
KBV IT Security Guideline 2025: What medical practices need to do now

A revised IT security policy from the National Association of Statutory Health Insurance Physicians (KBV) has been in effect since April 1, 2025, and must be implemented in all medical and psychotherapy practices by October 1, 2025. This brings a previously often neglected aspect into focus: the obligation to provide IT security training for practice staff. The new regulation aims to better protect patient data and minimize cyber risks in medical facilities. For you as a compliance officer, IT decision-maker, or data protection officer in a medical practice, there is a need for action. In this article, we explain the background, show you what needs to be done specifically, and give you practical recommendations.
Why the new KBV guideline is relevant
With its new IT security guidelines, the KBV has tightened the requirements for data protection and cyber resilience in private practices. The aim is to increase staff awareness and improve technical and organizational security measures. One key change is that all practice employees - regardless of their position or role - must be trained in IT security.
Who is affected?
The requirements apply to all contracted physicians and psychotherapists and are also binding at the employee level. The size of the practice determines the scope of the requirements:
- Small practices: up to 5 people with data processing access
- Medium-sized practices: 6 to 20 people
- Large practices: more than 20 people or practices with special equipment (e.g., CT, MRI) or special processing requirements (HÄVBW)
The guideline took effect on April 1, 2025, and must be implemented by October 1, 2025.
Important: According to current information, failure to implement the directive will not result in fee reductions or fines by the KBV. Nevertheless, the risk of data protection sanctions or security incidents increases significantly.
Legal basis: Data protection and IT security
To give you a solid understanding, here are the most important legal references:
General Data Protection Regulation (GDPR)
According to Art. 32 GDPR, controllers must take appropriate technical and organizational measures (TOM) “to ensure a level of security appropriate to the risk.” This includes training and raising awareness among staff.
In addition, Article 24 GDPR requires accountability: you must be able to demonstrate that you have actually implemented the GDPR requirements – and that includes documentation and training measures.
Section 75b SGB V (for medical practices)
In the case of contract medical care, additional federal regulations come into play: for example, IT security requirements based on social legislation and agreements with associations of statutory health insurance physicians. The KBV guideline specifies how practices at this contract level should organize their security obligations.
IT Security Act / BSI Basic Protection / ISO 27001 (as a guide)
Although these standards do not apply directly to every medical practice, they often serve as a benchmark in audits or expert assessments. Anyone asking about the “state of the art” in practice can refer to established standards.
In short, the new KBV guideline reinforces legal requirements and makes employee training a mandatory part of the security strategy.
What exactly does IT security training involve?
A properly designed training program should address both technical and organizational aspects and ideally be modular in structure. Here are the core elements:
Mandatory modules for all employees
- Basic concepts of IT security (phishing, social engineering, password hygiene)
- Proper handling of sensitive data, patient records, and access controls
- Recognizing and reporting security incidents
- Handling mobile devices, USB sticks, and cloud services
- Using email, VPN, and remote access under secure conditions
Advanced modules depending on role
- Administrators/IT managers: Firewall, network segmentation, patch management
- Management: Governance, risk management, reporting
- Laboratory, diagnostics, or imaging: Secure processing of large data sets, interfaces
Examination or control mechanisms
- Short tests or quizzes at the end of each module
- Documentation: Who completed which module and when
- Refresher courses: annual or semi-annual updates
Formats and tools
- E-learning platforms (on-demand)
- Face-to-face training or workshops
- Gamification elements (simulators, interactive scenarios)
- Awareness campaigns (weekly tips, posters, phishing simulations)
How to implement IT security training in your practice
Here is a pragmatic roadmap for meeting the requirement:
Step 1: Analyze the status quo
- Create an overview of all employees, including their tasks and IT access
- Conduct a risk analysis: Where are the vulnerabilities (e.g., bring-your-own-device, working from home)?
- Review existing training courses, guidelines, and documentation.
Step 2: Develop a training concept
- Choose a training format (e-learning, face-to-face, hybrid).
- Define training content and mandatory modules.
- Assign responsibility for planning, implementation, and documentation.
- Calculate resources: time, costs, technical infrastructure.
Step 3: Start implementation
- Communicate transparently within the team: what the training is for, what obligations exist
- Start with a basic module for all employees
- Set deadlines and reminders
- Incorporate feedback loops
Step 4: Monitoring and verification
- Keep records of who has completed which module and when
- Check the results (quizzes, tests)
- Document training processes in the compliance and data protection concept
- Integrate refresher courses and updates (e.g., in the event of new threats)
Step 5: Integration into the overall security concept
- Link the training closely to technical measures (e.g., access controls, encryption)
- Require employees to comply with training guidelines
- Anchor IT security in your organizational framework (e.g., responsibilities, escalation paths)
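The roadmap above (inventory in Step 1, role-based modules in Step 2, completion records, quiz results and refresher cycles in Step 4) reduces to a ledger that a practice can keep and check mechanically. The following Python script is an added illustration, not part of the article or of any KBV material: it holds a constructed roster and completion log, derives the required modules per role from the module lists given earlier, and reports who is missing a module, failed its quiz, or is past the annual refresher date. Module names, role names, the pass mark of 70 and the audit date are assumptions chosen for the example.

```python
"""Training-completion ledger for a practice: who still owes which module.

Added example with constructed data. Module and role names, the pass mark
and the audit date are assumptions for illustration, not KBV definitions.
"""
from datetime import date, timedelta

# Basic block every employee must complete (mirrors the article's mandatory modules).
MANDATORY_FOR_ALL = {
    "basics", "sensitive-data", "incident-reporting",
    "mobile-and-cloud", "email-vpn-remote",
}
# Role-specific add-ons (assumed role names; reception staff has no extra module).
ROLE_MODULES = {
    "admin": {"firewall-segmentation-patching"},
    "management": {"governance-risk-reporting"},
    "diagnostics": {"large-datasets-interfaces"},
    "reception": set(),
}
REFRESH_INTERVAL = timedelta(days=365)  # annual refresher, as the article recommends
PASS_MARK = 70                          # assumed quiz threshold
AUDIT_DATE = date(2025, 10, 1)          # implementation deadline used as audit day

# Constructed roster: (employee, role). Names are placeholders.
ROSTER = [("A. Example", "admin"), ("B. Example", "reception"), ("C. Example", "management")]

# Constructed completion log: (employee, module, completion date, quiz score).
COMPLETIONS = [
    ("A. Example", "basics", date(2024, 9, 15), 95),           # older than a year: overdue
    ("A. Example", "sensitive-data", date(2025, 4, 10), 88),
    ("A. Example", "incident-reporting", date(2025, 4, 10), 92),
    ("A. Example", "mobile-and-cloud", date(2025, 4, 11), 80),
    ("A. Example", "email-vpn-remote", date(2025, 4, 11), 85),
    ("A. Example", "firewall-segmentation-patching", date(2025, 5, 2), 90),
    ("B. Example", "basics", date(2025, 6, 1), 65),             # failed first attempt
    ("B. Example", "basics", date(2025, 6, 10), 85),            # retake passes
    ("B. Example", "sensitive-data", date(2025, 6, 10), 78),
    ("B. Example", "incident-reporting", date(2025, 6, 10), 60),  # failed, no retake yet
    ("B. Example", "mobile-and-cloud", date(2025, 6, 12), 75),
    # B. Example has no record at all for "email-vpn-remote"
    ("C. Example", "basics", date(2025, 7, 1), 90),
]


def required_modules(role):
    """Mandatory block plus whatever the role adds; unknown roles get the basics only."""
    return MANDATORY_FOR_ALL | ROLE_MODULES.get(role, set())


def training_status(roster, completions, today, pass_mark=PASS_MARK, interval=REFRESH_INTERVAL):
    """Return {employee: {"missing": set, "failed": set, "overdue": set}}.

    Only the most recent attempt per (employee, module) counts, so a passed
    retake clears an earlier failure.
    """
    latest = {}
    for name, module, when, score in completions:
        key = (name, module)
        if key not in latest or when > latest[key][0]:
            latest[key] = (when, score)

    report = {}
    for name, role in roster:
        status = {"missing": set(), "failed": set(), "overdue": set()}
        for module in required_modules(role):
            record = latest.get((name, module))
            if record is None:
                status["missing"].add(module)
            elif record[1] < pass_mark:
                status["failed"].add(module)
            elif today - record[0] > interval:
                status["overdue"].add(module)
        report[name] = status
    return report


def audit_rows(report):
    """Flatten the report into sorted (employee, issue, module) rows for the compliance file."""
    rows = []
    for name, status in report.items():
        for issue, modules in status.items():
            rows.extend((name, issue, module) for module in modules)
    return sorted(rows)


def run_report(today=AUDIT_DATE):
    """Evaluate the constructed roster and log as of the audit date."""
    return training_status(ROSTER, COMPLETIONS, today)


if __name__ == "__main__":
    for name, issue, module in audit_rows(run_report()):
        print(f"{name:12s} {issue:8s} {module}")
```

Run as-is, the script lists one overdue refresher for the administrator, one failed quiz and one missing module for the reception employee, and five open modules for the manager. In practice the roster and log would come from the practice's LMS export rather than being typed in, and the printed rows are the kind of evidence Step 4 asks you to keep.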
Common challenges and how to overcome them
- Resistance within the team: Some employees see training as a chore. Involve them early on, explain the benefits, and provide practical examples.
- Time constraints: Plan specific time slots, e.g., short daily sessions instead of full-day workshops.
- Technical implementation: A robust e-learning platform, such as the one from heyData, can help. Pay attention to usability, user-friendliness, and tracking functions.
- Sustainability: Without refresher training, knowledge fades. Establish regular updates or mini-refreshers.
- Verification: Documentation is mandatory. Automated reports and audit logs make this easier.
FAQ – frequently asked questions about practical implementation
How often should the training be repeated?
As a best practice, you should plan annual refresher courses. Immediate updates may also be necessary in the event of new threats or incidents.
What happens if someone does not complete the training?
You should clearly communicate that training is mandatory. You can take internal measures in the event of refusal—in extreme cases, restrictions on IT access, if legally permissible.
Can I use external training providers?
Yes, external providers with proven expertise are often useful. Important: Contractual provisions on data protection (e.g., order processing) must be taken into account. We are happy to support you in this step with our IT security training courses, which have been verified by lawyers, via our platform.
Do I have to measure the success of the training?
Yes. Through tests, simulated phishing campaigns, or reported security incidents, you can evaluate how effective the training was.
Outlook and recommendation
The KBV guideline sets a clear standard: IT security can no longer be an optional extra in medical practices. You must introduce training for all employees in every case. This can be done in small practices with simple means and in large practices with sophisticated concepts.
In the long term, it is worth investing in a professionally implemented learning management system (LMS), coupled with awareness campaigns and technical measures. This will help you establish a security culture that goes beyond the minimum requirements.
Next, you should:
- Immediately outline a roadmap (who, when, with what)
- Evaluate suitable training providers
- Start communication within the team
- Check the technical infrastructure (e.g., tracking, platforms)
Conclusion
With the new KBV guideline, IT security training is now mandatory in medical practices. It is becoming a cornerstone of effective data protection and security concepts. For you as a compliance officer or IT decision-maker, one thing is clear: you need to take action. With a well-thought-out concept, comprehensible documentation, and appropriate training formats, you can meet the requirements and at the same time sustainably increase the cyber resilience of your practice.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.


