C5 certificates are relevant for service providers and, where applicable, for medical device manufacturers. The German Digital Act (DigiG), which came into force at the beginning of 2024, redefines the requirements for cloud services in the healthcare sector.
This article explains the most important aspects of C5 certification for medical device manufacturers and service providers such as hospitals.
1. Basics of C5 certification
1.1 Objectives
The C5 criteria catalogue (Cloud Computing Compliance Criteria Catalogue) is a standard developed by the German Federal Office for Information Security (BSI). These criteria enable providers and customers to assess the IT security of cloud services.
The C5 standard also regulates how tests are to be carried out and the results reported.
Auditors may issue a C5 certificate upon successful completion of the test.
1.2 Structure of the criteria catalogue
The criteria catalogue comprises 17 subject areas with a total of 125 test criteria. Within each subject area, these are divided into basic criteria, which cover fundamental security, and additional criteria, which address increased protection requirements.

The subject area “Physical Security (PS)” requires as basic criteria that hazards such as “unauthorized access,” “insufficient air conditioning,” “water,” and “power failure” be “addressed.”
Additional criteria include, for example, "time constraints for self-sufficient operation in the event of exceptional events (e.g., prolonged power outage, heat waves, low water in cold river water supply) and maximum tolerable utility downtime."
1.3 Relation to other standards
The BSI derived the C5 criteria catalogue from the requirements of ISO 27001. The authority has published a cross-reference table between C5 and ISO 27001:2022 (only available in German).
ISO 27001 certification is neither necessary nor sufficient to comply with the requirements for a C5 audit. The conclusion provides more information.
However, the C5 Equivalence Regulation (only available in German) allows alternative evidence on a temporary basis:
- ISO/IEC 27001
- ISO 27001 with IT baseline protection
- Cloud Controls Matrix 4.0
The following are also required:
- Detailed action plan
- Gap documentation
- Implementation plan (max. 12 months)
- C5 Type 1 certificate within 18 months
- C5 Type 2 certificate within 24 months
2. Necessity of C5 certificates
§ 384 (6) SGB V defines the C5 certificate (C5-Testat) as follows:
The positive test result for a secure cloud computing service on the basis of the C5 criteria catalogue (Cloud Computing Compliance Criteria Catalogue) of the German Federal Office for Information Security in its currently valid version.
Translated from § 384 (6) SGB V
2.1 Legal requirements
§ 393 of the German Social Code, Book V (SGB V) is relevant for service providers/operators and, where applicable, manufacturers of medical devices. This section was added as a result of the German Digital Act (DigiG) and stipulates C5 certification for cloud services in the healthcare sector.
(1) Service providers within the meaning of Chapter IV and health insurance funds and long-term care insurance funds, as well as their respective processors, may also process social data and health data using cloud computing services, provided that the conditions set out in paragraphs (2) to (4) are met.
(3) Processing in accordance with paragraph (1) is only permitted if, in addition to the requirements of paragraph (2),
1. state-of-the-art technical and organizational measures have been taken to ensure information security,
2. a current C5 certificate has been issued to the data processing entity with regard to the C5 basic criteria for the cloud systems used in the context of the cloud computing service and the technology used, and
3. the corresponding criteria for customers contained in the test report of the certificate have been implemented.
In addition, § 393 (2) SGB V requires that data processing take place in the EU or in a country for which an "adequacy decision" has been issued in accordance with Article 45 of the General Data Protection Regulation. This territorial restriction is not found in the C5 criteria catalogue itself; it is a requirement of the law, not of the certificate.
2.2 Requirements for operators
2.2.1 Overview of requirements
According to § 393 (3) SGB V (quoted above), operators require a current C5 certificate if they process health data in the cloud or have it processed there. That would be the case, for example, if they
- operate medical information systems in the cloud,
- store medical data in the cloud, or
- use software as a service (SaaS) for health data.
A C5 Type 1 certificate is sufficient until June 30, 2025; after that date, a C5 Type 2 certificate is required. Alternative certificates or attestations with a comparable or higher level of security remain permitted.
A C5 Type 1 certificate refers to a single point in time and confirms that the controls were suitably designed and implemented at the time of the audit. A C5 Type 2 certificate refers to a defined audit period and additionally confirms that the controls operated effectively throughout that period. For an operator, a Type 2 certificate is therefore the stronger evidence: it shows not only that a control exists but that it actually worked.
Operators must, therefore, request these certificates from their providers. However, § 393 SGB V only requires the basic criteria; it does not insist that the additional criteria of the C5 criteria catalogue must also be met.
1. If subcontractors are used, both the main provider and the subcontracted cloud service provider must have a C5 certificate, or the main provider must integrate the subcontractor's assessment into its own C5 assessment. More information on this can be found below in the section on "carve-in and carve-out."
2. Operators must also comply with the requirements for technical and organizational measures in accordance with § 393 and § 391 SGB V.
2.2.2 Uncertainty about requirements
Legal experts currently disagree on whether a hospital needs a C5 certificate or whether it is sufficient to submit the cloud provider’s C5 certificate.
The answer to this question also depends on how the data processing entity is defined.
Arguments that the hospital itself needs a certificate
There are arguments in favor of the hospital (also) being considered a data processing entity, as paragraph (1) of § 393 SGB V stipulates that health service providers may only process data via cloud computing if certain requirements are met. These include the certificate.
It can also be argued that legislators generally want to protect the security of health data. Many hospitals need to catch up, which is why the C5 certification of the hospital itself is sensible and intended by the law.
Arguments that the hospital itself does NOT require a certificate
Others argue that the legislator only targets data processing by cloud computing service providers. That would be clear from paragraph (2) of § 393 SGB V, which restricts the locations at which data may be processed. Such a location restriction is only meaningful for cloud service providers, since the hospitals to which the law applies are located in Germany anyway.
The reasoning of the legislator itself would also show that the service provider’s certificate is sufficient (source):
“Within the framework of § 393 SGB V, companies wishing to use cloud-based IT applications may initially incur minor additional costs in the low five-digit range for carrying out a C5 test, provided that the specific provider of the cloud service does not already have a C5 certificate.”
Translated from Bundestag printed paper (BT-Drucksache) 20/9048, page 78
2.3 Requirements for manufacturers
2.3.1 Case distinction
The requirements for manufacturers depend on which case applies:
- In the first case, a manufacturer offers patients cloud-based software "as a service." In this case, the manufacturer itself may become an operator (see Fig. 1).
- In the second case, a manufacturer offers health service providers cloud-based software “as a service” (see Fig. 2).
- In the third case, a manufacturer sells or leases software to health service providers, which the health service providers themselves operate in the cloud (see Fig. 2).

Which of the three cases applies cannot be determined solely from where the software is developed, operated, and used; it depends on who is responsible for the processing. Therefore, manufacturers should clearly define the respective roles (operator, processor, subcontractor) in a contract with their customers.
2.3.2 Case 1: Manufacturer is also health service provider
A manufacturer of medical devices or IVDs that uses cloud computing services to provide a service to patients is directly affected: it is considered a health service provider and must meet the requirements of § 393 SGB V. Therefore, it must provide a C5 certificate or, if necessary, several C5 certificates.
§ 384 (5) SGB V defines a cloud computing service as follows:
A digital service that enables on-demand management and comprehensive remote access to a scalable and elastic pool of shared computing resources, even if these resources are distributed across multiple locations.
Translated from § 384 (5) SGB V
In the German healthcare system, health service providers include all groups of people who provide services for those insured by health insurance funds.
Example: A DiGA manufacturer that hosts the backend of its mobile app with a hyperscaler uses a cloud computing service within the meaning of the definition above. Operating its own server would not count as a cloud computing service.
If a manufacturer subcontracts a cloud service provider for its offering, it must either submit the latter's certificate or include the subcontractor (cloud service provider) in its own assessment and testing.
2.3.3 Case 2: Manufacturer offers his devices to health service providers as SaaS
If a manufacturer offers its software as a service, § 393 SGB V applies to it at least indirectly. This is because many of its customers, the health service providers, will require a C5 certificate from it. That means, for example, that the manufacturer must:
- search for vulnerabilities through static and dynamic code analysis, code reviews, and penetration tests by qualified external third parties (the latter is an additional criterion),
- actively look for vulnerabilities, including in the third-party libraries it uses, and inform customers about vulnerabilities found,
- specify the requirements its customers must meet for legally compliant operation, such as secure configuration,
- implement audit logs, and
- implement suitable authentication and authorization mechanisms.
If the manufacturer uses a cloud service for its SaaS offering, the cloud service provider is considered a subcontractor of the manufacturer. In this case, the manufacturer is directly affected and must submit a C5 certificate, including that of its cloud service provider if necessary. That is because § 393 SGB V only asks whether health data is processed with a cloud computing service, regardless of the contractual relationships.
The C5 criteria catalogue does not distinguish between the software development activities of cloud providers and those of manufacturers whose software is operated in the cloud.
2.3.4 Case 3: Manufacturer is not operator/health service provider
A manufacturer may also be indirectly affected if it sells devices that its customers, the health service providers, operate (or have operated) in a third-party cloud.
In this case, the manufacturer must develop and design its devices so that its customers can provide the necessary evidence. The requirements are, therefore, similar to those in case 2, even though the manufacturer does not have to comply with them itself.
2.3.5 Further requirements
MDR and IVDR require state-of-the-art IT security. For cloud-based devices, that makes the BSI C5 criteria catalogue virtually mandatory as a benchmark for the state of the art.
In addition, manufacturers should observe and comply with the future harmonized standard IEC 81001-5-1.
Manufacturers who want to market their devices in the US must comply with the FDA’s IT security requirements.
3. Practical implementation
3.1 Carve-in versus carve-out
If a data processing company that requires a C5 certificate subcontracts part of the data processing to another company, it has two options:
- Carve-in method (inclusive method): The company includes the subcontractor's controls in its own audit scope, i.e., it reviews the security measures both at its own premises and at the subcontractor's. That involves more effort but also gives the company complete control over what is audited.
- Carve-out method: The company excludes the subcontractor's controls from its own audit scope and refers to the subcontractor's own C5 certificate instead. The consequences are less effort but also greater dependence on the subcontractor's audit and its timing.
The C5 criteria catalogue describes the two variants in more detail.
3.2 Challenges and costs
The main challenges typically include:
- Complex coordination between multiple cloud service providers and integration of international service providers; the latter is particularly uncertain for providers based in the US.
- Requirements that go beyond ISO 27001 and a wide variety of certificates and attestations (e.g., BSI Grundschutz, ISO 27001, SOC2, Trusted Cloud)
- High documentation and continuous monitoring costs
- Availability of auditors who can issue the certificates
- Legal uncertainties and authorities or operators who, in case of doubt, request too many or too few C5 certificates
In most cases, operators have to coordinate several departments: purchasing, IT (e.g., CISO), and legal.
The costs also pose challenges. These arise from:
- External consulting
- Review, certification, testing
- Internal resources
- Ongoing monitoring
4. Conclusion and summary
4.1 Impact on health service providers
Health service providers must comply with the requirements of § 393 SGB V. Therefore, they must submit a C5 certificate from their cloud service provider. Medical device manufacturers can also be considered cloud service providers.
In addition, health service providers must observe territorial restrictions when selecting their cloud service provider.
Whether health service providers (hospitals) require their own certificates is still being discussed (see section 2.2.2). Therefore, they should follow the discussion closely.
In its free Medical Device Briefings, the Johner Institute provides weekly information on regulatory changes that affect both manufacturers and operators.
4.2 Impact on manufacturers of medical and IVD medical devices
Manufacturers must ensure absolute clarity regarding the role in which they offer their devices and services to operators. They must also be prepared for customer demands for a C5 certificate, regardless of whether these demands are justified.
C5 certification has become indispensable for manufacturers offering cloud services.
4.3 Impact on the healthcare system
The security of health data is important. So is providing patients with medical and IVD medical devices.
The additional requirements threaten to overwhelm smaller and medium-sized manufacturers and operators and tie up resources important for manufacturing devices and providing patient care.
"The enormous financial and organizational effort required to obtain a C5 certificate, especially for smaller companies and start-ups, is disproportionate to the benefits."
Translated from Bitkom
Wouldn’t ISO 27001 certification have been sufficient?
“A review of the C5 criteria catalogue in combination with the cross-reference tables created by the BSI shows that the BSI only finds a comparable or higher level of security in the referenced international standards in a few places. Furthermore, many criteria from C5 are not found in the referenced international standards.
Consequently, implementing the C5 criteria involves more work for a cloud provider than simply implementing an ISMS in accordance with ISO/IEC 27001, for example.”
Translated from the source
4.4 Impact on the political system
Auditors being given a prominent role may lead to suspicions that their representatives were involved in drafting the legislation. Such suspicions alone are harmful to confidence in the political system and the usefulness of the legal requirements.
A sharp criticism of the C5 criteria catalog can be found at Golem (only available in German).
The legislator has not taken up Bitkom’s targeted proposals (only available in German) on the C5 equivalence regulation.
The Johner Institute supports manufacturers in the legally compliant development and monitoring of their medical and IVD medical devices:
- Review to ensure that product requirements cover all regulatory requirements for IT security
- IT security risk analysis and threat modeling
- Penetration testing
- Reviewing, improving, and creating the standard operating procedures and work instructions necessary for IT security and setting up IT security management systems
Contact us to get further information.