Information Security Policy

Classification: Public

Responsible: CEO

Consulted: ISO, CPE

Purpose of this document

samedi has implemented an information security management system (ISMS) which complies with ISO 27001:2017 and BSI C5:2020, in order to ensure information security in all our products, services and offerings.

This document serves as the central information security policy and defines the purpose, orientation, fundamentals, and basic rules for the ISMS.

The information security policy is reviewed regularly and approved by managing directors.

Company Description

samedi, as a web software solution (SaaS), enables collaborative treatment process planning and patient management for all stakeholders in the healthcare sector. The coordination of treatment processes and the digital representation of all relevant communication channels between medical practices, clinics, patients, payers, and other healthcare providers are comprehensively and efficiently managed through samedi in accordance with the highest security requirements.

Interested Parties

samedi has identified the following interested parties and their requirements for information security:

  • Customers

  • Suppliers

  • Employees

  • Legislators

Security Objectives

Information security refers to a state in which the risks to the security objectives of confidentiality, integrity, availability, and authenticity of information and information technology are reduced to an acceptable level through appropriate measures. Information security encompasses the security of IT systems and the data stored within them.

Confidentiality:

Confidential data, information, and programs must be protected from unauthorized access and disclosure. Objects of protection include stored or transported message contents, detailed information about the communication process (who, when, how long, with whom, etc.), and data about the sending and receiving process.

Integrity:

The term integrity applies to both information and data as well as the entire IT system. Integrity of information means its completeness and correctness. Completeness means that all parts of the information are available. Information is correct if it accurately reflects the described facts. Additionally, the term integrity also refers to IT systems, as the integrity of information and data can only be ensured with proper processing and transmission.

Availability:

The functions of hardware and software in the system and network area, as well as necessary information, are available to the user at the right time and place. Our customers' requirements regarding the availability of our cloud products are of high importance to us.

Authenticity:

Ensuring the unique identity of communication partners and communicating components. This aims to protect against identity misuse.

According to the company's goals, strategy, business processes, and the requirements of the company's stakeholders, the relevant cloud regulations and threats to the confidentiality, integrity, availability and authenticity of information are the most important security requirements for samedi. To systematically meet these security requirements, the company, specifically the Cloud Applications division, aligns with the Cloud Computing Compliance Controls Catalogue (C5) of the Federal Office for Information Security (BSI). Additionally, the company operates an Information Security Management System (ISMS) according to DIN EN ISO/IEC 27001.

Scope

The information security policy is valid for all of samedi’s internal and external employees, processes, products and sites, as defined in the scope of our information security management system.

Product development, programming, operations, marketing, sales and support of e-health software

The document has been communicated to all internal and external employees and all of samedi’s customers.

Roles and dependencies

ISMS Roles

The following ISMS roles and responsibilities are defined (see Organisation of the Management Systems):

  • Managing Directors (MD)

  • Chief Technology Officer (CTO)

  • Chief Principal Engineer (CPE)

  • Information Security Officer (ISO)

  • Coordinator for Handling IT Security Incidents (CERT Leader)

  • Data Protection Officer / General Counsel (DPO)

  • Business Continuity Management Officer

  • Employees

Information Security Committees

The following committees have been established to manage information security aspects:

  • ISB Jour-Fixe

  • Security Board

  • ISMS-Team

Other Organisations

While developing, maintaining, and enhancing our information security management system, samedi relies on Syngenity GmbH to act as the external Information Security Management Officer and Quality Management Officer. Syngenity GmbH offers expertise and consulting services for all aspects related to information security and quality management.

Other roles defined at samedi are also relevant in the context of the ISMS; these include, for example, the CTO, the CPE and the Head of ITO. All of these roles are defined by samedi itself.

From a technical perspective, samedi partners with T-Systems for their infrastructure-as-a-service solutions within the Open Telekom Cloud. This infrastructure is utilized to host our customer-facing products.

Interfaces and Dependencies

Interfaces and dependencies can be found within the company itself and between the company and its customers as well as the (SSO) service providers:

  • The organization and roles within the company are described below (Organisation of the Management Systems).

  • Interactions with customers are regulated in the respective contracts (SLAs or contracts) as well as in the company's process descriptions.

  • The interfaces and dependencies to the (SSO) service providers are documented in line with the organization's requirements for ISMS-documentation.

Importance of information security within samedi

For more than 15 years, samedi’s mission has been to support the relationship between doctors and patients by offering digital services which help to coordinate healthcare treatments to aid all actors in maintaining easy, efficient and secure workflows.

Since the very beginning, samedi has sought advice from legal professionals, data security specialists and technology experts to find ways to enable doctors, clinics and other actors to securely store patient and medical data in the cloud.

The patient and medical data samedi stores is categorized under Art. 9 GDPR as “special categories of personal data,” which requires a higher protection level for our customers.

As samedi processes a great amount of data, including sensitive information, any data breach would be critical and must be avoided.

Data and information security as well as high availability of our services are samedi’s highest values and core unique selling point for our customers.

The importance of information security is underscored by our commitment to implementing critical frameworks such as ISO 27001 and BSI C5, which ensure robust protection of our data and systems. These efforts demonstrate our dedication to maintaining high security standards, building trust with our clients, and complying with regulatory requirements.

Information Security Management System in accordance with ISO 27001

Demonstrated by the ISO 27001 certification, samedi has implemented a robust framework for managing information security, ensuring that all sensitive data is protected against threats and vulnerabilities. This demonstrates samedi's commitment to safeguarding information, enhancing customer trust, and complying with regulatory requirements. ISO 27001 integrates security practices across the entire organization, involving all departments and employees in maintaining and continually improving information security measures. This holistic approach ensures that security is ingrained in samedi's culture and operations, reducing risks and enhancing overall resilience.

Information Security in Cloud Applications in accordance with BSI C5

Through the implementation of BSI C5, we ensure that our cloud services meet stringent security standards and regulatory requirements. BSI C5 provides a comprehensive framework for data protection, access control, and threat management in the cloud. The implementation demonstrates our commitment to high security levels, safeguarding customer data, and enhancing trust in our cloud services.

Corporate Goals and strategy for achievement

Our security objectives and desired level of security are derived from our business goals and are integral to our strategy. We aim to align our security measures with our operational goals to ensure robust protection of our services. Our approach emphasizes balancing security and business efficiency to deliver reliable and secure cloud solutions. Excellence in our services for customers is our top priority. Our main goals for information security, data security, and quality are:

  • Avoid incidents that threaten the confidentiality, integrity, availability, and authenticity of our customers' data.

  • Provide an availability of our customer-facing services of at least 99.95% (annual average).

These goals do not exist in a vacuum. As a cloud service provider in the healthcare sector, the organization must comply with various laws and regulations. The most important laws and regulations include:

  • General Data Protection Regulation (GDPR)

  • Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG)

  • NIS-2

  • Hospital Future Act (Krankenhauszukunftsgesetz - KHZG)

  • Digital-Gesetz - DigiG

  • Sozialgesetzbuch V

The detailed legal requirements are defined in our overview of applicable laws: https://samedigmbh.atlassian.net/wiki/x/MYArG

From these, more general information security goals can be derived:

  • Ensuring consistent information security throughout the entire company

  • Safeguarding intangible assets and preventing economic losses and damage to reputation. The company faces significant damages if sensitive information and data are misused, manipulated, sabotaged, or made unavailable. The adopted policies, processes, and information security and data protection measures aim to minimize these risks and damages.

  • Compliance with legal requirements

  • Building and maintaining a leading position as a reputable, secure vendor

  • Protecting investments in our intellectual property, know-how, and strategic and economically relevant plans

  • Minimizing the damages that can occur during failures or disruptions

Due to the criticality of the information we store for our customers and the regulations they must comply with, the organization must provide a high protection level for all production assets, while providing a normal protection level for all non-production assets.

Certain regulations, especially DigiG and SGB V, require the organization to seek and maintain specific certifications and attestations, which we are committed to maintaining. Additionally, the organization proactively addresses issues beyond mere legal compliance, responding to stakeholder expectations:

  • BSI C5:2020 - required by DigiG

  • Certification for information security regarding Annex 31b to Bundesmantelvertrag-Ärzte (for video consultation)

  • ISO 27001 - self-commitment to a certified management system

  • ISO 9001 - self-commitment to a certified management system

Given the extensive requirements, strict planning and organization are essential to properly fulfill all obligations. This is achieved by embedding information security across the organization. The key aspects of the organization’s strategy to accomplish this are:

  • Creating awareness of information security among all employees

  • Embedding information and data security into our design, development, and QA processes

  • Securely hosting our cloud environments with trusted partners

  • Continually reviewing and revising policies, processes, and implementations to improve our management systems.

Commitment of Management

To achieve the objectives in the context of information security, the management commits to the following:

  • Actively supporting the organization's security activities by setting clear goals and guidelines.

  • Leading by example through responsible actions, including reviewing and approving this policy, monitoring and responding to changes, and defining key roles and responsibilities in the information security management process.

  • Providing sufficient resources for the operation and maintenance of the ISMS.

  • Implementing comprehensive measures to achieve the company's goals, which are continuously reviewed for completeness, effectiveness, and appropriateness, both internally and externally. Findings are analyzed, evaluated, and implemented as relevant to ensure ongoing improvement of the ISMS. Additionally, specific goals for improving the ISMS for the coming year are set during regular management reviews, and the achievement of the previous reporting period's goals is assessed.

  • Promoting and supporting employees and other leaders in performing their duties within their areas of responsibility, particularly to ensure the effectiveness of the ISMS.

Organization of the Management Systems

The focus on information security, data security and quality shown above can only be achieved when the whole company works on realizing the goals. This starts at defining roles and responsibilities for the management systems.

Managing Directors (MD)

The Managing Directors hold the highest decision-making authority. They approve the Information Security Policy based on the recommendations of the Information Security Officer.

Managing Directors are responsible for ensuring that the Information Security and Quality Management Systems are active and up-to-date according to this policy. They must also provide sufficient financial and time resources to maintain these management systems.

They must review the Management System at least annually or when major changes occur to ensure its appropriateness, fitness, and effectiveness.

The ultimate responsibility for the proper and secure performance of tasks, including information security, rests with the company management.

Chief Technology Officer (CTO) & Chief Principal Engineer (CPE)

The CTO and CPE are the central authority for operational IT security and are responsible for the secure operation and implementation of security measures. Together with the Information Security Officer, they bring in specific aspects of information security and are responsible for implementing appropriate security measures.

They serve as an interface to the Information Security Officer and conduct regular meetings in order to make sure that information security is implemented in all relevant projects and development of our products.

Information Security Officer (ISO)

The Information Security Officer (ISO) is responsible for coordinating the operation, reporting, and effectiveness of the Information Security Management System. The ISO also devises, coordinates, and conducts information security training and awareness programs for all employees.

The ISO defines requirements and approves the implementation of new applications, processes, and components, with a special focus on risks related to the protection goals of information security: confidentiality, integrity, availability, and authenticity. These risks must be evaluated, tracked, and mitigated according to the risk management policy.

Additionally, the ISO monitors the technical and organizational development of information security, such as identifying critical security vulnerabilities and updates to state-of-the-art technologies. The ISO informs stakeholders and assists them in adapting or defining appropriate measures.

Coordinator for Handling IT Security Incidents (CERT Leader)

The Coordinator for Handling IT Security Incidents leads the Computer Emergency Response Team.

Data Protection Officer / General Counsel

The Data Protection Officer / General Counsel supports compliance with (data protection) regulations. They are consulted by the project teams in order to assess data security early in projects.

They monitor relevant legal changes which serve as inputs/requirements to the Information Security Management System.

They are also included in incident management teams when required.

Information Security Management Team (ISMS-Team)

The ISMS-Team includes:

  • Information Security Officer

  • Data Security Officer

  • Chief Principal Engineer or Chief Technology Officer

  • other subject matter experts

It is responsible for planning tasks and measures required for maintaining and improving the ISMS, as well as planning audits and reasoning on incidents. Furthermore, it is responsible for continuously reviewing and improving the ISMS documentation (policies, processes, procedures).

It oversees and coordinates activities related to the organization's risk management framework. It assesses ongoing and emerging risks, evaluates the effectiveness of current risk mitigation strategies, and ensures that the organization’s risk profile aligns with its strategic objectives. The team also promotes cross-departmental communication to address risks comprehensively and efficiently.

Furthermore, the ISMS-Team oversees and guides the organization's Business Continuity Management (BCM) activities. The team reviews the effectiveness of current continuity plans, assesses potential risks to critical operations, and ensures that the organization is prepared to respond to and recover from disruptions. It also coordinates cross-departmental efforts to maintain resilience and safeguard essential business functions.

Employees

Information Security cannot be implemented without proper awareness and alignment of all employees. Employees are required to keep our information systems safe and ensure customer and business data is kept secure.

Should an employee notice irregularities regarding information security, they are required to act immediately and inform their team lead and the Information Security Officer.

All internal and external employees are expected to know and adhere to this information security policy.

Other responsibilities

For all information, processes, systems and infrastructure, a responsible person is named (asset, process, risk or system owner). They are responsible for judging the business impact, defining rights and roles, and approving or denying changes to security-related configuration, permissions and processes in their respective area of responsibility.

They are accountable towards the Information Security Officer in respect to matters of information security.

They are also responsible for informing samedi's external partners and suppliers about the requirements for information security and for monitoring their compliance with them.

Consequences of Non-Compliance

Intentional or grossly negligent actions that violate security requirements can result in financial losses, harm employees, business partners, and customers, or jeopardize the company's reputation. Deliberate violations of mandatory security rules can have labor law and potentially criminal consequences and lead to claims for damages.