A Cybersecurity Self Check? Medical Facilities Best Practice Test Criteria for Article 32 GDPR

According to the publishers, this paper is an aid to quickly checking your own security with regard to the availability of your own data processing within the meaning of Article 32 GDPR. The scope includes both the non-public as well as the public area. The work was created in a collaboration between the Bavarian State Office for Data Protection Supervision (BayLDA) and the Bavarian State Commissioner for Data Protection (BayLfD). 


Editor’s Note: Developed and published by the Bavarian State Commissioner for Data Protection (BayLfD) and the Bavarian State Office for Data Protection Supervision (BayLDA), this paper is shared to highlight important cybersecurity considerations around sixteen fundamental areas ranging from patch management and ransomware to remote maintenance and social engineering. Developed through the lens of medical facility cybersecurity, this paper may be beneficial for legal, business, and information technology professionals in the eDiscovery ecosystem as they seek to secure and protect sensitive data in both on-site and remote environments.

Cyber Security for Medical Facilities: Best Practice Test Criteria for Article 32 GDPR

Purpose and Content of This Paper

This handout provides an overview of practical cybersecurity measures for medical facilities, including a thematic block specifically for laboratories, in accordance with the applicable legal data protection requirements. With the aim of targeted prevention, it is intended to raise awareness of security-related issues and actively support the trouble-free operation of these facilities.

The document focuses on the availability of data and services in the face of attacks from the Internet, and less on their confidentiality and integrity, which must nevertheless also be observed from a data protection perspective. The measures listed are, of course, not exhaustive; they represent a best-practice approach that can support effective protection against current cybersecurity threats. Because the circumstances of each organization differ, it is not strictly necessary to implement every measure mentioned in order to comply with the data protection security requirements. Where individual measures are not implemented, it must be checked how other (possibly existing) measures can offer a comparable, adequate level of protection.

This paper is an aid to quickly checking your own security with regard to the availability of your own data processing within the meaning of Art. 32 GDPR. The scope includes both the non-public as well as the public area.

The work was created in a collaboration between the Bavarian State Office for Data Protection Supervision (BayLDA) and the Bavarian State Commissioner for Data Protection (BayLfD).

Cybersecurity for Medical Facilities (PDF)

Cybersicherheit für medizinische Einrichtungen (Cybersecurity for Medical Facilities) – 27 May 2020

Original Source: BayLDA

Checklist Extracts from English Translation of Paper*

Self-Check: Cybersecurity in Medical Facilities

Patch Management

Outdated software versions pose an increased risk of attack because of potential vulnerabilities. The software used must therefore be kept up to date through regular security updates.

  • Patch management concept in place (including an up-to-date plan with an overview of the software used)
  • Regular evaluation of information on security gaps in the software used, such as operating systems, office software, specialist applications, and the medical device environment (e.g., through email newsletters, manufacturer publications, trade media, security warnings)
  • Exclusive use of desktop operating systems for which the manufacturer/maintainer still provides security updates for known vulnerabilities
  • Regulated process for the prompt installation of server security updates
  • Automatic updates of the desktop operating systems (directly from the manufacturer or through central distribution)
  • Regulated process for browser updates (recommendation: automatic, if possible)
  • Regulated process for updates of basic components such as Java or PDF readers (recommendation: automatic, if possible)

Malware Protection

Infection with malicious code often leads to a significant IT disruption. Antivirus programs do not recognize every malware variant, but they intercept many standard attacks. Effective anti-malware protection must therefore be used.

  • Endpoint protection on every workstation
  • Daily automatic update of the antivirus signatures
  • Central collection of alarm messages by the IT administration
  • Clear instructions to employees on how to deal with alarm messages
  • Procedure plan for the IT administration in the event of malware infections
  • Antivirus solution with local heuristic detection configured as “high”
  • Sandboxing procedures or advanced endpoint detection and response (EDR) only under strict consideration of data protection regulations

Ransomware Protection

Trojans that encrypt data in a targeted manner in order to extort ransom can bring operations to a standstill. Proactive measures to protect against encryption Trojans are essential to head off the impending negative effects at an early stage.

  • As far as possible, no macros in office documents in everyday operations
  • Allow only signed Microsoft Office macros, or regularly (e.g., once a year) inform employees about the risks of activating macros (e.g., in Microsoft Word)
  • Prevent automatic execution of downloaded programs (e.g., software restriction policies and sandboxing)
  • Deactivation of Windows Script Host (WSH) on clients (if not absolutely necessary)
  • Check whether restricting PowerShell scripts with “ConstrainedLanguage” mode on Windows clients is feasible
  • Use of a web proxy with current (daily updated) blocklists of malicious code download sites (IOCs)
  • Emergency plan for dealing with encryption Trojans, available on paper
  • Review of the backup and recovery strategy (see Backups) to ensure that backups cannot be encrypted by ransomware
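A read-only audit of the Windows client settings behind the WSH, PowerShell, macro, and software-restriction items above, written here as an added PowerShell example rather than code from the BayLDA/BayLfD paper. It assumes Office 2016/Microsoft 365 policy keys under the "16.0" path and reports the language mode of the session it runs in; a "REVIEW" status marks a setting that does not match the checklist's intent.

```powershell
# Added example, not code from the BayLDA/BayLfD paper: read-only audit of the
# Windows client settings behind the ransomware checklist items above (WSH,
# PowerShell ConstrainedLanguage mode, Office macros, Software Restriction Policies).
# Assumption: Office 2016/Microsoft 365 policy keys live under the "16.0" path.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value not present
}

function New-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{
        Check  = $Check
        Status = $(if ($Pass) { 'OK' } else { 'REVIEW' })
        Detail = $Detail
    }
}

function Test-RansomwareHardening {
    $f = [System.Collections.Generic.List[object]]::new()

    # 1. Windows Script Host: Enabled = 0 under the Settings key disables wscript/cscript.
    $wshHklm = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    $wshHkcu = Get-RegValue 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    $f.Add((New-Finding 'WSH disabled' (($wshHklm -eq 0) -or ($wshHkcu -eq 0)) "HKLM=$wshHklm HKCU=$wshHkcu"))

    # 2. Language mode of this PowerShell session; ConstrainedLanguage is the target state.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $f.Add((New-Finding 'PowerShell ConstrainedLanguage' ($mode -eq 'ConstrainedLanguage') "LanguageMode=$mode"))

    # 3. Office macro policy per application: VBAWarnings 3 = only signed macros run,
    #    4 = all macros disabled; BlockContentExecutionFromInternet = 1 blocks web-sourced macros.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $vba = Get-RegValue $sec 'VBAWarnings'
        $net = Get-RegValue $sec 'BlockContentExecutionFromInternet'
        $f.Add((New-Finding "$app macros signed-only or off" ($vba -in 3, 4) "VBAWarnings=$vba"))
        $f.Add((New-Finding "$app blocks Internet macros" ($net -eq 1) "BlockContentExecutionFromInternet=$net"))
    }

    # 4. Software Restriction Policy default level: 0 = Disallowed (allow-list stance for downloads).
    $srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
    $f.Add((New-Finding 'SRP default level Disallowed' ($srp -eq 0) "DefaultLevel=$srp"))

    return $f
}

Test-RansomwareHardening | Format-Table -AutoSize
```

Run it in the user context being assessed, since the macro and per-user WSH keys are read from HKCU; a missing value is reported as empty and flagged for review rather than treated as compliant.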

Password Protection

Access to personal data of any kind by unauthorized persons, especially cybercriminals, must be made more difficult through appropriate measures. Strong passwords help protect the logins of employees.

  • Employee awareness of what strong passwords are and how to handle them (e.g., no sticky notes at the workplace, never pass them on, …)
  • Defaults in applications that prevent the selection of very weak passwords (e.g., via guidelines or, as far as possible, technically enforced via the identity management system)
  • Minimum length of ten characters for the passwords in use
  • Recommendation to avoid easily guessable passwords or password components
  • Rules for blocking and reassigning passwords after an incident
  • Strong passwords according to the password guidelines also for internal systems, if they are not already enforced through the identity management system
  • Review of the rule that passwords must be changed after short periods (e.g., 60 days); if the passwords are strong and long enough (e.g., at least twelve characters), the password change interval can be significantly longer (e.g., once a year)

Note: Encryption is particularly necessary for personal medical data. However, it can prevent the content from being checked for malicious code in advance. Special care must therefore be taken before or when opening encrypted medical data.

Two-factor Authentication

Security-critical areas have long been a focus of attackers. In addition to classic passwords, additional authentication factors are required to adequately protect those access points that are particularly worthy of protection.

  • Two-factor protection for administrator access, at least for Internet services (e.g., cloud mail hosting)
  • Basic protection of encrypted VPN connections with cryptographic certificates or one-time passwords
  • If chip cards are used as employee ID cards, check whether they can be used for basic authentication (e.g., Windows login)

Note: For laboratories and other medical facilities in Bavarian hospitals, cloud hosting of medical data may be inadmissible on the basis of Art. 27 para. 4 of the Bavarian Hospital Act (BayKrG); see the joint guidelines on commissioned data processing of the BayLDA and BayLfD.

Email Security

Email traffic poses great security risks and is often the starting point for a successful attack. Company-wide rules for email traffic help to counter these risks in good time.

  • Display emails in plain-text format so that manipulated links become visible
  • Use of a security component that checks the links in emails before they are opened
  • Checking incoming emails with anti-malware protection
  • Block dangerous attachments (e.g., .exe, .doc, .cmd)
  • Inform employees about the dangers of encrypted email attachments (e.g., password-protected zip files)
  • Inform employees how to identify counterfeit emails (e.g., sender addresses, anomalies, embedded links)
  • Regularly inform employees about current email attack variants (e.g., Emotet, CEO fraud), e.g., once a year
  • Deactivate blanket forwarding rules in cloud hosting
  • Use of cryptographically signed emails (e.g., with S/MIME) for internal communication, so that fake internal emails sent as part of an attempted attack can be recognized and checked

Note: For laboratories and other medical facilities in Bavarian hospitals, cloud hosting of medical data may be inadmissible on the basis of Art. 27 para. 4 of the Bavarian Hospital Act (BayKrG); see the joint guidelines on commissioned data processing of the BayLDA and BayLfD.


Backups

Failures of data carriers, whether due to malfunctions or cyber attacks, can cause lasting damage and lead to the total failure of a company. Regular backups of important data are therefore a prerequisite for surviving an IT failure with as little harm as possible. Note that, depending on their design, Trojans can also spread to backups.

  • Existence of a written backup concept
  • Backups according to the 3-2-1 rule: 3 copies of the data, on 2 different backup media (including “offline” media such as tape backups), with 1 of them at an external location
  • Appropriate physical storage of backup media (e.g., safe, separate fire compartments, protection against water damage, …)
  • Regular check that at least one backup is performed daily
  • Regular tests of the backup process, including recovery, with all relevant data
  • At least one backup system that cannot be encrypted by malicious code (e.g., a special backup procedure such as disconnecting the backup system, or an air gap (offline) once the backup process is complete)

Home Office

If employees move their work into their own homes, completely new security problems arise that can serve as a gateway for far-reaching cyber attacks. The connection of employees working from home must therefore be well thought out and designed securely.

  • Overview of employees who have the option of working in the home office
  • Overview of employees who currently use a home office
  • Overview of employees’ devices in the home office
  • Ensuring that employees in the home office can be reached via various communication channels in the event of an attack (e.g., falling back on the telephone)
  • Hard disk encryption of mobile devices using strong cryptography (e.g., AES 256-bit); see the joint guidelines on commissioned data processing of the BayLDA and the BayLfD
  • Securing home office access to the company network with VPN connections and two-factor authentication
  • Rules for the use of private devices in exceptional cases (e.g., only connections to terminal servers)
  • If necessary, container solutions to separate business and private areas
  • Information on handling video conferences
  • Rules for taking away and disposing of sensitive paper documents (e.g., security concepts, policies, network plans, …)

External Access Option for Laboratory Results

Options for online retrieval of laboratory results by submitters, e.g., through a website, offer new attack surfaces because they are reachable via the Internet, and they can therefore be the target of hacker attacks. Consequently, extensive protection measures are required.

  • Appropriate security of the access (e.g., SSL)
  • Secure access to the retrieved data, separate for each submitter
  • Regular updates of the software used, in particular the speedy closing of known vulnerabilities
  • Complete logging of access
  • Regular review of the logs
  • Security-related separation of the access pages from internal IT systems
  • Regular (automatic) deletion of the provided data after retrieval by the submitters
  • Regular penetration tests

Remote Maintenance

Remote access options to a system provide new targets. When dealing with service providers that connect to systems via remote maintenance, well-established security processes are particularly important in operation.

  • Restriction of remote maintenance access to the specific system to be maintained rather than entire network segments, if necessary additionally secured by a so-called “jump server”
  • Activation of remote maintenance access only for specific purposes and durations
  • Deactivation of file transfers, if not required for the remote maintenance
  • Complete logging of remote maintenance access
  • Regular review of the remote maintenance logs
  • Cryptographically appropriate protection of the remote maintenance access (e.g., VPN, TLS)
  • Blocking or removal of remote maintenance access upon termination of a service contract


Administrator Accounts

Cybercriminals have an easy time when they get hold of privileged user accounts. Even though the role of administrators with their far-reaching permissions is particularly important in emergencies, administrator accounts should only be used in a targeted manner.

  • Non-privileged standard accounts for administrators as well, for all work outside of administrative activities
  • Rule that no web browsing and no reading/sending of emails takes place with administrator rights
  • Very strong passwords for local admin accounts (e.g., min. 16 characters, complex, without common word components, and different for each PC)
  • As far as possible, consistent use of two-factor authentication for applications that support it, especially for administrators
  • No dependency of the entire company on individuals or employees with administrator IDs
  • Ensure that in the event of an absence (e.g., illness), the company’s ability to work is maintained by several IT administration employees
  • Appointment of an information security officer or of a person responsible for information security with clearly regulated allocation of competences

Emergency Concept

The availability of important medical devices, communication programs, and basic data is essential for smooth daily operation. An emergency concept is therefore important in order to be prepared in the event of a failure.

  • Existence of an emergency concept that is actually available to the relevant groups of people in paper form
  • Regular checking that the emergency concept is up to date, and adjustment if necessary
  • Enabling operations to be resumed through various process steps in the emergency plan that were already planned and tested in advance
  • Availability of emergency reserve hardware to compensate for failures (e.g., retired devices, replacement purchases)
  • Rapid creation of an alternative infrastructure (e.g., external servers, mobile communication, emergency email addresses)
  • Existence of a well-structured and up-to-date network plan
  • Inform employees about the internal contact person(s) in the event of security incidents
  • Ensuring the reachability of the internal contact person(s) for security incidents
  • Indication of the relevant competent authorities and reporting obligations in the emergency plan
  • Secure storage of central administration credentials (e.g., in a safe) and of access options for emergencies


Network Segmentation

Once attackers are in your private network, they scan, among other things, for data, connected devices, and ways of spreading. If the internal IT networks, e.g., for the medical area, for administration, and for the Internet, are strictly separated from each other with network components, the impact of an attack is minimized.

  • Restrictive (physical) separation of medical networks from administrative networks (using firewall systems)
  • Operation of the servers accessible via the Internet in a demilitarized zone (DMZ) (e.g., email server, web server, VPN endpoints)
  • Regulated process for the correct configuration of the firewalls and regular review of the same (e.g., whether approvals are still needed)
  • Logging at firewall level so that unauthorized access between the networks can be identified, analyzed, and closed
  • Automatic notification of the IT administration if unauthorized processing is suspected


Firewall

Attempts to access your own company from the outside are unavoidable. It is important to block them as well as possible with a firewall ruleset, with logging, in order to identify dangers and design security measures as required.

  • Isolation of all internal servers, PCs, and medical devices connected to the internal network from the Internet by a firewall
  • An “air gap”, i.e., separation from the network, should be implemented for critical systems, if possible
  • Regular review of the correct configuration of the firewall (e.g., using port scans of the organization’s own IP addresses from outside, and periodic pentests)
  • Use of adequately qualified personnel/service providers to configure the firewall
  • Monitoring to identify access attempts

Data Protection Officer (DSB)

Poor security structures in an organization can endanger operations. It is therefore important to use existing expertise and to involve not only IT managers but also the DSB in the integration and implementation of security issues.

  • Consistent involvement of the DSB in security issues
  • Sufficient professional qualification of the DSB for security-related questions, and opportunities for training on this topic
  • Regular audits by the DSB of the security of processing under Art. 32 GDPR
  • Knowledge of the responsible data protection supervisory authority
  • Knowledge of the reporting obligations under Art. 33 and 34 GDPR (security breaches)
  • Management support for the cooperation between the DSB and the Information Security Officer (ISB) (info: when selecting and implementing the technical and organizational measures under Art. 32 GDPR, the DSB and the ISB can create synergies)

Social Engineering

Criminals use social engineering attacks to sneak their way to important information for downstream cyber attacks. Accordingly, it is important that the “human factor” in security is explained to everyone through appropriate training.

  • Regular training of employees on current issues and frequent cyber attacks (e.g., once a year)
  • Consistent instruction of new employees on the proper handling of IT components and on behavior in the event of social engineering attacks
  • Raising awareness among new employees about IT risks at the start of data processing (e.g., also for temporary workers)
  • Presentation of how social engineering attacks unfold, to raise awareness among employees (e.g., the possibility of manipulating telephone numbers)
  • Information to employees about reporting channels (e.g., via the ISB or DSB) and responsibilities


*Original content translated via machine translation (Google) and ComplexDiscovery review.

Source: ComplexDiscovery

