MarketplaceCommunityDEENDEENProductsCore ServicesRoadmapRelease NotesService descriptionCertifications and attestationsPrivate CloudManaged ServicesBenefitsSecurity/DSGVOSustainabilityOpenStackMarket leaderPricesPricing modelsComputing & ContainersStorageNetworkDatabase & AnalysisSecurityManagement & ApplicationsPrice calculatorSolutionsIndustriesHealthcarePublic SectorScience and researchAutomotiveMedia and broadcastingRetailUse CasesArtificial intelligenceHigh Performance ComputingBig data and analyticsInternet of ThingsDisaster RecoveryData StorageTurnkey solutionsTelekom cloud solutionsPartner cloud solutionsSwiss Open Telekom CloudReferencesPartnerCIRCLE PartnerTECH PartnerBecome a partnerAcademyTraining & certificationsEssentials trainingFundamentals training coursePractitioner online self-trainingArchitect training courseCertificationsCommunityCommunity blogsCommunity eventsLibraryStudies and whitepaperWebinarsBusiness NavigatorMarketplaceSupportSupport from expertsAI chatbotShared ResponsibilityGuidelines for Security Testing (Penetration Tests)Mobile AppHelp toolsFirst stepsTutorialStatus DashboardFAQTechnical documentationNewsBlogFairs & eventsTrade pressPress inquiriesMarketplaceCommunity

0800 3304477 24 hours a day, seven days a week

Write an E-mail 

Book now and claim starting credit of EUR 250
ProductsCore ServicesPrivate CloudManaged ServicesBenefitsPricesPricing modelsPrice calculatorSolutionsIndustriesUse CasesTurnkey solutionsSwiss Open Telekom CloudReferencesPartnerCIRCLE PartnerTECH PartnerBecome a partnerAcademyTraining & certificationsCommunityLibraryBusiness NavigatorMarketplaceSupportSupport from expertsHelp toolsTechnical documentationNewsBlogFairs & eventsTrade pressPress inquiries
  • 0800 330447724 hours a day, seven days a week
  • Write an E-mail 
Book now and claim starting credit of EUR 250

Cloud for health – BSI C5:2020 is the benchmark

by Redaktion
Illustration of Cloud for Health - BSI C5:2020 is the benchmark
The Digital Act makes it possible for the healthcare sector to use the cloud.
 

In this article you can read,

  • how the Digital Act (DigiG) enables companies in the healthcare sector to use the cloud,
  • what companies need to consider when using the cloud, 
  • and why the Open Telekom Cloud is a good choice for the healthcare industry.


The cloud is becoming increasingly popular in regulated sectors. In December 2022, the BSI (German Federal Office for Information Security) issued guidelines for the use of external cloud services within public administration, in the first quarter of 2024, the healthcare sector has followed suit: the draft law “to accelerate the digitalization of the healthcare sector” (Digital Act, DigiG) now explicitly permits the use of the cloud for organizations in healthcare (which was previously prohibited). 

Minimum standards or BSI C5:2020?

While the “BSI minimum standards” are decisive in the public sector, the legislator has opted for the C5 criteria catalog in the healthcare environment. Certification in accordance with BSI C5:2020 is the decisive criterion there. It seems as if two different standards are being established for the different sectors. But which certification or audit is better?

The answer is simpler than it first appears. Daniel Fussy, the security expert at Open Telekom Cloud: “If you look at the relevant documents, it becomes clear: BSI C5:2020 is the measure of all things”.

The BSI's minimum standards for the public sector actually do not require IT baseline protection certification, but refer to BSI C5:2020, e.g., in the comments on the planning and procurement phases. The “Security guideline for external cloud services” (NCD.2.1.02) explains: “The (note: cloud-using) institution MUST define in this security guideline at least the implementation of and compliance with the basic criteria according to the Cloud Computing Compliance Criteria Catalogue - C5 as special security requirements for the cloud service provider”. The procurement phase requires: “This security evidence SHOULD at least include appropriate and effective compliance with the basic criteria according to C5 ... and MAY be provided by the cloud service provider through the regular provision of up-to-date type 2 C5 reporting”.

Type 1 or type 2?

One thing is clear: Organizations that want to use the cloud should make sure they are audited in accordance with BSI C5:2020. But BSI C5 is not BSI C5. It is important to take a second look. As with many other audits and certifications, the BSI C5 attestation from an auditor comes in two variants: Type 1 and Type 2. Currently (until July 2025), only a Type 1 attestation is required for the healthcare industry. With this trick, the legislator is giving healthcare companies a breather in the context of the short implementation period. The type 1 certificate essentially comprises a self-declaration by the cloud provider. This states that they have concepts, agreements and processes in place that meet the IT security requirements.

“The type 2 certificate is much more meaningful in terms of the effectiveness of the security measures and controls. While type 1 is at PowerPoint level, in a type 2 audit the auditor examines all these statements and checks their implementation,” says Fussy. Such an audit usually takes three months and results in a 200-page audit report. The in-depth sampling checks cover technology, but also management processes and personnel.

 
Daniel Fussy, Security & Privacy Consultant bei T-Systems
 

The BSI C5:2020 Type 2 report is currently the highest quality test and best proof of effective and efficient cloud security management. It is only issued if the cloud provider is successful in all tested criteria.

– Daniel Fussy, Security & Privacy Consultant at T-Systems

Long-term planning: attach importance to BSI 
C5:2020 Type 2

Although the Digital Act (DigiG) currently only requires the corresponding type 1 certificate, the requirements will increase in 2025: Type 2 certification will then become mandatory. Cloud users in the healthcare sector should therefore think about the future and choose a cloud provider now that meets the requirements of BSI C5:2020 Type 2 and can prove that it renews the certificate annually. This gives them long-term planning security.

“The Open Telekom Cloud has been audited according to C5 Type 2 since 2018,” explains Fussy, ”this was necessary in order to be approved as an operating platform for the Corona Warn App. Since then, we have met the current requirements every year and received the certificate”. In addition to this strong standard, the Open Telekom Cloud also meets the requirements of professional secrecy holders in accordance with §203 StGB and the requirements for social data processing in accordance with §35 SGB I.


This content might also interest you
 

A woman and a man hold a tablet together on which an evaluation is displayed

Secure cloud for social service providers

Social service providers can host data that falls under the social service data secrecy law in the Open Telekom Cloud as standard.

 
Representation of a European flag with a lock icon in the center of the stars

Sovereign with a European Cloud

European companies that want to position themselves for the digital future are increasingly incorporating sovereignty aspects into their decision-making.

 
Digital cloud symbolizes IT security thanks to BSI C5 certification

BSI minimum requirements for external cloud deployment

IT security for public institutions: The Open Telekom Cloud meets the minimum requirements of the BSI for external cloud providers in public administration.

The Open Telekom Cloud Community

This is where users, developers and product owners meet to help each other, share knowledge and discuss.

Discover now

Free expert hotline

Our certified cloud experts provide you with personal service free of charge.

 0800 3304477 (from Germany)

 +800 33044770 (from abroad)

 24 hours a day, seven days a week

Write an E-Mail

Our customer service is available free of charge via E-Mail

Write an E-Mail

AIssistant Cloudia

Our AI-powered search helps with your cloud needs.