By Miriam Friedmann
C5 certification: why it is essential for hospitals
The security of sensitive healthcare data should be a top priority for hospitals; the keywords here are data protection and data security. If they have not protected their data in accordance with the law, they must expect serious legal consequences, in addition to reputational damage, at the latest when a data breach occurs. Against this background, hospitals have often been hesitant to adopt modern cloud solutions because their security was in question. The C5 certificate, which is mandatory for cloud solutions in the healthcare sector, now provides proof of that security. Hospitals can reconcile modern technology with data security and implement robust IT security strategies using cloud solutions.

KRITIS companies in particular should keep an eye on C5 testing in 2025. The upcoming KRITIS audit will directly reveal whether and how they protect sensitive patient data, not just within their own infrastructure but along the entire data pathway from the operating theater to the patient.
This is a massive task for any IT department and for management, so outsourcing approaches are very welcome. C5-certified cloud providers play an important role here, as the certificate is based on the KRITIS requirements. Conversely, hospitals also need to check whether all cloud applications already in use are C5-certified, since this is mandatory in the healthcare sector.
Telepaxx Medical Data has already successfully completed the C5 attestation as one of the first cloud providers for health data in Germany.
But what exactly is this C5 certification, why is it so important for the healthcare industry, and what benefits does it offer hospitals in particular? In this article, we answer the questions we encountered most frequently during the testing process and that matter to hospital decision-makers and IT managers.
Why is C5 certification important for hospitals?
Hospitals manage an enormous amount of confidential data, including patient records and medical image data. Working with a C5-certified cloud provider not only offers protection against cyber attacks, but also legal and regulatory security. With the Federal Ministry of Health's Digital Act, all cloud services in the healthcare sector must provide proof of C5 certification.
The next KRITIS audits are due in 2025. All KRITIS hospitals with a cloud connection will then have to prove that their cloud partner meets the C5 criteria. This means that if a hospital stores or processes sensitive patient data with an external provider, it must be able to prove that the data is secured there in accordance with the C5 criteria catalog.
Hospitals can check this using the C5 test report, which they can request from their cloud service providers at any time and from which they can transparently see which C5 criteria are met and how well. We are happy to send our customers the Telepaxx C5 test certificate.
What is the C5 certificate?
C5 is a testing standard that defines the security requirements for cloud services and is used in all sectors. The German Federal Office for Information Security (BSI) has developed the extensive and extremely detailed C5 criteria catalog for this purpose. On 132 pages, it lists all the security measures that need to be taken to make the processing of data using cloud technology as secure as possible.
However, the C5 certificate is not just a seal of approval but a detailed attestation. It evaluates the company's performance in 17 areas. These include, for example, the organization of information security (OIS), security policies and procedures (SP), asset management (AM), cryptography and key management (CRY), communication security (COS) and the handling of security incidents (SIM).
Within each area, highly specialized auditors check and analyse the criteria defined down to the smallest detail on site at the company.
The C5 criteria catalog therefore goes far beyond the general requirements of ISO certification 27001, which has been the standard in the healthcare sector to date.
Cloud providers that can provide evidence of C5 certification or the C5 test certificate therefore fulfill security measures in accordance with the highest legal standards. During the certification process, experts systematically check all processes and their technical implementation according to the requirements of the C5 criteria catalog.
How does C5 certification work?
To obtain the C5 certificate, an auditor spends several days combing through the processes, guidelines and implementation of all the requirements of the C5 criteria catalog. If the tested company fulfills a criterion, the auditors record this. If implementation according to the C5 criteria has not yet been completed, the auditors transparently note the current status and what the company is doing to fully meet the criterion as soon as possible.
The certified cloud providers then receive the official C5 test report as a PDF if the auditors come to the conclusion that the provider fulfills the requirements sufficiently well. Customers can request this PDF at any time. In our example, these are currently mainly hospitals and radiologists in private practice.
This means that our customers now have a standardized overview created by a neutral authority as to whether we meet all requirements in terms of information security and data protection when processing data in the cloud. This strengthens trust and also protects our customers from legal risks.
Conclusion: Why hospitals should rely on C5-certified providers
The C5 certificate is more than a simple security standard: it is an official seal of quality for cloud service providers that meet the highest standards of information security and data protection. At the same time, it offers maximum transparency through the detailed test report, which customers of these cloud service providers can request as a PDF file at any time.
Hospitals that work with C5-certified providers benefit from maximum data security, transparency and compliance. The result: a secure IT infrastructure that protects patients and hospital staff alike.
Interested in how Telepaxx can support you with its C5-tested software solutions for medical image data management? Contact us for more information about our certified cloud solutions.
Examples of the level of detail in the C5 catalog compared to ISO 27001
The C5 criteria catalog defines specific measures and processes that cloud providers must implement in order to meet the highest security standards.
Example 1: The communication of sensitive data, for example from a server in the hospital to the data center.
- Among other things, the C5 catalog explicitly requires data traffic for administration and monitoring to run in separate networks. In addition, approved network and application protocols must be explicitly defined and regularly checked.
- For comparison: ISO 27001 only generally requires that information services and users should be separated from each other in the network.
Example 2: Product security, in particular the confidentiality of authentication information.
- For example, the C5 criteria contain precise requirements for passwords and their management.
- For comparison: ISO 27001 only stipulates that authentication information should be controlled by a management process.
FAQs
Many well-known cloud providers, including market leaders such as Amazon Web Services (AWS) and specialized providers for the healthcare sector such as Telepaxx or doctolib, have C5 certification. However, there are also many software providers that do not yet have the certificate - because they do not meet the criteria or the implementation period was too short.
Hospitals do not need their own certification. However, KRITIS audits for the healthcare sector are due in 2025. By then at the latest, KRITIS hospitals will have to prove that their cloud service providers have a C5 certificate. All other healthcare facilities are also obliged under the DigiG to only use C5-tested cloud solutions.
A C5 certificate is usually valid for one year. After that, a new audit must be carried out.
Cloud providers must undergo an independent audit in which they demonstrate that they meet the requirements of the C5 criteria catalog. For the healthcare sector, the DigiG stipulates that only auditing companies may issue C5 certificates for cloud solutions in the healthcare sector. Customers can request the certificate from their cloud provider at any time.
The C5 audit is the audit process in which independent auditors check compliance with the C5 criteria catalog.