Digitalization in the healthcare sector is advancing. Hospitals, physicians and health insurance companies are increasingly relying on cloud solutions to manage data efficiently and in compliance with data protection regulations as well as to work together securely. This also increases the responsibility of cloud providers: They must meet high security standards in order to protect sensitive healthcare data.
With the Act to Accelerate the Digitization of the Healthcare System ("DigiG" in Germany), the legislator has set the course for companies and organizations in the healthcare sector. The message is clear: a cloud service that processes health or social data for healthcare providers or health insurance funds must hold a current C5 certificate based on the Cloud Computing Compliance Criteria Catalogue (C5) of the German Federal Office for Information Security (BSI). The requirement is laid down in Section 393 of the fifth German Social Code (SGB V).
The requirement has applied since July 1, 2024 and is tightened again on July 1, 2025, when a Type 2 certificate becomes mandatory. What the C5 certificate means for the healthcare sector, who is affected by this obligation and why Stackfield is already a secure choice for the healthcare sector as a collaboration tool is discussed in the following article.
What does the C5 certificate obligation mean for the healthcare sector?
Cloud services such as practice management or project management software have become an integral part of the healthcare sector. They enable fast and flexible data processing, but also entail risks. To ensure the security of IT systems, the DigiG (Section 393 SGB V) therefore requires standardized proof in the form of a C5 certificate. The name refers to the Cloud Computing Compliance Criteria Catalogue (C5) of the BSI, which defines binding minimum requirements for cloud providers. Strictly speaking, the "certificate" is an attestation report (C5-Testat): an independent auditor examines the provider against the C5 criteria and issues the report. The BSI publishes the catalogue but does not itself certify individual providers.
This certificate is intended to provide reliable proof that providers have taken appropriate technical and organizational measures to protect health data from unauthorized access. The legal anchoring creates transparency and makes it easier for healthcare organizations to select a secure cloud service provider.
Why is personal data in the healthcare sector particularly worthy of protection?
Medical data is some of the most sensitive information that can be processed. It contains personal and often intimate details about illnesses, treatments or genetic conditions. Unauthorized access or misuse can have serious consequences – both for the individuals concerned as well as for the trust in the healthcare system.
The General Data Protection Regulation (GDPR) classifies medical data as a special category of personal data. This means that particularly strict protective measures apply to its processing. According to Article 9 GDPR, the processing of such data is generally prohibited – unless the data subject has given their express consent or a legal exception applies.
Why is this protection so important?
- Risk of misuse: Medical data could be used for discrimination – by insurance companies or employers, for example. An unsecured cloud infrastructure increases the risk of data leaks and cyberattacks.
- Obligation of confidentiality and integrity: According to Article 32 GDPR, controllers and processors must take technical and organizational measures appropriate to the risk in order to protect data against unauthorized access, loss or manipulation. A C5 certificate helps a cloud provider implement these requirements and demonstrate to its customers, for a defined reporting period, that the measures were in place.
- High fines for violations: Data protection violations can be punished with fines of up to 20 million euros or four percent of annual global turnover, whichever is higher, in accordance with Article 83 GDPR. Companies in the healthcare sector must therefore ensure that their cloud service providers meet the highest security standards.
Who is affected by this legal obligation?
Section 393 of the fifth German Social Code (SGB V) defines who is covered by the rules on cloud use in the healthcare sector: service providers, the health insurance funds and the processors that act on their behalf.
In the German healthcare system, the term "service providers" refers to all those groups that provide services for people insured by the health insurance funds. Groups covered by the provision include, for example:
- Hospitals
- Panel physicians
- Pharmacies
- Pharmaceutical companies
- the statutory health and long-term care insurance funds themselves
The obligation works in two directions. Cloud providers must hold a valid C5 certificate for services that process sensitive health data in this context, and the healthcare organizations that use them, in particular hospitals, doctors' surgeries and health insurance funds, may only process health and social data with cloud services that have one. Both the organizations using the services and the IT providers that make them available are therefore bound by the requirement.
For cloud providers, this means a comprehensive security audit against the C5 criteria. Anyone acting as a service provider for people or organizations in the healthcare sector must meet the requirements or risk being excluded from the supply chain.
When is a C5 certificate mandatory for cloud providers?
A C5 certificate has been mandatory for cloud services that process health data in the healthcare sector since July 1, 2024. Until June 30, 2025, a Type 1 certificate, which assesses the design of the security measures at a single point in time, is sufficient.
From July 1, 2025, the requirements become stricter: cloud providers then need a C5 Type 2 certificate.
This step matters, because a Type 2 report does not only confirm that security measures exist, but checks that they operated effectively throughout a defined review period. For cloud providers this means considerable additional effort: the controls have to be evidenced continuously, not just on the audit date.
What is the difference between a Type 1 and a Type 2 certificate?
The most important difference between the two types of C5 certificate lies in the type of examination:
- C5 Type 1 Certificate: checks once, at a reference date (a point-in-time assessment), whether the security measures are suitably designed and implemented.
- C5 Type 2 Certificate: evaluates over a defined review period whether the security measures were in operation and effective in practice throughout that period.
A Type 1 certificate therefore only confirms that security mechanisms are in place on the audit date. A Type 2 certificate goes further and shows that these measures were effective over time. The obligation to obtain Type 2 certification from July 2025 therefore represents a significant increase in the level of assurance. In both cases the auditor examines the provider against the criteria areas of the C5 catalogue, which include, among others:
- Organization of information security: Are there clear security policies and responsibilities?
- Security incident and business continuity management: Are there mechanisms for detecting, reporting and resolving security incidents, and for continuing operations in an emergency?
- Cryptography and key management: Are up-to-date encryption methods and protective measures used for data at rest and in transit?
- Physical security: How are data centers protected against unauthorized access and physical threats?
- Logging and monitoring: Are security-relevant events continuously monitored and logged so that actions remain traceable?
Is Stackfield suitable for use in the healthcare sector?
Short answer: Yes!
At Stackfield, we adapted to the new legal requirements at an early stage and received our C5 Type 2 certificate at the end of 2024. This means we can demonstrate that Stackfield not only meets the BSI's requirements and has the necessary security measures in place, such as true end-to-end encryption, but has also operated them consistently over a review period and continues to do so. Our customers can therefore rest assured that the legal requirements are met and that sensitive health data is protected in the best possible way.
Conclusion: Cloud providers in the healthcare sector cannot do without a C5 certificate
The security of personal data is an essential part of healthcare – both from a legal and ethical perspective. The GDPR places strict requirements on the handling of sensitive healthcare data, and breaches can have serious consequences. With the tightening of the C5 certificate obligation from July 2025, the responsibility for cloud providers increases further.
The C5 certificate gives healthcare organizations a reliable basis for selecting secure cloud services. In particular, the mandatory Type 2 certification shows that security measures not only exist but are also consistently operated. Companies like Stackfield, which responded to these requirements at an early stage, give their customers the assurance that the statutory requirements are met.