IT Security Policy, Section 390 of SGB V: What Medical Practices Need to Know Now
This text was generated using artificial intelligence (AI).On July 14, 2026, the Federal Office for Information Security (BSI) announced the implementation of the new IT security directive pursuant to Section 390 of SGB V. This directive establishes mandatory security standards for the protection of sensitive patient data and affects approximately 99,000 medical and psychotherapy practices as well as nearly 38,000 dental practices in Germany. The goal is to strengthen information security in private practice and increase resilience against cyberattacks.
The Legal Framework: From Section 75b to Section 390 of SGB V
The legal basis for the new requirements is Section 390 of Book V of the Social Code (SGB V), which replaces the previous Section 75b of SGB V pursuant to the Digital Act (DigiG) of March 22, 2024. The specific requirements are established by the National Association of Statutory Health Insurance Physicians (KBV) and the National Association of Statutory Health Insurance Dentists (KZBV) in consultation with the Federal Office for Information Security (BSI). This collaboration ensures that the measures reflect the current state of the art and the threat landscape. To ensure long-term effectiveness, the guideline is reviewed annually and updated every two years.
Key Requirements of the Directive in Detail
The directive requires all medical practices to adopt a structured approach to IT security. The requirements are tiered according to practice size but include mandatory technical and organizational measures for all:
- Awareness-raising and training: All employees must be regularly informed about security risks and common attack methods.
- Structured Onboarding: New team members must receive targeted training on the IT systems and the secure handling of patient data.
- Personal login credentials: Each user needs their own account to track access and manage permissions effectively.
- Patch and Change Management: Operating systems and applications must be kept up to date through regular updates to address known vulnerabilities.
- Securing Endpoints: All devices that access practice data (PCs, laptops, mobile devices) must be adequately protected.
- Evaluation of Cloud Services: The use of external service providers and cloud applications must be evaluated, and the terms of the collaboration must be set forth in a contract.
Mandatory Deadlines and Obligations to Provide Evidence
The implementation deadlines for the directive are already in effect. Medical practices must be able to demonstrate compliance with the requirements:
- Medical and Psychotherapy Practices (KBV): The requirements have been mandatory since October 1, 2025.
- Dental Practices (KZBV): Implementation has been mandatory since January 2, 2026.
In the event of a security incident, medical practices are required—in addition to complying with the IT security policy under Article 33 of the GDPR—to report data breaches to the competent data protection supervisory authority within 72 hours. The IT security policy and the data protection reporting obligations are thus directly interlinked.
Demonstrate compliance with Section 390 of SGB V using LocateRisk
Implementing the IT security policy requires a thorough understanding of one’s own IT infrastructure and the external service providers used. LocateRisk helps medical practices and their IT partners achieve the transparency needed to demonstrate compliance.
The platform provides a continuous inventory of all externally accessible IT systems—including forgotten subdomains, unmanaged cloud assets, and shadow IT that can arise in day-to-day operations. This overview forms the basis for effective patch management and serves as evidence for audits in accordance with the guideline. The Vendor Risk Management (VRM) module also enables the systematic review of cloud providers and other IT service providers, as explicitly required by the directive. This allows practices to provide verifiable evidence that their partners also meet the required security standards.
As a „Made in Germany“ solution, LocateRisk is operated in German data centers by ISO 27001-certified partners. Hosting in Germany helps medical practices meet data residency requirements and reduce the risk of data access by non-European authorities.
Sources and further information
—
A note on our own behalf: This article reflects the legal situation as of the date of publication. Since IT law and compliance requirements are highly complex, this text is intended solely as a general guide and does not constitute legally binding advice. If in doubt, we recommend seeking legal counsel regarding implementation within your company. We assume no liability for the content.
Frequently asked questions
The directive is binding on all medical and dental practices in Germany that participate in the statutory health insurance system. This includes approximately 99,000 medical and psychotherapy practices, as well as nearly 38,000 dental practices.
The implementation deadlines have already passed. The guideline has been in effect since October 1, 2025, for the KBV sector, and since January 2, 2026, for the KZBV sector. Proof of implementation is required.
Key requirements include regular employee training, systematic patch management, securing end devices, the use of individual login credentials, and the review and contractual regulation of cloud services. The requirements are tiered according to the size of the practice.
In addition to the data protection implications under the GDPR, Article 33 of the GDPR requires that a data breach be reported to the competent supervisory authority within 72 hours. Medical practices should therefore be able to fully document their compliance with these requirements.