Ralf Hofstetter
Director & Leader Trust and Transparency Solutions
PwC Switzerland
Cristian Manganiello
Partner, Risk and Compliance Management Services
PwC Switzerland
In mid-July 2023, the German Federal Ministry of Health presented the draft of the Digital Act. It brings with it far-reaching requirements for digital health data processed in Germany, and thus for the information security of the cloud-based services that process it. What does this mean for Swiss companies?
Digital technologies and artificial intelligence are changing healthcare, for example through electronic patient records and video consultations. At the heart of digitalisation is medical data, which is exchanged between doctors and patients, but also between different service providers, with the help of modern technologies - mostly via cloud services. This enables new diagnostic and therapeutic approaches, improves communication in the healthcare system and gives patients the opportunity to more actively maintain and shape their health, for example through apps and online information.
However, this development also raises new questions of data protection and information security, because cyber security risks in healthcare are rising steadily. At the same time, more and more cloud-based applications (e.g. on Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure) are being used to process sensitive health data, which enlarges the attack surface and the number of parties that handle this data.
Against this backdrop, the German Federal Ministry of Health presented the draft of the "Act to Accelerate the Digitisation of Health Care" (DigiG) on 13 July 2023 and the cabinet approved the drafts of the DigiG as well as an "Act on the Improved Use of Health Data" (GDNG) on 30 August 2023. The aim of these laws is to simplify everyday treatment for doctors and patients in Germany with digital solutions and to improve research opportunities in Germany.
Even though the new laws so far apply only in Germany, Swiss providers of digital health services must check whether they are affected by them, because the requirements have extraterritorial effect. Any company that uses cloud services to process the health data of German patients falls within the scope of the DigiG and the GDNG, regardless of where it is headquartered. The German branch of a Swiss provider of laboratory analyses, for example, will be just as affected by the new legislation as the research centre of a Swiss pharmaceutical company that collects patient data in Germany.
From July 2025, companies will only be allowed to use cloud services in connection with the personal health data of German patients if the cloud provider holds a current C5 Type 2 audit report on its information security. The BSI Cloud Computing Compliance Criteria Catalogue (BSI C5) is the criteria catalogue published by the BSI (Federal Office for Information Security); it defines the minimum information security requirements for cloud services, and an independent auditor attests in the C5 report whether the provider's controls meet them. A Type 2 report covers not only the design of the controls but also their operating effectiveness over a review period, which is why it carries more weight than a Type 1 report.
To achieve compliance with the legal requirements in Germany and to ensure that their cloud providers meet all the requirements of the Digital Act in time, companies should plan their compliance work as a structured roadmap.
The timetable for complying with the new regulations is very tight, and affected companies should act as quickly as possible. The first important steps are to identify the regulations issued in Germany that apply to them and to clarify the exact requirements and legal risks for Swiss companies. We can accompany you competently every step of the way to compliance with the Digital Act.