you contribute at least 30% of the costs.
    The state will submit the application to the BAS within three months of the notification of need.
  6. The federal states must submit their decision on the funding of the respective project to the BAS no later than 15 months after notification of the payment decision.
  7. Hospitals that receive funding must participate in the evaluation research for the maturity model (Section 14b KHG).