The Hospital Future Act: Multi-Billion Grants for IT Security

There is good reason why erectile dysfunction, nose jobs and diagnostic findings should be treated with confidentiality. The problem is that hospital servers, if not sufficiently protected against hacker attacks or data theft, are not as discreet as your regular physician. As medical technology advances, the risk of sensitive patient data falling into the wrong hands is also increasing.

Enough is enough, says Health Minister Jens Spahn. With the Hospital Future Act (Krankenhauszukunftsgesetz or KHZG), the German government has approved billions in subsidies for the expansion of digital services and IT security in German hospitals.

The Hospital Future Act in 2023

The Hospital Future Act (KHZG) is the implementation of the project Future Program for Hospitals (“Zukunftsprogramm Krankenhäuser”), which was passed on June 3, 2020. The coalition’s primary goal is to support hospitals in building modern emergency response capacities and accelerating the adoption of digital processes and services.

The federal government is providing 3 billion euro for the funding period, while the states contribute a further 1.3 billion euro. The Hospital Future Fund (Krankenhauszukunftsfonds, KHZF), which is being set up for this purpose at the Federal Office for Social Security, will thus provide a total of 4.3 billion euro in funding for 2020/21.

In the grant process, hospitals first submit their applications to the state government, which reviews them and submits them to the Federal Health Ministry on the hospitals' behalf. Applications can be submitted from September 2, 2020 until December 31, 2021 at the latest. Payments will be made no earlier than January 1, 2021.

According to the latest statistics provided by the German health ministry, there were over 6,000 applications for government funding made through the Hospital Future Act, with digital record keeping, web portals for patients and IT security seeing the most interest.

As of January 2023, roughly 2.9 billion euro in project funds have been approved. However, many hospitals and boards report significant delays in the payout process. Any funds not claimed or not spent will be reclaimed by the German government in 2023.

Hospital Future Act – Funding Tied to IT Security

Eligible for funding are investments in modern emergency facilities, necessary HR measures and the establishment or expansion of digital infrastructures (e.g. patient portals, digital medication management, electronic documentation of care and treatment services, etc.). However, the 4.3 billion euro aid package is specifically tied to the funding of IT security.

Hospitals are only eligible to receive funding from the grant pool if they spend at least 15 percent of the money on improving IT security. What the German government is trying to achieve here is to prevent employees from being able to steal data, as happened in a hospital in The Hague in 2018.

IT Security in Critical Infrastructures (KRITIS-Environments)

This decision by the federal government finally addresses a problem that had already attracted media attention at the beginning of the year and has since become even more evident in the wake of the corona crisis: the lack of adequate cybersecurity in many German hospitals.

Only in February, Andreas Sachs of the Bavarian State Office for Data Protection Supervision raised concern about the poor organization of IT security in individual hospitals (source only available in German) – despite the fact that clinics with an inpatient number of 30,000 or more per year are required to conform their IT security measures to an industry-specific security standard (B3S), as defined by the German Hospital Association for critical healthcare facilities.

Secure Protection for MIS

Every hospital must strive to protect patient data from being accessed by unauthorized persons. Any measures intended to improve IT security must therefore kick in precisely where the sensitive information is being recorded: in the medical information systems (MIS). Disruptions to central MIS infrastructure components or connected IT/medical technology/departmental subsystems may also lead to disruptions in the medical treatment process. That is why it is so important to ensure MIS are well-protected.

With all of this in mind, it may be worth considering investing in a structured Identity and Access Management system. Identity and access management software such as tenfold manages IT users and access rights centrally, which significantly minimizes the risk of data abuse in your company, while process automation ensures that personnel costs and the rate of errors are massively reduced as well.

Compensation for Damages Caused by Corona Pandemic

The Hospital Future Act does not solely address the issue of cybersecurity and digitalization. While investing in the improvement of care, treatment and documentation structures, as well as the protection of patient data, the German government also recognizes the need to compensate Germany’s hospitals for some of the financial damages caused by the corona crisis.

On request by each individual hospital, the losses will be determined and compensated individually in negotiations with the cost units. The assessment will be made on the basis of the proceeds from the previous year.

Furthermore, hospitals will be able to apply for surcharges for additional expenses incurred in connection with the corona pandemic (e.g. costs for protective equipment or similar) that could not be covered by other means, between October 1, 2020, and the end of 2021.

About the Author: Nele Nikolaisen

Nele Nikolaisen is a content manager at tenfold. She is also a book lover, cineaste and passionate collector of curiosities.