
Healthcare data in the cloud

How to successfully balance social data and the public cloud

2026.04.08 | Timo Adler

A guide to handling sensitive information in the public cloud

Despite an increasingly strict regulatory environment, the public cloud can become a key success factor in the healthcare sector. A real-world example shows how organizations can balance compliance and modernization—and which selection criteria truly matter.

When GDPR is not enough

A shortage of skilled professionals, rising costs combined with uncertain funding, rigid infrastructure, and an urgent need for digitalization—all while meeting the high requirements of critical infrastructure regulations—mean that the healthcare sector faces enormous challenges. Recently, another has been added: Section 393 of the German Social Code Book V (SGB V) now requires hospitals, health insurers, and their IT service providers to provide a C5 attestation from the German Federal Office for Information Security (BSI) for cloud solutions. In addition, data processing must be restricted to Germany, the EU, and a limited number of other countries. These requirements go beyond the General Data Protection Regulation (GDPR), forcing affected organizations to introduce new certification processes and rethink how they select cloud providers.

At the same time, healthcare institutions must modernize their IT infrastructure, become more flexible, and reduce costs. This leaves many IT leaders with the question: Does the stricter legal framework rule out the public cloud—or are there ways to meet both requirements?

Document management example: Millions of statements and letters

Large healthcare organizations process vast amounts of data. At AOK Niedersachsen, for example, more than 20 million documents are handled each year, including notifications, billing statements, and informational letters. Four out of five documents are still sent by post because either some information cannot yet be fully digitalized, or consistent digital processes across the healthcare ecosystem are still lacking. In total, around 16 million mailings must be printed, enveloped, and stamped annually.

During special campaigns targeting all insured members—where up to 2.3 million documents must be sent almost simultaneously—the scalability of an on-premises data center reaches its limits. This can lead to performance bottlenecks and impact service availability. For a health insurer handling many time-sensitive communications, this represents a critical risk.

Key criteria for choosing a cloud

The logical next step is to migrate managed services to the cloud. But which type? A private cloud offers greater control, but often faces similar scalability challenges as on-premises solutions, because capacity must still be planned in advance and hardware procured. A public cloud, on the other hand, delivers what is missing: on-demand resources, scaling within hours instead of weeks, and no lead times for peak loads.

However, in healthcare, the immediate question is: can this be reconciled with strict data protection and compliance requirements? Are sensitive health data and the public cloud compatible?

In principle, yes—but not every public cloud meets these requirements. The journey to the public cloud should therefore not begin with technology selection, but with intensive internal alignment. Data protection officers, legal departments, and business units must work closely together to clarify all legal and organizational questions in advance: What requirements must a cloud provider meet? Which contractual clauses are essential? How can control over social data be ensured? Only once these foundations are established should the selection process begin. This sequence is critical to project success and enables targeted evaluation of providers.

Three essential criteria

Regulatory compliance

Section 393 SGB V requires a BSI C5 attestation and restricts data processing geographically. Section 80 SGB X governs the processing of social data by external providers and mandates instruction-based processing. The GDPR protects personal data and requires transparency. A public cloud must demonstrably meet all three.

Location and control

Where are the servers physically located? Does the data ever leave German territory? Decision-makers must be certain that social data is processed exclusively in German data centers—without exposure to foreign legislation such as the US CLOUD Act. Who has access to the systems? A critical security aspect is external key management: control over decryption must remain with the healthcare organization, not the cloud provider.
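The "external key management" requirement is easiest to see in code. The following Go program is an added illustration, not code from the article or from any product mentioned in it. It models envelope encryption: an organisation-held key-encryption key (KEK, standing in for an on-premises HSM or external KMS, here a hypothetical `OrgKeyService`) wraps a fresh per-document data key, and the cloud stores only the ciphertext plus the wrapped data key. Every read has to go back to the organisation's key service, so the organisation can stop all decryption by revoking access, without touching anything stored at the provider. The sample document is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// OrgKeyService is a hypothetical stand-in for key management that stays with
// the healthcare organisation (HSM or external KMS). The KEK is created and
// kept here; the cloud side only ever receives wrapped data keys.
type OrgKeyService struct {
	kek     []byte // 32-byte AES-256 key, never exported
	revoked bool   // set when the organisation withdraws decryption capability
}

// NewOrgKeyService generates a fresh KEK inside the organisation's boundary.
func NewOrgKeyService() (*OrgKeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &OrgKeyService{kek: kek}, nil
}

// sealBlob encrypts plaintext with AES-256-GCM and returns nonce || ciphertext.
func sealBlob(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openBlob reverses sealBlob; any tampering fails GCM authentication.
func openBlob(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// WrapDEK encrypts a per-document data key under the organisation's KEK.
func (s *OrgKeyService) WrapDEK(dek []byte) ([]byte, error) { return sealBlob(s.kek, dek) }

// UnwrapDEK recovers a data key; it refuses once access has been revoked.
func (s *OrgKeyService) UnwrapDEK(wrapped []byte) ([]byte, error) {
	if s.revoked {
		return nil, errors.New("key access revoked by the data controller")
	}
	return openBlob(s.kek, wrapped)
}

// Revoke withdraws decryption capability without changing anything in the cloud.
func (s *OrgKeyService) Revoke() { s.revoked = true }

// StoredDocument is everything the cloud provider holds for one document.
// Without the organisation-held KEK, neither field yields plaintext.
type StoredDocument struct {
	Ciphertext []byte // nonce || AES-GCM ciphertext under the DEK
	WrappedDEK []byte // DEK wrapped by OrgKeyService
}

// EncryptForCloud uses a fresh DEK per document and stores only the wrapped DEK.
func EncryptForCloud(ks *OrgKeyService, plaintext []byte) (*StoredDocument, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := sealBlob(dek, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &StoredDocument{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptFromCloud must consult the organisation's key service on every read.
func DecryptFromCloud(ks *OrgKeyService, doc *StoredDocument) ([]byte, error) {
	dek, err := ks.UnwrapDEK(doc.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openBlob(dek, doc.Ciphertext)
}

func main() {
	ks, _ := NewOrgKeyService()
	// Constructed sample letter; not real social data.
	doc, _ := EncryptForCloud(ks, []byte("Leistungsbescheid 2026-04-08, Versichertennummer A000000000"))
	pt, err := DecryptFromCloud(ks, doc)
	fmt.Printf("read before revocation: %q err=%v\n", pt, err)
	ks.Revoke()
	_, err = DecryptFromCloud(ks, doc)
	fmt.Printf("read after revocation: err=%v\n", err)
}
```

The design point is that `StoredDocument` is the only thing at the provider, and it is useless without a call into `OrgKeyService`; a provider, or anyone compelling the provider, cannot decrypt, and the organisation's revocation takes effect immediately for all documents.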

Independence and flexibility

To avoid vendor lock-in, cloud solutions should ideally be based on open standards. This allows providers to be changed with minimal technical effort. At the same time, the solution must scale rapidly to handle peak loads within hours.


Key regulatory requirements at a glance


Insights from a project with AOK Niedersachsen

German health insurance company AOK Niedersachsen aimed to make its document management system from provider Binect more flexible. The organization chose the T Cloud Public, with data centers located in Germany, ensuring that social data never leaves the country. The solution has been running reliably for over three years. According to Sebastian Angerstein, Head of IT Project and Solution Management at AOK Niedersachsen, processing times have been reduced from days to hours. The user experience has also improved significantly. In addition, service availability has been greatly enhanced. Updates can be deployed quickly, and scaling is available at the push of a button. The pay-as-you-use model provides cost advantages and transparency regarding actual usage. “The provision of these services became a lighthouse project for us in adopting cloud services—and we have not regretted taking this step,” says Christoph Meyer, Head of Solution Management at AOK Niedersachsen.

Secure digitalization in Germany is possible

What other organizations can learn from this project is clear: public cloud and healthcare are not mutually exclusive. In fact, meeting extensive regulatory requirements can be easier with certified cloud solutions from Germany. Key success factors include early involvement of compliance departments, the use of open standards (open source), and a strong focus on providers with a C5 Type 2 attestation.


About the author

Timo Adler

Senior Expert Sales Cloud Services, T-Systems International GmbH
