
Authorisation management for CRITIS

What does the IT Security Act require?

Hospitals with at least 30,000 full inpatient treatment cases count as so-called critical infrastructures (BSI-CritisV Annex 5 table “Facility categories and threshold values”). They are thus obliged to set up a contact point and must report IT security incidents (§ 8b (3) BSIG). In order to comply with the required security level and to establish necessary processes and structures, organisational and technical measures must be taken at an early stage. A transition period for these hospitals is explicitly not provided for.

What does CRITIS mean?

“Critical infrastructures (CRITIS) are organisations and facilities with important significance for the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences”.

According to the law, critical infrastructures include the sectors of energy, information technology and telecommunications, transport and traffic, health, water, food, media and culture, state and administration as well as finance and insurance.

Legal requirements for operators of critical infrastructures can be found in the Federal Office for Information Security Act (BSIG). The law aims to improve the security of information technology systems in Germany. The sectors of state and administration as well as media and culture are not covered by the legal obligations. [Source]

If a hospital is classified as a critical infrastructure for two years in a row, operators are obliged to provide evidence of the technical and organisational measures taken to prevent disruptions to the availability, integrity, authenticity and confidentiality of the IT systems, components or processes. In addition to audits, certifications or similar evidence can also be considered.

A distinction must be made between measures that

  • increase the failure safety of the critical IT components and / or

  • contribute as part of replacement measures to maintaining critical processes in the event of a failure of the IT infrastructure.

When selecting such measures, the German Federal Office for Information Security (BSI) explicitly recommends using existing standards and best practice recommendations in its guideline “Critical Infrastructure Protection: Risk Analysis Hospital IT”.

One existing standard recommended by the BSI is ISO 27002 as a guideline for information security management. The guidelines contain principles and orientation aids for the initiation, implementation, operation and improvement of information security management within an organisation.

A separate chapter is dedicated to the topic of access control. Access control means taking measures that give users controlled physical and / or logical access. Rules should be established according to which users only get the access they really need for their daily work (need-to-know principle).

The BAYOOSOFT Access Manager can support you in implementing these requirements. The automated software solution for transparent and easy-to-understand authorisation and identity management improves information security and conserves resources. Through the centralised and standardised administration of user and access rights, you also reduce potential error rates that can quickly arise through manual allocation.

Always know who has access to which data: Information security also arises when processes are traceable. In addition to a complete overview of all authorisations, the right software solution enables the automatic granting or revoking of access rights at the desired start and/or end times.

Maintaining an overview - not always easy!

Are you struggling with historically grown authorisation structures? Our experts support you by means of tool-supported analysis to identify possible weak points and evaluate them from a risk perspective.


Within the framework of the guidelines for the protection of critical infrastructures, the BSI also recommends controlling the assignment of passwords by means of a formal administration process. Directory systems with the single sign-on (SSO) function in particular promote medical workflows by granting users access after a single login. In this way, time-consuming multiple logins and careless handling of passwords can be avoided.

Password propagation enables users to operate various application systems with a master password. This is a self-service module that allows employees to manage their own passwords and at the same time significantly reduces the operational effort in the IT department.

The Password Reset module is already being used successfully by the University Hospital of Tübingen. Read the experience report here.


Conclusion

Access controls – physical as well as logical – enable information security management according to ISO 27002 in hospitals. Standardised authorisation management not only provides IT officers with an overview of existing access rights, but also relieves the IT department at the same time.

As an automated software solution for transparent and easy-to-understand authorisation management, the BAYOOSOFT Access Manager supports you at this point. In compliance with the IT Security Act, the user-friendly solution also offers flexibility, cost and time savings as well as audit-proof documentation.

Would you like to learn more about authorisation management and supporting tools?

Then get to know the BAYOOSOFT Access Manager now as part of a product presentation.

Do you have specific questions? Please feel free to use our contact form.
