
Risk management for IT networks with the BAYOOSOFT Risk Manager

CRITIS-Crux at hospitals

Hospitals with at least 30,000 fully inpatient treatment cases belong to the so-called critical infrastructures (BSI-CritisV Annex 5, table “Facility categories and threshold values”). They are therefore obliged to set up a contact point and must report IT security incidents (§ 8b (3) BSIG). To maintain the required security level and to establish the necessary processes and structures, organizational and technical measures must be taken at an early stage. A transition period for these hospitals is expressly not provided for.

What does CRITIS mean?

“Critical infrastructures (CRITIS) are organizations and facilities of major importance to the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruption to public safety or other dramatic consequences”.

According to the law, critical infrastructures include energy, information technology and telecommunications, transport and traffic, health, water, food, media and culture, government and administration, and finance and insurance.

Legal requirements for operators of critical infrastructures can be found in the law on the Federal Office for Information Security (BSIG). The law aims to improve the security of information technology systems in Germany. The sectors of state and administration as well as media and culture do not fall under the legal obligations.

If a hospital is classified as a critical infrastructure for two years in a row, the operator is obliged to provide evidence of the technical and organizational measures taken to prevent disruptions to the availability, integrity, authenticity and confidentiality of its IT systems, components or processes. Audits, certifications or similar proofs can serve as this evidence.

A distinction must be made between measures that contribute

  • to increasing the reliability of critical IT components

and / or

  • to replacement measures that maintain critical processes in the event of an IT infrastructure failure

As soon as it becomes critical

When selecting such measures, the Federal Office for Information Security explicitly recommends the use of existing standards and best practice recommendations in its guideline “Critical Infrastructure Protection: Hospital IT Risk Analysis”.

These include international standards as well as the technical standard IEC 80001-1 for the integration of medical devices in IT networks.

The standard IEC 80001-1 describes the state of the art with regard to risk management of IT networks and defines 3 protection goals:

  • Safety for patients and employees

  • Data and system security

  • Effectiveness (orderly and uninterrupted process flows)

The software module “Risk Management according to IEC 80001-1” of the BAYOOSOFT Risk Manager allows operators of critical infrastructures to fulfill exactly these regulatory requirements and to operate risk management that takes the protection goals into account over the entire life cycle of their IT networks.

Digression: ISO 27002

Another existing standard recommended by the BSI is ISO 27002 as a guideline for information security management. The guidelines contain principles and orientation aids for the initiation, implementation, operation and improvement of information security management within an organization.

A separate chapter is dedicated to the topic of access control. Access control means taking measures that give users controlled physical access (to premises) and/or logical access (to information). Rules and regulations are to be established to ensure that users only get the access they really need for their daily work (need-to-know principle). The allocation of passwords is also to be controlled by a formal administration process.

The BAYOOSOFT ACCESS MANAGER can support you in implementing these requirements. The automated software solution for transparent and easy-to-understand permission and identity management improves information security while at the same time significantly reducing the operational effort in the IT department through self-service.

The process-oriented solution helps you to free yourself from the document jungle and let the software do the documentation work as far as possible. At a central location you store all requirements to be mapped, such as those for the manufacturers of medical devices and network components, make changes and monitor the process.

The principle of risk analysis and measure management, proven in the context of ISO 14971 compliance, is carried over to reduce the possible hazards arising from the interconnection of IT networks and medical devices. The structured and field-tested user interface of the BAYOOSOFT Risk Manager supports you in detecting risks early. The self-learning system dynamically links information in a fine-grained manner and avoids redundant data storage.

Structured risk management

The standard also describes the role of an IT risk manager, who collects the information and documents it in the form of a risk management file and reports to the top management as the person responsible.

It is precisely here that specialists from IT, risk management and medical technology must work together and pool their respective competencies. Risk management for critical network structures focuses in particular on network reliability, data integrity and a strict assessment of risks. For the responsible risk managers, this is often uncharted territory, and there is a danger of losing track of the information and the contact persons involved.

“Thanks to the BAYOOSOFT Risk Manager we were able to avoid the time-consuming manual workload. The software guides us through the process without errors, you can’t deviate, you can’t forget anything and you get a perfect result”.

Knut Lauter

Klinikum rechts der Isar of the Technical University of Munich

The proven structure in BAYOOSOFT Risk Manager simplifies and professionalizes this work without compromising the security and proper documentation of IT networks. The software solution provides a fixed order for the recording of individual IT components and manufacturers as well as for the definition of change authorizations and monitoring activities. All requirements for your medical IT networks, as well as for communication and monitoring, are systematically recorded and permanently linked in a traceable manner. Special attention is paid to ensuring the three protection goals of safety, effectiveness, and data and system security.

Summary

As operators of critical infrastructures, clinics incur high personnel and organizational expenses for setting up a contact point, setting up a reporting system for IT security incidents, maintaining an appropriate security level and providing the necessary evidence.

At this point, the BAYOOSOFT Risk Manager supports you as a process accelerator to meet the requirements of IEC 80001-1 in an efficient and accurate way – of course taking into account the protection goals of safety for patients and employees, data and system security as well as effectiveness.

Instead of investing time in the form, you can concentrate on the content.

Learn more about using BAYOOSOFT Risk Manager in critical infrastructures!

Register now for one of our open webinars or an individual product presentation.
