The healthcare sector has undergone significant transformations driven by digitalization and the adoption of innovative technologies. To facilitate easier access to and storage of information, there has been a growing use of electronic health records and AI-powered diagnostics. This transition leads to greater efficiency in hospital administration, improved patient outcomes, and enhanced collaboration even across international borders.

With this progress, however, new challenges are emerging for healthcare systems and professionals – particularly in safeguarding personal data and taking action against its misuse and theft. Across the EU, health data is classified as highly sensitive under the General Data Protection Regulation (GDPR), requiring strict safeguards and explicit consent for its use. Healthcare is also recognized as critical infrastructure, making it an increasingly attractive target for large-scale cyberattacks.

Promises and limits of the cloud

To store and process vast amounts of data, healthcare organizations increasingly rely on cloud-based solutions. Beyond providing scalable storage, these technologies offer speed, facilitate access, and support the development of international research, as well as collaboration with foreign healthcare systems.

In day-to-day practice the situation proves more complex. Discrepancies in professional standards across EU Member States, legal uncertainty, and a lack of trust between countries become key factors behind inefficient data exchange – despite the technology itself being fully capable. The evident fragmentation of health data in Europe not only limits interoperability but also slows down innovation in the sector.

Germany’s approach to cloud solutions 

One of the most highly regulated and restrictive healthcare systems in Europe is that of Germany. Despite the country’s technological advancement and ongoing digital transformation, there is still a noticeable delay in the implementation of sustainable and fully functional data storage models. This is largely due to the complexity of regulatory frameworks and the strict rules governing the protection of personal data and sensitive information.

Currently, there is no fully integrated, nationwide cloud-based hospital information system (HIS) implemented in Germany. Nevertheless, this does not mean that the medical community is not looking ahead – according to recent research, 98% of healthcare organizations already store data from at least one of their applications in the cloud. 

Regulatory requirements for healthcare organizations are further complicated by the fact that, when relying on cloud service providers, the responsibility for protecting patients’ personal data lies with the organization itself. Additionally, the German C5 certification framework imposes strict standards on providers, which further raises compliance requirements.

This approach highlights both the advantages and the limitations of the country’s strict regulatory frameworks. By prioritizing data sovereignty and the protection of personal information, Germany strengthens trust. At the same time, however, this strategy also underscores fundamental challenges related to the implementation of digital solutions in a highly regulated environment.

How can the cloud put medical data at risk of cyberattacks?

The transition of patients’ personal data from hospital shelves to digital environments carries its own risks. The larger the volumes of sensitive information, the higher the exposure to malicious attacks. As stated by the European Commission, in 2023, a total of 309 cybersecurity incidents were recorded in the EU healthcare sector, with 54% of cyberattacks involving ransomware (a type of malicious software that encrypts a victim’s data or blocks access to their systems, demanding payment for restoration).

Cyberattacks are often observed in hospitals with outdated infrastructure that nevertheless rely on modern digital platforms, leaving them unable to respond adequately in the event of a breach. The consequences of such attacks in the healthcare sector can be extremely severe, even putting human lives at risk. A case in point is the 2020 incident at Düsseldorf University Hospital, where a ransomware attack on its IT systems prevented the admission of a female patient, who subsequently died – marking the first known death resulting from a cyberattack.

Balancing compliance with data protection regulations while ensuring robust protection against cyberattacks requires a complex framework of strategies that healthcare organizations must consistently follow in their operations. This means that, in working with every patient, all necessary measures must be taken to protect sensitive information. In practice this often adds complexity to the daily work of healthcare professionals, as it can shift the focus away from treatment in order to meet administrative requirements.

Future strategies for data protection in the EU area

Cloud technologies are a key and indispensable component of modern European healthcare. The future of securing the vast volumes of data shared between healthcare organizations and across borders depends on the ability to maintain a balance between innovation, regulation, and security.

Driven by stringent security requirements, we carried out a complete redesign and migration of the healthcare infrastructure to the T-Cloud Public (previously known as OpenTelekomCloud) for our client, CompuGroup Medical (CGM) – one of the world’s leading e-health companies. We rebuilt the entire cloud infrastructure from the ground up, delivering a secure, BSI C5-compliant migration that included client isolation and complex integrations with hospital networks.

Effective healthcare is built on trust in the system that safeguards patients’ sensitive information, which is why cybersecurity lies at the core of healthcare infrastructure. The implementation of regulatory frameworks such as the NIS2 Directive (the EU’s updated legal framework for cybersecurity, strengthening security requirements across 15+ critical sectors to combat rising cyber threats) reflects the growing recognition of its necessity. In this sector, entrusting personal data to third parties is essential to people’s health and lives, which makes it among the most valuable types of information that can be handled.
