Compliance

Hospitals & Critical Infrastructure: B3S, NIS-2 Extension, and Smart Use of KHZG Funds

SecTepe Editorial | 7 min read

German hospital CIOs in 2026 have a desk full of obligations: sector-specific security standard B3S, NIS-2 extension to all hospitals, mandatory ePA (electronic patient record) connection, KHZG funding usage proof, and – in the background – an undiminished ransomware wave against the sector since 2023.

The Regulatory Combination 2026

  • B3S Hospital (BSI-certified): mandatory for hospitals with 30,000+ inpatient cases per year, voluntary for smaller ones – but often a precondition for insurance coverage and auditor acceptance.
  • NIS-2 Implementation Act: extends critical infrastructure obligations to all hospitals, regardless of bed count. Management bodies (board, GmbH leadership) are personally responsible.
  • Patient Data Protection Act (PDSG) + ePA: technical connection obligations, authentication via TI connector, patient access rights digitally provable.
  • KHZG funds: federal funding program for cyber security with mandatory usage proof. 15 % of the funds must flow into IT security.

The Typical Hospital CIO Pain Points

1. Heterogeneous Device Landscape, Old Standards

MRI machines on Windows 7, OR robots on non-updateable Linux, patient monitoring on serial connections. The asset inventory is often incomplete, and protection-need ratings are rarely documented.

Solution with structured asset management: medical devices modeled as their own asset class, vendor contracts linked, patch status recorded realistically (often as "compensating control: network segmentation").

2. Ransomware Risk With Patient Safety Consequence

A surgery that cannot be performed because the patient record is encrypted is not an "IT incident"; it is patient harm with a liability dimension. NIS-2 Art. 23 demands an early warning within 24 h, which, while an OR program is running, must be documented before it can be discussed.

Solution with a 72 h crisis communication plan: prepared templates for patient information, an OR transfer workflow, and the regulator early warning rehearsed in the crisis team.

3. ePA Connection as Compliance Discipline

The TI connector links hospital IT with the gematik telematics infrastructure. Authentication via electronic health professional ID (eHBA), audit trail required for every patient data access. An integrated Keycloak IAM solution can include eHBA as a second factor – instead of maintaining three separate systems.

4. Supplier Risks in Clinic Operations

Lab providers, imaging cloud, nursing documentation as SaaS, medical device vendors with remote maintenance. Each is a potential entry path; NIS-2 Art. 21(2)(d) makes third-party risk management (TPRM) mandatory. A supplier portal with a self-service questionnaire dramatically cuts maintenance effort.

5. KHZG Usage Proof

Funds must be used for the specified purpose, with usage proof up to 6 months after disbursement. "Cyber security platform" as a collective line doesn't work – every investment needs a clear risk reduction justification. The risk register with treatment mapping delivers the required proof.

Recommended KHZG Investment Priority

  1. Asset inventory with protection-need rating – prerequisite for everything else; without this foundation, no clean B3S audit.
  2. Mail security with CAPE sandbox – phishing remains the main entry path into hospitals in 2026. CAPE detonates attachments automatically.
  3. Identity platform with eHBA integration – compliance + SSO + account lifecycle in one step.
  4. SIEM with forensic depth – ransomware forensics needs 12 months of logs, not 30 days.
  5. Risk management platform – B3S audit + KHZG usage proof + board reporting from one source.

How a Platform Solution Addresses the Sector

SecTepe.Core delivers the ISMS and risk management foundation, SecTepe.Comm the operational security tooling. Both are self-hosted in the hospital's own data center or with a German municipal hoster. Patient data never leaves the house. Multiple hospitals of one carrier can share central tooling without data flowing between them.

Realistic Setup Expectation

  • 200-bed hospital, medium IT maturity: 6 months B3S foundation, 12 months B3S audit readiness, ~€120 k initial platform investment (KHZG-eligible).
  • Hospital network with 5 sites: 9 months parallel foundation, 15 months network-wide audit program, ~€250 k initial – but per site significantly cheaper.

Compliance Mapping

  • B3S Hospital (BSI-certified): 5 protection objectives, 30+ requirements, 2-year audit cycle.
  • NIS-2 Art. 20–23: management duty + minimum measures + 24h early warning.
  • SGB V §75c, PDSG: TI connection, ePA obligations, eHBA authentication.
  • KHZG funding category 10: IT security, with usage proof.
  • ISO 27001: often required by insurers and carrier audits.

Conclusion

Hospitals in 2026 stand in a regulatory combo wave that can no longer be solved with Excel and good intentions. An integrated ISMS and security platform, smartly prioritized with KHZG funds, covers B3S, NIS-2, and ePA requirements from one source – and simultaneously reduces ransomware risk with patient safety implications.