The German Federal Office for Information Security (BSI) is implementing new cybersecurity support measures for medical practices to combat the rising threat of ransomware and data breaches. These initiatives help smaller supply centers and group practices comply with the IT Security Directive under § 75b SGB V, which became mandatory for physicians via the KBV in October 2025 and for dentists via the KZBV in January 2026.
BSI Targets the “Too Small to Be a Target” Fallacy
Many small medical practices operate under the mistaken belief that their size protects them from cyberattacks. According to the BSI, this is a dangerous misconception. Cybercriminals frequently target smaller and medium-sized practices where patient data is electronically processed and exchanged, as unauthorized access, data loss, or ransomware attacks can significantly disrupt or halt operations.
Pascal Jeschke, from the BSI’s Referat für Gesundheits- und Finanzwesen, states that general practitioners and family doctors are particularly attractive targets because they handle highly sensitive health data. He emphasizes the need to sensitize staff to common attack patterns and integrate IT security into daily practice routines.
Understanding the § 75b SGB V IT Security Directive
The IT Security Directive under § 75b SGB V establishes binding standards. These rules are relevant to the environment of the electronic patient record (ePA) and practice management systems (PVS).
The rollout of these mandates occurred in two phases:
- October 2025: Mandatory compliance for the area of the National Association of Statutory Health Insurance Physicians (KBV).
- January 2026: Mandatory compliance for the area of the National Association of Statutory Health Insurance Dentists (KZBV).
BSI Support Tools for Practice Compliance
To bridge the gap between requirements and implementation, the BSI provides resources for doctors, dentists, and psychotherapists. These tools are designed to assist in implementing and permanently anchoring the requirements for cybersecurity.
The BSI’s support package includes:
- Concrete Action Recommendations: Guidance on how to secure practice systems.
- Compliance Checklists: Tools to verify if the practice meets the requirements of the directive.
The Risks of Non-Compliance in Digital Health
In Arztpraxen, cybersecurity in the environment of ePA and PVS plays an increasingly important role. According to BSI analysis, unauthorized access, data loss, or ransomware attacks in smaller and medium-sized practices can significantly disrupt or halt operations.
The BSI notes that not only large clinics and/or medical care centers (MVZ) are targeted by cybercriminals. Sensitive, digitally recorded patient data is highly sought after by cybercriminals—the data is suitable for extortion.
Frequently Asked Questions
Who is affected by the § 75b SGB V directive?
Arzt-, Zahnarzt- und Psychotherapiepraxen.
Why are small practices targeted?
The BSI notes that not only large clinics and/or medical care centers (MVZ) are targeted. Small and medium-sized practices are also targeted because they hold sensitive, digitally recorded patient data that is suitable for extortion.
Where can practices find the BSI checklists?
The BSI provides these documents to support Arzt-, Zahnarzt- und Psychotherapiepraxen.
As the healthcare system continues its digital transformation, the BSI provides support to enable even smaller supply centers and group practices to get started with better operational cybersecurity management.
Keep reading