The non-profit Steiermärkische Krankenanstaltengesellschaft m.b.H. (KAGes) employs more than 18,000 people, making it the largest healthcare provider in Styria. Five of the 20 KAGes hospital sites are among the essential services according to the NIS Ordinance and are therefore subject to the NIS Act. KAGes’ IT infrastructure must therefore fulfil the requirements set out in this law.
Good basis with ISO 27001 – new challenge of the NIS Act
Since centralising its IT several decades ago, KAGes has been committed to the highest achievable level of data protection and data security, and has developed and implemented its own information management strategy and an information security guideline. The company’s IT department has undergone regular external audits for many years and has been ISO 27001 (information security) certified since 2018, which already laid a solid foundation for IT security in line with the Network and Information System Security Act (NISG). The Austrian certification body for data protection, information security, business continuity and related fields, CIS – Certification & Information Security Services GmbH, was commissioned to carry out the audits for the ISO certification right from the start.
The starting position for the company audit under the NIS Act was unusual: both the auditors and the auditees were going through the process for the first time and had to anticipate the expectations of the NIS authority. It therefore made sense to commission CIS, a certification partner already familiar with KAGes, with the NISG audit. CIS has been authorised by the Federal Ministry of the Interior since 2020 to act as a qualified body for audits under the NIS Act.
5 locations – 22 audit days
Between July and November 2023, the audit in accordance with the NISG took place over 22 audit days, at times with two audits running in parallel. Between sessions, the auditors remained available to answer questions.
“Thanks to our successful collaboration to date, the CIS auditors were already familiar with the complex system landscape at KAGes and were able to gain an overview of the enormous scope of the NISG audit,” explains DI Dr Helmut Brückler, Head of the IT Management team at KAGes. “We also benefited from their extensive knowledge of the healthcare sector.”
According to the authority’s decision, the following provincial hospitals (LKH) had to undergo the NIS inspection: LKH University Hospital Graz, LKH Hochsteiermark with the Leoben site, LKH Murtal with the Judenburg (pictured) and Knittelfeld sites, and LKH Rottenmann-Bad Aussee with the Rottenmann site.
The central IT was subjected to a particularly intensive and comprehensive audit, because all essential applications (hospital information system, laboratory system, etc.) and the IT infrastructure (data centres, network infrastructure, etc.) required for the acute care of patients are provided centrally.
LKH Judenburg © Toni Muhr
In addition, NIS-relevant ICT services and interfaces as well as the NIS-relevant medical technology devices and building services systems were defined and reviewed from both a technical and organisational perspective.
Clear starting points for improvements
In the course of the NISG audit, not a single requirement specified by the legislator or the NIS authority was judged to be “ineffective”, and the people working at KAGes were confirmed as having a high level of information security awareness in the areas reviewed. The authority’s feedback on the audit report was correspondingly positive. The requirements that were classified as “partially effective” provide further useful starting points for optimisation.
“The NISG audit has created additional awareness for the topic of IT security and at the same time highlighted the areas in which we still need to intensify our efforts,” emphasises Dr Helmut Brückler. “The improvement measures identified together with the CIS auditors give us a clear orientation as to where we can start in concrete terms.”
About CIS – Certification & Information Security Services GmbH
Since 2020, CIS has been authorised by the Federal Ministry of the Interior to act as a qualified body for inspections under the NIS Act. With the new European NIS 2 Directive, which comes into force on 17 October 2024, new and expanded responsibilities for managers and risk officers apply, along with an obligation to undergo further training in the area of cyber security. CIS provides holistic support and offers NIS 2 audits (including compliance status and recommendations from practice) as well as customised management training and NIS 2 hacking labs.
Do you have questions about NIS or would you like more information? Contact us – the experts at CIS are always available to answer your questions!