INQUIRED: “How exactly the NIS-2 directive will affect the laboratory sector is not yet entirely clear.”

by | Jul 1, 2025 | Digitization, Health, Uncategorized, Politics

Cyber security incidents in the healthcare sector have increased enormously in recent years as a result of global crises and new types of attack. The law on IT security, data security and information security has now caught the attention of practising legal advisors and company management. Given the complex regulatory situation and the advancing digitalization of the healthcare sector, a legal handbook that interlocks healthcare law and cyber security law and presents the relevant regulations is highly relevant in practice. MedLabPortal spoke with Dr. Tilmann Dittrich, co-editor of the standard work "Legal Handbook on Cyber Security in Healthcare", about the current state of affairs in the field of cyber security, healthcare and laboratory medicine.

MedLabPortal: Mr. Dittrich, the "Legal Handbook on Cyber Security in the Healthcare Sector" has been on the market since 2024. Why is this book needed?

Dittrich: The healthcare sector is the second most vulnerable critical infrastructure sector when it comes to the risk of cyberattacks. In addition, with digitalization, the dangers from other security gaps – outside of attacks – are continuously increasing. This applies to the importance of cyber security in the healthcare sector: Protecting highly sensitive information and, in the worst case, human lives. There is therefore a high level of risk that meets the immense impact of cyber incidents. This requires the legal classification of all sub-sectors of the healthcare system.

The book provides an in-depth and very complex insight into almost all areas of healthcare in relation to the legal aspects of cyber security. Credits: C.F. Müller

MedLabPortal: The book has an interesting structure. Right at the beginning, you give an overview of the legal situation in Germany and mention the Basic Law in the context of cyber security in the healthcare sector. What’s that all about?

Dittrich: The regulation of cyber security is not an issue that can only be found in specialist legislation. Cyber security issues can be found in many general regulations. Of course, this also includes the German Basic Law, for example when it comes to protecting a patient’s right to self-determination over their personal data. Or also in criminal law, if a cyber attack on a healthcare facility could have at least contributed to the death of a patient, as recently became known in the UK. We wanted to show that cyber security needs to be understood broadly across all conceivable areas of law.

MedLabPortal: Anyone who asks at this point why they should know all this will find the threat situation presented by sector in your book. Did you have to start by talking about university clinics and hospitals being hacked? Many patients and hospital managers will feel unsettled.

Dittrich: The threat situation is presented very soberly in the book, neither dramatized nor trivialized. But it is of course understandable that reports can lead to uncertainty among the population. The cyber threat situation is still relatively new. A great deal of public communication work is still required here in order to understand the importance of cyber security and the risks associated with digitalization. In the case of hospitals, however, it must also be said that the press reports and thus publicly available information are very comprehensive. This can then be easily evaluated in order to draw lessons for the risk situation. However, I hope that we have not unsettled most hospital managers with the scenarios because they were aware of the situation.

MedLabPortal: And it goes on. Your book lists health insurance companies, self-administration, telematics facilities and pharmacies as potential targets of cyber attacks. What about the BMG as the primary target?

Dittrich: Little is known about the risk situation for the ministries themselves. But these are also at risk, especially as state institutions due to the geopolitical situation. The examples you mentioned illustrate very well why the book had to take a broad view of the healthcare system. I can’t think of any sub-sector in the healthcare system that is not at risk. It’s just that the awareness that this threat exists has not yet reached everyone. Take the ambulance service, for example, which is a fundamental part of the rescue chain. If this link fails, healthcare is seriously jeopardized. Nevertheless, a recent study by the German Federal Office for Information Security concluded that IT security management processes are not nearly adequately established in this sub-sector.

MedLabPortal: Now, the authors also explain in the book how NIS-2 is supposed to help against such attacks. What do you think of this directive?

Dittrich: The EU’s Second Network and Information Security Directive (NIS-2) is the further development of a first directive in the IT security sector, so it is nothing completely new, but simply a further development. Even though there will always be a need for discussion in certain areas of both the directive itself and the impending transposition into German law, I believe that the directive makes sense. The directive greatly increases the number of companies and public institutions that belong to the so-called critical infrastructures and therefore have to take IT security measures in order to remain operational in the long term. The level of IT security in the European Union will thus be adapted to the risk situation, even if the directive will certainly not be the last set of regulations here. Both the technical status and the risk situation are always changing.

MedLabPortal: What about the laboratory sector, what applies here and what does NIS-2 mean for laboratories?

Dittrich: Large medical laboratories already count as critical infrastructure and must take IT security measures. In addition, all laboratories, regardless of their size, are only allowed to process personal data with an appropriate level of security. It is not yet entirely clear how exactly the NIS-2 Directive will affect the laboratory sector. What is certain is that the so-called EU reference laboratories will be among the facilities affected in future. I also assume that the large laboratories already covered will be subject to the stricter security catalog in the future.

Dr. Tilmann Dittrich, LL.M. (Medical Law), is a lawyer at the law firm Wessing & Partner Rechtsanwälte mbB in Düsseldorf. He specializes in IT and medical criminal law and supports executives and companies in the field of cyber security law. He is also the author of numerous specialist publications on crisis resilience and cyber security in the healthcare sector. Credits: Private

MedLabPortal: We were impressed by the chapter on “Cybercrime in the healthcare sector”. You could spin that part off as a screenplay for a Hollywood thriller. Unfortunately, everything you describe is real. Can you tell us more about it?

Dittrich: It's actually very real. Cyber groups operate in a highly professional manner. The image of cyber criminals as "hackers in hoodies in the basement" does not reflect reality. There are criminal groups all over the world that now also make their malware available to others, who can use the malware for hire, so to speak, if they are not technically capable of creating it themselves. It is a game of "cat and mouse" between law enforcement authorities and cyber groups. The healthcare sector in particular is an attractive target due to the high importance of cyber security. The groups do not shy away from harming health, even though some groups even prohibit such attacks under so-called "codes of honor".

MedLabPortal: The healthcare sector in Germany is a market with an annual turnover of over 500 billion euros. The "bad guys and gals" will pounce on it in a very organized and criminal manner. And the worst-case scenario would be realistic: patient data ending up somewhere on the darknet. What can an affected patient do in such a case?

Dittrich: It will not be possible to regain control of the data. Those affected should therefore take immediate security measures: for example, change access data and passwords and monitor accounts. There is of course also the option of claiming damages from the data processor, for example on the basis of the General Data Protection Regulation.

MedLabPortal: By contrast, the expectations of AI applications in hospitals are very positive. Why is that?

Dittrich: The enormous potential of artificial intelligence has probably not escaped the attention of most private users. AI can optimize processes in the healthcare sector, make them safer and also have a positive impact on the shortage of skilled workers. In addition, AI can also make an important contribution to ensuring cyber security, for example by supporting the search for malware. However, the potential of AI must not blind us to the fact that it cannot replace effective crisis processes. So anyone who relies on AI for detection but does not have any crisis concepts for security systems detected by AI will gain nothing.

MedLabPortal: Our last question: Do you have the feeling that anyone looked at even a fraction of the relationships described in detail in the book when the ePA (electronic patient record) was introduced?

Dittrich: Of course, I hope that the chapter on telematics infrastructure and the comments on the ePA have reached as many readers as possible. There are legal requirements for the security of applications here. This has certainly not been ideal in the past, with reports from the IT security community repeatedly pointing out security gaps. It is clear that the ePA will only be able to fulfill its potential if policyholders can trust it. Security gaps must therefore be taken seriously.

MedLabPortal: Mr. Dittrich, thank you very much for your time.

The questions were asked by MedLabPortal editor Vlad Georgescu.

Read also:

INQUIRY about NIS-2: “The cyber cent would make laboratories fit for the current threats” – MedLabPortal

National Strategic Plan for Laboratory Medicine: “We must be prepared for the next pandemic” – MedLabPortal

Nationwide model character: DGKL and constitutional protection in exchange – MedLabPortal


The articles in the news section are produced by the X-Press journalists' office.

Gender note: The personal designations used in this text refer equally to female, male and diverse persons. Double or triple references and gendered designations are avoided in favor of better readability.