ISO 27001 and BSI C5: What Hospital IT Managers Need to Consider When Selecting Digital Patient Intake Software
Factors to Consider When Selecting Digital Patient Registration Software
Anyone responsible for IT security at a hospital is familiar with this situation: A department or the administrative leadership wants to implement a new cloud solution. The provider’s sales materials are professionally designed. ISO 27001 is mentioned somewhere—sometimes as a logo, sometimes as a sentence. What that actually means remains unclear. And the questions that really matter—Where is patient data processed? Are there transfers to third countries? How is client isolation handled?—often remain unanswered until the data processing agreement has already been signed.
This article is intended for hospital IT managers and data protection officers who are evaluating cloud-based software for preoperative patient registration. It explains what these certification terms mean, lists specific criteria to consider—and reveals where medudoc stands today.
Health data is not ordinary data
Preoperative patient registration systematically collects information that is classified as special categories of personal data under Article 9 of the GDPR: medical history, pre-existing conditions, medication lists, risk factors, allergies, and informed consent to the procedure. This imposes stricter requirements on the legal basis for processing, on technical and organizational measures (TOMs) under Article 32 of the GDPR, and generally mandates a data protection impact assessment (DPIA) under Article 35 of the GDPR.
A software provider that processes this data on behalf of your clinic acts as a processor within the meaning of Article 28 of the GDPR. The clinic remains the controller. In practice, this means that if the processor acts negligently, the clinic bears the consequences—toward the supervisory authority, toward affected patients, and in the event of liability. Exercising due diligence in selecting a provider is therefore not merely a bureaucratic requirement, but a concrete risk management tool.
What ISO 27001 Actually Says—and What It Doesn’t
ISO/IEC 27001 is the international standard for information security management systems (ISMS). Valid certification means that an accredited external auditor has confirmed that the company operates a systematic framework to identify, assess, and address information security risks and to continuously improve—and that this framework is documented and regularly reviewed.
What ISO 27001 does not mean: that security incidents cannot occur, that all conceivable risks have been eliminated, or that the certificate automatically applies to all of the company’s products and services. The scope is crucial.
Specific criteria to consider when selecting a provider:
- Is there a valid ISO 27001 certificate issued by a certification body accredited by DAkkS or an equivalent accrediting body?
- Does the scope explicitly include the development, operation, and processing of patient-related data—or only a specific area of the company?
- When was the certificate issued, and when does it expire? ISO 27001 certificates are valid for three years and require annual surveillance audits.
An ISO 27001 logo that refers to a five-year-old certificate with a different scope has no significance for your risk assessment.
BSI C5 — The Cloud-Specific Security Standard
The BSI Cloud Computing Compliance Controls Catalog (BSI C5) was developed by Germany's Federal Office for Information Security (BSI) and specifically addresses the requirements for cloud services. It is therefore more directly applicable to the question of how secure a cloud service is for clinical use than ISO 27001 alone.
BSI C5 distinguishes between two types of tests:
- Type 1: Assessment of the adequacy of security controls as of a specified date. Documents whether the controls are in place and appropriately designed.
- Type 2: Assessment of the effectiveness of controls over a given period (typically six to twelve months). This type is significantly more informative for demonstrating operational security—it shows whether the controls not only exist but actually work.
Among other things, BSI C5 assesses organizational security, asset management, physical security, cryptography, access control, incident management, business continuity, and—particularly relevant for hospital procurement—full transparency regarding subcontractors and sub-processing chains.
A common pattern in vendor documentation is the statement that BSI C5 is “being pursued” or is “in preparation.” This is not necessarily a negative sign—C5 audits are resource-intensive. The relevant question is: Is a specific, commissioned audit currently underway? And if so, for what time period and with which audit firm? These questions should be answered in writing.
Five Questions Every Hospital IT Department Should Ask
Regardless of which cloud solution is being evaluated for preoperative patient registration, these five questions should be answered in writing before signing the contract:
1. Where is patient data processed?
European Economic Area or third country? Are there sub-processors outside the EU—for example, for AI-supported processing steps, analyses, or support services? Transfers to third countries are permitted under the GDPR, but only subject to stricter requirements (standard contractual clauses or an adequacy decision). Many hospital groups and tertiary care providers specify “EU-only” data storage as a formal award criterion in their requests for proposals.
2. How is client segregation implemented?
Do multiple hospital clients of a provider share the same database layers, or is your hospital’s patient data technically strictly separated from that of other clients? This question determines whether a security incident at another clinic could affect your own data—and whether configuration errors on another client’s end could impact your instance.
3. Which TOMs are documented and verifiable?
Article 32 of the GDPR requires appropriate technical and organizational measures. Specifically, this means: How is data at rest encrypted? What transport encryption standard is used? How are access rights regulated and documented? How are activities logged and made available for audit purposes? A reputable provider will supply structured TOM documentation on request and without difficulty—it is a mandatory component of a legally valid data processing agreement.
4. Is there a complete data processing agreement in accordance with Article 28 of the GDPR?
Its mere existence is not enough: Does the data processing agreement comply with the current version of the GDPR? Does it contain a complete, up-to-date list of the subprocessors used (Sub-DPA)? Does it outline the procedure for data breaches, including the 72-hour notification requirement under Article 33 of the GDPR? And has it been signed by both parties in a legally binding manner? The DPA template should be available before the pilot phase, not only after go-live.
5. How is a security incident handled?
What documented process does the provider have in place for detecting, classifying, and reporting data breaches? Who is your point of contact, and within what timeframe will you be notified? What recovery objectives (RTO, RPO) are contractually guaranteed? And has this process been verified as part of an external audit—or is it merely an internal commitment?
What Hospitals Rightly Demand
In procurement discussions with hospitals, I’ve noticed that these questions are being asked with increasing precision—and that’s exactly as it should be. GDPR compliance is now a given; it’s no longer a distinguishing factor. What hospital IT managers and data protection officers are rightfully demanding is proof: a valid certificate with a clearly defined scope, a legally sound data processing agreement (DPA) template, and honest information about what is still under development and what is already available for verification.
Vendors who can provide specific answers to these questions—backed by documentation—will make your procurement process more efficient and reduce your residual risk. Vendors who evade the questions or make generic statements are not providing you with a substantive answer.
Information about medudoc’s security standards and certifications, as well as the data processing agreement (DPA) template, is available in the Trust Center at trust.medudoc.com.
Where medudoc stands today
In accordance with the evaluation criteria described here, I am disclosing my own position:
medudoc has been certified to ISO/IEC 27001:2022 since April 2026. The scope of certification covers the development, operation, maintenance, and distribution of the medudoc platform, including the processing of patient-related data. The certificate is valid through March 2029. It can be viewed and downloaded at trust.medudoc.com.
The Type 1 audit process for BSI C5 is currently being conducted by a contracted auditing firm. The Type 1 audit report is still pending—the audit process is ongoing but not yet complete. For hospitals that already require BSI C5 as a formal award criterion, I recommend a direct discussion regarding the current status and expected timeline.
Patient data is processed exclusively in Germany. AI-supported processing steps remain within the EU. There are no transfers to third countries. A complete data processing agreement template in accordance with Article 28 of the GDPR, including the TOM annex and a list of subprocessors, is available for contract review.
We continuously update the current status of all quality and safety standards.
Conclusion
IT security and data protection are not an afterthought in the procurement process for clinical cloud software—they belong in the first round of evaluation. The questions a hospital asks today are the same ones a data protection authority would ask in the event of a breach. The difference lies in whether the answers are available before an incident occurs.
The five key points from this article—data storage location, client isolation, TOMs, the data processing agreement (DPA), and incident management—are not an exhaustive checklist, but they serve as a reliable starting point for any procurement discussion.
If you are evaluating the digital preoperative workflow for your clinic and have specific questions about security architecture, certification status, or the DPA, please contact us directly: Request a demo.