No Match Found
Direktor & Leiter Trust and Transparency Solutions
Partner, Risk and Compliance Management Services
In mid-July 2023, the Federal Ministry of Health in Germany presented the draft law on the Digital Act. It brings with it far-reaching requirements for digital health data used in Germany and thus for the information security of cloud-based services. What does this mean for Swiss companies?
Digital technologies and artificial intelligence are changing healthcare, for example through electronic patient records and video consultations. At the heart of digitalisation is medical data, which is exchanged between doctors and patients, but also between different service providers, with the help of modern technologies - mostly via cloud services. This enables new diagnostic and therapeutic approaches, improves communication in the healthcare system and gives patients the opportunity to more actively maintain and shape their health, for example through apps and online information.
However, this development also raises new questions of data protection and information security, as cyber security risks in healthcare are constantly increasing. At the same time, more and more cloud-based applications (e.g. Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure) are being used to process sensitive health data, which leads to higher risks.
Against this backdrop, the German Federal Ministry of Health presented the draft of the "Act to Accelerate the Digitisation of Health Care" (DigiG) on 13 July 2023 and the cabinet approved the drafts of the DigiG as well as an "Act on the Improved Use of Health Data" (GDNG) on 30 August 2023. The aim of these laws is to simplify everyday treatment for doctors and patients in Germany with digital solutions and to improve research opportunities in Germany.
Even though the new laws only apply to Germany so far, Swiss providers of digital health services must check whether they are affected by them, because the requirements have extraterritorial appeal. All companies that use cloud services to process health data fall under the DigiG and the GDNG. The German branch of a Swiss provider of laboratory analyses, for example, will be just as affected by the new legislation as the research centre of a Swiss pharmaceutical company that collects patient data in Germany.
From July 2025, companies will only be allowed to use cloud services in connection with personal health data of German patients if the cloud provider has a C5 Type 2 audit report from the BSI (Federal Office for Information Security) on information security. The BSI Cloud Computing Compliance Criteria Catalogue (BSI C5) is a catalogue of criteria and describes minimum information security requirements for cloud services that must not be undercut.
To achieve compliance with the legal requirements in Germany and ensure that the cloud provider meets all the requirements of the Digital Act in a timely manner, companies should follow the following roadmap:
The timetable for compliance with the new regulations is very tight and affected companies should react as quickly as possible. The first important steps are to identify these regulations issued in Germany and to clarify the exact requirements and legal risks for Swiss companies. We can competently accompany you every step of the way to digital law compliance.
Partner for Risk and Compliance Management Services, PwC Switzerland
Tel: +41 58 792 56 68