As of mid-January 2021, the German healthcare system will standardize all prescriptions using a central, digital service, thus making them easily and quickly available to both consumers and all healthcare institutions. The identity check, a high-security and high-availability system as a central element of the overall service was awarded to RISE last week. RISE is working together with noris network AG and msg systems ag on this project.

In the EU-wide tender procedure for the introduction of the e-prescription, gematik has awarded the development and operation of the identity provider (IDP) to the Austrian company Research Industrial Systems Engineering (RISE) Forschungs-, Entwicklungs- und Großprojektberatung GmbH. The service had been previously tendered as a second lot within the scope of an EU-wide announcement (No. 2020/S 101-244269 of May 26, 2020).

The identity provider is a central access system that authenticates the identity of the participants (hospitals, GPs, pharmacists and insured persons) and enables access to the e-prescription systems. Separating the identity provider from the e-prescription provider into two lots and awarding both lots to different companies ensures that security-relevant services are distributed among different organizations. RISE will develop and provide the identity provider on behalf of gematik and in accordance with the technical specification based on the Standard OpenID Connect by mid-2021

For the implementation of this 7x24x365 service, which guarantees an availability of 99.99% due to its over-arching use, the Viennese technology company RISE, with its headquarters Berlin, is supported by the Nuremberg-based IT infrastructure company noris, which provides its Germany-wide datacenters, network and cable infrastructures as housing for the identity provider. The consulting and IT company msg, headquartered in Ismaning, is also supporting the development of the project, especially in the areas of service management and delivery as well as quality and test management.

Gematik awarded the e-prescription service, which was also put out to tender as lot 1 in the EU-wide announcement (No. 2020/S 101-244296 of May 26, 2020) to IBM Germany. Together with the e-prescription app developed by gematik, the starting signal for electronic prescriptions will be given on July 1, 2021. As of January 1, 2022, electronic prescriptions for prescription drugs will be mandatory, making processes faster and more efficient. From the moment the GP issues the prescription, to the insured person handing it over at the pharmacy of their choice through to billing with the health insurer.

Thomas Grechenig, spokesperson for Management of RISE: “Identity services are a central element of Europe’s autonomous, digital future. For example, it digitally reports back to the mobile phone trying to access the service “I know you. You may come in.” In the case of the e-prescription for the whole of Germany, this will happen an average of 2 million times a day in the future. The system's downtime must not exceed a maximum of 4 minutes per month and be less than 1 hour per year. In total. To achieve this, you must have a global grasp on IT. And RISE does. Our Identity and Access Management (IAM) experience in many industry sectors over 20 years was certainly one of the reasons why we were awarded the development of this service.

We are also very pleased that two such competent German IT houses as the agile noris and msg with its comprehensive range of products and services are loyally accompanying us in the implementation of this task. With currently 73 million citizens as users, the telematics infrastructure (TI) is currently Europe’s largest, autonomous, public IT infrastructure. It is growing in a solid, future-oriented evolution of IT security, privacy protection and high availability while maintaining high-level demands of integrity and security conditions in collaboration with the Bundesamtes für Sicherheit in der Informationstechnik (BSI German Federal Office for Information Security) and the Bundesbeauftragten für Datenschutz und Informationsfreiheit (German federal commissioner for data protection and freedom of information).

Rolf Kranz, member of the Executive Board of msg: “The e-prescription is one of the key drivers of digitization of Germany’s healthcare sector. We are therefore very pleased to support this project as part of the consortium and to contribute our long-term experience and industry expertise in the healthcare business segment.”

Stefan Keller, member of the Executive Board of noris: "The requirements to be met perfectly suit the strategic direction of noris, with its focus on regulatory requirements for security, availability and compliance in its own datacenters in Germany, which have been certified by different organizations.”

Following the motto of “Insurance 2020 – Business Transformation Accelerated”, msg hosted its first virtual inscomTALK. High-profile insurance experts made guest appearances at the studio and provided answers and explanations during a Q&A session. The event was broadcast to viewers from 14 countries via live stream. The inscomTALK addressed the issues of ecosystems and platforms, innovation management, health ecosystems and compliance.

Host Cristián Gálvez and msg board member Bernhard Lang led the event, passing on questions from participants to the guest speakers and hosting smaller live polls with the audience. “We were very touched by the interaction with our viewers. Even if we cannot get together in person, it is still very important to facilitate direct communication, especially in these turbulent times,” explained Bernhard Lang, while also emphasizing the benefits of a virtual conference. “It is actually much easier for our partners and customers located abroad to participate in a virtual event than to have to travel to Munich.”

The impact of the corona crisis on society and insurance companies was a key topic of the discussion session. During a brief keynote speech, futurologist and trend researcher Matthias Horx took a look at some of the fundamental changes which are triggered by an extreme crisis. “Most people do not even want to go back to how things were before the crisis,” he commented. The audience’s opinion on the topic of changes resulting from the coronavirus was also very clear: A live vote by participants during the event showed that almost 55% considered the impact the crisis is having on digitalization to be “significant”.

What the impact on mobility might be was then discussed by Bernhard Lang with the first guest Karsten Crede, CEO of ERGO Mobility Solutions. Crede was confident the German economy still held considerable potential to create cross-industry platforms. However, he did emphasize during the discussion that product offerings would have to focus directly on customer needs in order to be successful. With his second guest, Sebastian Pitzler, Lang discussed the current situation innovation labs were facing. Despite the current crisis, Pitzler was able to provide some reassurance: InsurLab Germany’s portfolio was being well received in the industry and insurtechs were just as important as before.

Joining the event via a live connection, msg board member Rolf Kranz was able to confirm that fact and provide insight into msg’s insurance strategy. Innovation and collaborations with network partners would continue to be very important going forward. msg hoped to support the healthcare sector even further in the future with digital health offers. To that end, a new business division was even being created within the company.

Trending questions on the topic of healthcare were answered by the third guest, Timm Schindler, in an interview with Bernhard Lang. As a program manager for AOK Plus, Schindler is already well-versed in what it means to create a healthcare platform. Schindler pointed out that insurance companies want to act as digital enablers, not interfere in the relationship between physicians and patients.

Andreas Schönherr, Managing Director of Swiss Re then answered trending questions on the topic of compliance. The results from a vote held amongst the inscomTALK audience confirmed what experts in recent years have observed. Compliance is becoming more widely recognized as a management tool for effective enterprise management. There is, at the very least, a definite trend in that direction.

The insurance industry is constantly being subjected to major changes and must continuously adapt. That the industry can successfully do so during a global crisis like the corona pandemic is something the experts agreed on.

Within the scope of an audit, msg has demonstrated SAP expertise in the AWS environment and has obtained the AWS partner status “SAP Competency”. With this competency rating, it is officially recognized that msg has a comprehensive know-how in the area of architecture, migration and management of SAP applications in the AWS cloud.

This status can only be achieved by partners that have the Advanced Consulting Partner status, which msg has achieved by the end of last year.

For the competency program SAP Competency, msg has demonstrated its abilities in migration and operation scenarios as well as the associated subject areas of security and high availability as part of an external audit. The competency rating emphasizes that msg is the expert in the German-speaking area for architecture, migration and operation of SAP workloads on AWS. Karl Lassak, divisional manager SAP and AWS at the msg group of companies msg services underscores: “Achieving the SAP Competency is an important and strategic step for the partnership between msg and AWS, which underlines our competency and will enhance our visibility on the market.”

Since June 2020, msg is also an AWS training partner (ATP). msg employees with the appropriate certification can perform and hold trainings on AWS topics.

In this year’s Luenendonk ranking of “Top 25 consulting and system integration companies in Germany”, msg has once again earned sixth place. The ranking is considered an important indicator of sentiment in the German IT industry.

The top 25 IT consulting companies in Germany saw average growth of 10.0 percent in 2019. Companies tended to seek the support of IT consultants in the fields of IT modernization, customer interface digitization and cloud transformation in particular. The number of employees at the top 25 in Germany rose by an average of 6.9 percent compared to the previous year.

“We are guided by our proximity to markets and to people – by placing people at the heart of our actions, we are able to create added value in a digitized world. Which makes us all the more pleased to know that our employee growth of about 8.2 percent in Germany exceeds the average determined by Luenendonk,” comments Dr. Stephan Frohnhoff, msg CEO. “Moreover, our current employee count of 5,424 employees across Germany puts us in 3rd place in the current list. We will continue to focus on the growth and development of our employees, to ensure we remain an attractive employer in Germany going forward as well.”         

In regard to revenue, Luenendonk has predicted significantly slower growth in the IT service market for the current year. The consulting and market research company’s more than 30 years of experience has found a strong correlation between the performance of the IT service market and Germany’s gross domestic product (GDP). The downturn in GDP of about 6.5 percent predicted by the EU Commission will therefore have an impact on most IT service providers’ business development. At the same time, customers will be increasing their investment in digitalization projects and new technologies, such as AI and IoT – according to Luenendonk.

“6th place in this high-profile ranking shows us again that msg plays an important role in the digitalization of the German economy,” says Dr. Stephan Frohnhoff. “Especially now, in these difficult times, we are proud to be able to use our IT and consulting competence to help address the Corona crisis. These efforts include msg’s assistance of the federal government and the important applications it uses to protect the population and to equip different institutions like schools with the IT infrastructure they need. After all, the crisis has made one thing clear: it is particularly important, especially right now, to consequently pursue the path of digital transformation.”   

A noticeable paradigm shift has been seen in software development over the course of about the past three years or so: the waterfall model has been replaced with agile development methods – often in combination with DevOps approaches. In the field of IT security, this development has also changed which work models IT security experts employ. Whereas the goals of the software development process used to be defined relatively early on using technical specifications, now the functions of a planned software product can continue to change until shortly before go-live. Consequently, many security requirements now have to be dynamically developed parallel to agile sprints. What exactly does this development mean for an IT security officer’s tasks and responsibilities? msg offers five tips for agile security.

1. Exchange of know-how between all stakeholders

All stakeholders – whether security teams, developers, operations or business units – must be involved in projects from the very beginning to ensure know-how is exchanged between everyone involved and is also continuously maintained. When developers set up a system architecture, for example, they should involve security experts in the project right from the start as that allows the security experts to compare the security requirements to the proposed solution and immediately detect any fundamental vulnerabilities. Necessary measures can then be defined, thereby ensuring the security of the project.

2. The role of the application security expert

The roles in the software development process have also changed, in part due to agile process methods: today, an application security expert is there to guide projects and processes as a whole, in more of a coaching role. As a result, their responsibilities cover more than just writing and drafting security concepts. They steer the entire process and share their know-how with the team. Furthermore, the role of the application security expert does not end with the project. Instead, their expertise is required long after go-live. This development makes sense and is underscored by the fact that product development continues even after a product has gone live.

3. Security user stories for security requirements

In agile software development, security requirements are addressed and scheduled using so-called “security user stories”. The user stories provide a clear overview of all of the security expert’s tasks, while also promoting collaboration and creativity. Security experts should be actively involved in the creation of the security user stories and should alert software developers to any missing scenarios. This also means they are responsible for pointing out when a product owner has failed to schedule and execute a security user story, even though the user story is necessary. For that reason, the organization should be designed to allow suspected defects to be escalated to the appropriate central security organization. Upon conclusion of the security user story development, the relevant security requirements and functional processes are documented. With the user stories covering the key aspects, the relevant scenarios will have been address by the development team as well.

4. Penetration tests for the security audit

Penetration tests conducted before live use (“go-live”) serve to verify whether the security requirements have been adequately provided for. For example, they allow any technical vulnerabilities to be identified and eliminated.

Automated static code analysis using a CI/CD cycle should be standard as it permits experts to address the results of source code analysis from the outset and automatically detect errors. This raises the question, especially with the DevOps model, of when further penetration tests should be scheduled after the initial go-live. Since testing usually involves considerable effort, it is important to define in advance when the tests should be performed. Potential options include testing before a go-live, annually recurring tests or even tests triggered by risk-based incidents, such as criticality tests following software modifications. Ideally, fully-automated dynamic software tests would be performed that repeat cyclically and quickly detect vulnerabilities. However, the reality looks somewhat different at the moment, since most dynamic penetration tests still have to be performed manually.

5. Company-wide security requirements and architectural specifications 

Basic security requirements that are well known throughout an organization, such as checklists and policies, and that provide basic protection remain necessary. The review and release of sample solutions that can be used throughout a company are important, as is the provision of security components for cross-product use. Failure to do so can cause the support provided by security experts to become extremely time-consuming, especially in larger organizations, or it can result in insular solutions that have to be constantly evaluated and re-evaluated simply to ensure security. All of which would, of course, tie up considerable resources unnecessarily.