Data protection and IT risk analysis for KRITIS operators in the hospital sector


Hospitals are classed as critical infrastructures because of their importance for the well-being of society.

With the IT Security Act (IT-Sicherheitsgesetz) the German legislator has defined minimum requirements for the security of critical infrastructures, and on that basis the German Hospital Association (DKG) has developed the industry-specific security standard B3S "Medical Care" to improve IT security in German hospitals. The B3S standard is also open to hospitals that are not regulated as KRITIS operators.

The information technology in modern hospitals supports, among other things, the following:

  • hospital workflows,
  • the management of patient data, and
  • the performance of medical procedures.

This infrastructure is exposed to critical risks, which hospital operators must address.
At the core of implementing the B3S is the establishment and operation of an information security management system (ISMS) in accordance with ISO 27001, supplemented by the healthcare-specific requirements of ISO 27799.

Thus the requirements of these standards and of the B3S can be grouped into the areas of

  • Data Protection,
  • Risk Management and
  • Information Security

and can be fully implemented, analysed, evaluated, monitored and continuously improved.

QSEC® – ISMS for hospitals

QSEC supports the establishment and operation of an information security management system according to the requirements of the

  • ISO 27001,
  • ISO 27799,
  • ISO 13485,
  • B3S Hospital,
  • BSI standard (IT-Grundschutz) and
  • Data protection according to GDPR

and can be integrated into the existing IT landscape.

In addition, QSEC can also be operated according to the requirements of other standards, such as ISO 9001, ISO 20000 and ISO 14001.

Get to know QSEC and see for yourself how efficient our solution is.


References & case studies


QSEC Online-Demo