Swiss hospitals have approved joint baseline protection requirements for IT systems. Healthcare institutions can demand these requirements from suppliers’ products and apply them in future procurement processes. The requirements are derived from applicable laws, directives of the regulatory authorities, and recognized standards.
With these technical and organizational requirements, healthcare institutions establish a uniform benchmark for comparing IT security aspects of products from different manufacturers, thereby reinforcing the demand for secure products and manufacturers that take information security seriously.
Target audience
The document “Baseline protection requirements for IT systems” is primarily intended for suppliers of healthcare institutions. Dedicated materials for healthcare institutions are available on the H-CSC platform.
Benefits for all stakeholders
The baseline protection requirements for IT systems define uniform requirements that apply across the healthcare sector. This common baseline brings significant benefits for suppliers and healthcare institutions alike:
- In healthcare procurement processes, product security features receive greater attention and evaluation. More secure products stand out compared to weaker competing products.
- Suppliers’ investments in the IT security of their products pay off and can be used as market sales arguments.
- The baseline protection requirements highlight valuable steps for suppliers in their product development.
- The harmonization of requirements eliminates the need for individual requirement catalogues from healthcare institutions that suppliers previously had to complete. Suppliers can assess their products once and reuse the documentation for multiple healthcare institutions.
- Healthcare institutions have a standardized specification for requesting baseline protection for IT systems and no longer need to create individual requirements.
- Overall, the baseline protection requirements will increase information security in healthcare institutions and thereby reduce security incidents, benefiting patients, healthcare institutions, and suppliers.
Functioning of the baseline protection requirements for IT systems
Suppliers who invest in the IT security of their systems must be assessed fairly against suppliers whose systems contain vulnerabilities. This is achieved by making the additional costs of compensating for missing security features visible and adding them to the comparison. The baseline protection requirements define the uniform benchmark for this comparison.
Procedure
The standard supports both proactive procurement processes (acquisitive procurement) and reactive procurement processes (request-based procurement).
For proactive procurement processes, suppliers can use the “self-declaration”, a standardized electronic form aligned with the standard.
- Suppliers, i.e., product manufacturers, prepare a one-time self-declaration for each of their products based on the publicly available requirements. Missing security features can be compensated by additional measures, thereby improving the product.
- Suppliers submit the self-declaration together with the remaining tender documents to the requesting healthcare institution.
- Individual requirement catalogues to be completed at a later stage are no longer necessary.
- The healthcare institution evaluates both the product and the self-declaration as part of its assessment processes and makes its decision.
In reactive procurement processes, healthcare institutions define their requirements in the form of a “specification”, a standardized electronic form that reflects the standard. Depending on the object being procured, the healthcare institution can mark individual requirements as, for example, not relevant or mandatory.
- Healthcare institutions create the standardized specification for their respective request-based procurement that is based on the publicly available requirements.
- Suppliers can respond to the specification by referring to the “self-declaration” of their products. The two forms – the healthcare institution’s “specification” and suppliers’ “self-declaration” – are compatible, based on the same standard, and contain identical references.
- For suppliers who already maintain self-declarations for their products, responding to the requirements requires minimal effort.
- In the self-declaration, suppliers may also state additional security features of their products that go beyond the requirements, thereby strengthening their offer.
- Individual requirement catalogues per healthcare institution are no longer necessary. The standard simplifies the process for both suppliers and healthcare institutions.
- Suppliers submit the completed specification together with the remaining tender documents to the requesting healthcare institution.
- The healthcare institution evaluates the product by comparing the completed requirements. Depending on the procurement procedure, missing security features may be compensated by additional protective measures that the healthcare institution implements itself. The cost of these measures is added to the supplier’s offered price so that it is reflected in the evaluation. In this way, offers can be compared against uniform baseline protection requirements.
Links to the documents
Note: To use the electronic form correctly, once it is open please select “download a copy → Excel”.
Further specific materials for healthcare institutions are available to members on the H-CSC platform.
Contact persons
For questions, please contact your respective contact persons within the relevant healthcare institution.
Broad support
The healthcare institutions listed below apply the baseline protection requirements in their procurement processes.
This logo list is currently under development. The following institutions have already confirmed their participation: