Cloud for health – BSI C5:2020 is the benchmark

by Redaktion
The Digital Act makes it possible for the healthcare sector to use the cloud.

In this article you can read,

  • how the Digital Act (DigiG) enables companies in the healthcare sector to use the cloud,
  • what companies need to consider when using the cloud, 
  • and why the Open Telekom Cloud is a good choice for the healthcare industry.


The cloud is becoming increasingly popular in regulated sectors. In December 2022, the BSI (German Federal Office for Information Security) issued guidelines for the use of external cloud services within public administration. In the first quarter of 2024, the healthcare sector followed suit: the draft law “to accelerate the digitalization of the healthcare sector” (Digital Act, DigiG) now explicitly permits the use of the cloud for organizations in healthcare, which was previously prohibited.

Minimum standards or BSI C5:2020?

While the “BSI minimum standards” are decisive in the public sector, the legislator has opted for the C5 criteria catalog in the healthcare environment. Certification in accordance with BSI C5:2020 is the decisive criterion there. It seems as if two different standards are being established for the different sectors. But which certification or audit is better?

The answer is simpler than it first appears. Daniel Fussy, security expert at Open Telekom Cloud, puts it this way: “If you look at the relevant documents, it becomes clear: BSI C5:2020 is the measure of all things.”

The BSI's minimum standards for the public sector do not actually require IT baseline protection certification, but refer to BSI C5:2020, e.g., in the comments on the planning and procurement phases. The “Security guideline for external cloud services” (NCD.2.1.02) explains: “The (note: cloud-using) institution MUST define in this security guideline at least the implementation of and compliance with the basic criteria according to the Cloud Computing Compliance Criteria Catalogue - C5 as special security requirements for the cloud service provider.” The procurement phase requires: “This security evidence SHOULD at least include appropriate and effective compliance with the basic criteria according to C5 ... and MAY be provided by the cloud service provider through the regular provision of up-to-date type 2 C5 reporting.”

Type 1 or type 2?

One thing is clear: Organizations that want to use the cloud should make sure their provider is audited in accordance with BSI C5:2020. But BSI C5 is not BSI C5. It is important to take a second look. As with many other audits and certifications, the BSI C5 attestation from an auditor comes in two variants: Type 1 and Type 2. Currently (until July 2025), only a Type 1 attestation is required for the healthcare industry. With this concession, the legislator is giving healthcare companies a breather in view of the short implementation period. The Type 1 certificate essentially comprises a self-declaration by the cloud provider. It states that the provider has concepts, agreements and processes in place that meet the IT security requirements.

“The type 2 certificate is much more meaningful in terms of the effectiveness of the security measures and controls. While type 1 is at PowerPoint level, in a type 2 audit the auditor examines all these statements and checks their implementation,” says Fussy. Such an audit usually takes three months and results in a 200-page audit report. The in-depth sampling checks cover technology, but also management processes and personnel.

Daniel Fussy, Security & Privacy Consultant at T-Systems

The BSI C5:2020 Type 2 report is currently the highest quality test and best proof of effective and efficient cloud security management. It is only issued if the cloud provider is successful in all tested criteria.

– Daniel Fussy, Security & Privacy Consultant at T-Systems

Long-term planning: attach importance to BSI C5:2020 Type 2

Although the Digital Act (DigiG) currently only requires the corresponding type 1 certificate, the requirements will increase in 2025: Type 2 certification will then become mandatory. Cloud users in the healthcare sector should therefore think about the future and choose a cloud provider now that meets the requirements of BSI C5:2020 Type 2 and can prove that it renews the certificate annually. This gives them long-term planning security.

“The Open Telekom Cloud has been audited according to C5 Type 2 since 2018,” explains Fussy. “This was necessary in order to be approved as an operating platform for the Corona Warn App. Since then, we have met the current requirements every year and received the certificate.” In addition to this strong standard, the Open Telekom Cloud also meets the requirements of professional secrecy holders in accordance with §203 StGB and the requirements for social data processing in accordance with §35 SGB I.
