On 18 September 2020, the German Federal Government (Bundestag) passed the Hospital Future Act (Krankenhauszukunftsgesetz or KHZG) to support the digitalization of the national healthcare system. The law makes EUR 3 billion available for this purpose through an associated financing program, the Hospital Future Fund (Krankenhauszukunftsfonds or KHZF) set up by the Federal Office for Social Security (BAS). A further EUR 1.3 billion will be provided through co-funding by federal states and hospital operators themselves.
All hospitals included in a German state’s hospital plan can apply for KHZG funding. University hospitals can also submit a request, but only 10% of the resources available to the state can be allocated to projects involving university hospitals. KRITIS facilities that are considered part of critical infrastructure are excluded from KHZG funding as they are already eligible for IT security funding through the Hospital Structural Fund. Private hospitals cannot apply either.
Projects Eligible for KHZG Funding
There are eleven categories of projects considered eligible for KHZG funding:
- Modernization of hospital emergency room technical/IT equipment
- Development of patient portals for digital admission and discharge management
- Introduction of electronic documentation of care and treatment services
- Establishment of partially or fully automated clinical decision support systems
- Digital medication management systems
- Introduction of in-hospital digital processes for requesting services
- Implementation of cloud computing systems and coordination of services offered by several hospitals through joint service structures
- Digital bed management systems to improve collaboration between hospitals and other care facilities
- The procurement, expansion or development of information technology, communication technology and robotics-based facilities, systems or processes needed for treating patients and establishing telemedical network structures
- The procurement, expansion or development of information technology or communication technology equipment, systems or methods to avoid disruptions to availability, integrity and confidentiality of information technology systems, components or processes which are necessary for the functionality of a hospital and the security of the processed patient information
- Adaptation of patient rooms to special treatment requirements in the event of an epidemic.
Application for KHZG funding has been open since the Hospital Future Act was passed in September 2020. German hospitals and clinical care facilities have until 31 December 2021 to submit their applications for funding at the state level. At least 15% of the funding requested must be used to improve IT security.
Hospitals’ digital maturity was evaluated on 30 June 2021 and will be assessed again on 30 June 2023. The aim of these evaluations is to determine whether the investment program has improved the digital maturity of hospitals receiving funding and created incentives for further digitalization.
While there is no deadline for the implementation of the projects that receive funding, hospitals will face a penalty of 2% on the invoice amount for every full and partial inpatient case starting 1 January 2025. To avoid penalties, hospitals should therefore finalize their digitalization projects until 31 December 2024.
Data Protection and the Hospital Future Act
While digitalization brings with it a wealth of benefits for both hospitals and their patients, it also means healthcare facilities in Germany will have to face the risks that come with it. Digital patient records are more vulnerable to theft and loss than physical records and, as a consequence, are protected under various data protection laws. Hospitals undergoing digitalization will therefore face a further challenge: compliance.
In Germany, personal information is protected under the EU’s General Data Protection Regulation and its national complementary law, the German Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG). Hospitals are subject to further data protection regulations under State laws and health sector-specific legislation such as the German Medicines Act, the Patient Data Protection Act or the Social Security Code. Noncompliance can lead to heavy fines and reputational damage. It is therefore important for hospitals to think ahead when putting together their digitalization plans.
Using Data Loss Prevention to Protect Digital Patient Information
Data Loss Prevention (DLP) solutions have become an essential part of companies’ data protection and compliance efforts. They often come with predefined profiles for specific data protection legislation such as GDPR, but also for particular categories of sensitive data such as personally identifiable information (PII) or health records. Hospitals can also customize these definitions depending on their needs. Once definitions are in place, policies that identify, monitor and control sensitive data can be applied.
DLP solutions allow hospitals to ensure that sensitive data is blocked from being transferred outside the hospital network or via insecure channels such as messaging apps, personal emails or file-sharing services. DLP also comes with device control features that allow hospitals to block employees or outsiders from copying sensitive files onto removable devices. This can be done by blocking USB and peripheral ports as well as Bluetooth connections or limiting their use to pre-approved devices.
Some DLP solutions like Endpoint Protector also come with an enforced encryption module that ensures that any data copied onto USB devices will be automatically encrypted with 256bit AES CBC-mode encryption. Admins also have the option of resetting passwords in case they have been compromised and wiping USBs remotely by resetting the device, erasing all the files on them. Easy to use and highly efficient, such solutions ensure that any USB stolen or lost will not be accessed by third parties.
Procurement of data protection solutions can easily be included in funding applications under KHZG’s 10th project eligibility criteria that includes the procurement, expansion or development of information technology, systems or methods that are necessary for the security of processed patient information. Data protection plays a crucial role in the implementation of KHZG and is a way of securing new digital health records resulting from it against future risk of theft or loss.
Explore More on Compliance
Interested in diving deeper into the world of Compliance? Check out these hand-picked resources to expand your knowledge:
Download our free ebook on
Data Loss Prevention Best Practices
Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.