BSI: IT security check of medical practices



The BSI's Health Situation Report 2022 shows that the security situation within the network of the telematics infrastructure (TI) is very good thanks to strict specifications. But what about IT security in the medical practices connected to it? The BSI is launching new research projects to find out.

The strict controls and specifications of the telematics infrastructure have kept the number of security incidents in this area very low. The BSI's Health Situation Report 2022 describes the structure and the specifications of the telematics infrastructure. The security situation in the networks connected to it, such as the network of a doctor's office, has so far hardly been surveyed, even though it is essential for the processing of sensitive health data and for patient safety.


BSI: Security project check for medical practices

Cyber security in healthcare 2022 (image: BSI).

For this reason, the Federal Office for Information Security (BSI) has started three new projects to take a closer look at the current state of IT security in medical practices.

Project 1: CyberPraxMed

The CyberPraxMed project uses a survey to record the network structure and the equipment of typical medical practices and to assess the resulting security risks. In particular, the statistics are to answer how often the TI connector is run in parallel operation alongside a conventional, privately procured router rather than in series operation. In series operation the connector sits between the practice network and the internet router, so all traffic to and from the practice network passes through it; in parallel operation it is merely another device on the practice LAN, the practice computers reach the internet directly through the router, and the connector is unable to fully develop its protective effect.



In addition, the level of IT security expertise of the practice staff, the doctors themselves and any commissioned IT service provider is to be determined. Correlations between IT security and the size of the practice, the type of practice and its geographical location are also to be examined.

Project 2: SiPra

Complementing the survey of security in medical practices, the SiPra project is dedicated to the IT security of practice management systems (PVS). Its aim is to assess how securely various market-relevant PVS can be operated. The result is to be an up-to-date overview of the German market situation, including the IT security measures currently built into the PVS and configuration recommendations for the service providers that deploy them.

The two projects are supplemented by a survey started in 2023 as part of the SiRiPrax project. This project is based on the BSI's statutory task of regularly reviewing and updating the IT security guideline under Section 75b SGB V, which the BSI drew up in 2020 together with the National Association of Statutory Health Insurance Physicians (KBV) and the National Association of Statutory Health Insurance Dentists (KZBV). The aim is to strengthen IT security for practice-based doctors, dentists and psychotherapists in a lasting way.

Project 3: Online survey

An online survey of medical practices records how far the requirements of the IT security guideline under Section 75b SGB V have been implemented and where implementation difficulties arise. At the same time, basic parameters of the IT security of the participating practices are analyzed. The results serve to develop the guideline further and to formulate concrete recommendations for action for service providers.

The results from these three projects enable the BSI to improve IT security in medical practices in a targeted manner through appropriate recommendations and specifications and thus make an essential contribution to the digitization of the healthcare system.



About the Federal Office for Information Security (BSI)

The Federal Office for Information Security (BSI) is the federal cyber security authority and the shaper of secure digitalization in Germany. Its guiding principle: as the federal cyber security authority, the BSI shapes information security in digitalization through prevention, detection and response for the state, the economy and society.

