Overview
Hasomed Tech is a cloud-focused subsidiary of Hasomed, a Magdeburg-based medical technology company that has been building software and hardware for healthcare since the late 1980s. One of Hasomed's flagship products is Elefant, a practice management system used by around 13,000 psychotherapists across Germany for patient management, documentation, scheduling, and billing.
To modernize Elefant and make it securely accessible from anywhere, Hasomed founded Hasomed Tech GmbH as a dedicated engineering organization. Hasomed Tech's mandate: evolve a mature, Windows-based on-premise application into a modern, web-accessible, cloud-backed platform — without compromising the confidentiality and integrity of highly sensitive mental health data.
The new Elefant Cloud Service follows a hybrid model: a local Windows application continues to work with the existing Firebird database in the practice, while a secure backend synchronizes selected data to the cloud to enable remote access via web interfaces. Hasomed Tech operates as an independent entity with its own product, design, and engineering teams, while Hasomed retains all IP and remains the sole customer under a long-term development contract. Security and compliance — including BSI C5 readiness — are owned and operated by CISOIQ as Hasomed Tech's CISO and security team.
From day one, the goal was clear: build a cloud platform that can safely process millions of highly sensitive health records, meet strict German and sector-specific regulatory expectations, and still feel fast and modern for a small, high-caliber engineering team. Security had to be a first-class design principle, not an afterthought — and it had to earn the trust of a market that is, by default, "slightly skeptical" of "everything in the cloud".
Challenges
- Best-in-Class Protection for Sensitive Health Data: The Elefant ecosystem processes millions of psychotherapy-related patient records — some of the most sensitive data in healthcare. Hasomed Tech needed a cloud architecture with end-to-end, cryptographically robust protection for all sensitive data: in transit, at rest, and across internal services. "Good enough" was not an option; the bar was best-in-class encryption and key management that would stand up to scrutiny from auditors, regulators, and critical customers.
- Developer-Centric Workplace Security Without Friction: The team consists of 15–20 top-tier engineers, product managers, and designers who expect a modern, uncluttered setup. Traditional, heavy-handed security approaches (intrusive agents, locked-down devices, constant friction) would have been rejected immediately. The challenge was to build a secure workplace environment — identity and access management, endpoint security, secrets management, and the other baseline controls — that protects the company without breaking developer autonomy. Security had to work in the background while engineers remain in full control of their machines and workflows.
- BSI C5 Compliance on an Aggressive Timeline: As a cloud provider in the German healthcare context, Hasomed Tech needed to design its AWS-based environment to be BSI C5-conformant from the start and achieve an audit by accredited auditors within three to six months. That required translating regulatory and C5 requirements into concrete architectural decisions, operational processes, and documentation — without derailing product delivery.
- Overcoming Cloud Skepticism in a Regulated Market: Psychotherapists and healthcare stakeholders in Germany are, by default, cautious about cloud solutions — especially when they hear "AWS" and "patient data" in the same sentence. For Hasomed Tech, it was not enough to be compliant on paper. The security model had to be made transparent and understandable for non-technical buyers, so that trust was based on substance and clarity, not on marketing slogans or checklists.
- Embedding Security Into a Curious, High-Expectations Engineering Culture: The Hasomed Tech team is not "passively tolerant" of security — they are actively interested in how a state-of-the-art security program looks in a modern, cloud-native product company. Security needed to be integrated into the entire lifecycle, from Figma prototypes to production deployments: secure-by-design architecture, threat modeling, and guardrails embedded into day-to-day engineering. The challenge was to turn that curiosity into a lived security culture rather than some one-off initiative.
CISOIQ Impact
- Envelope Encryption with External Key Management (EKM) for all Health Data Records: Hasomed Tech's cloud backend now runs on envelope encryption with external key management in AWS. Each practice's records are encrypted with individual data keys, which are themselves encrypted with a dedicated key-encryption key (KEK). Instead of keeping that KEK inside AWS, CISOIQ designed an external key management setup: the KEK lives in a T-Systems HSM in Germany, connected to AWS KMS through the External Key Store (XKS), so AWS only ever handles wrap and unwrap requests for data keys and never the KEK itself. The effect: even in hypothetical compelled-access scenarios against AWS, the underlying psychotherapy data remains cryptographically inaccessible because the KEK is outside AWS's control. The trade-off is an availability dependency: if the external key store is unreachable, unwrap requests fail and no encrypted record can be read until the link is restored, so the HSM connection has to be monitored and made resilient like any other critical component. This architecture is explainable, auditable, and built to satisfy both regulators and the most skeptical buyers.
- Preserved Developer Autonomy through Zero-Trust Architecture: Rather than locking down endpoints, Hasomed Tech treats every developer laptop as potentially compromised ("assume breach" principle) and shifts trust to a hardened access layer. Access to internal applications, cloud consoles, and even SSH is mediated through Island, a secure enterprise browser, tightly integrated with Google Workspace as the central identity provider. Content redaction, step-up authentication, and other so-called "last-mile controls" are enforced in the browser, where the security team has full visibility into how company systems and data are accessed — without installing intrusive agents or removing people's admin access on their own laptops. Because the browser is the enforcement point, the identity provider must only issue sessions to it; any path that reaches an application from outside the browser would bypass those controls. Engineers keep their preferred workflows; the company gets a modern, zero-trust workplace perimeter.
- BSI C5-Ready Cloud Environment in Weeks, Not Years: From the beginning, every control was mapped directly against BSI C5 requirements. CISOIQ structured the security architecture and management system into a central, Notion-based information domain: policies, standards, risk records, and roughly 150–300 compliance artefacts all linked to the underlying systems and repositories. This made the environment fully traceable, both for ourselves and for external auditors. Together with a specialized audit partner, Hasomed Tech completed its first C5 assessment within a few weeks — with a clean result and a reusable compliance backbone for future audits.
- A Security Whitepaper that Builds Market Trust: To address the healthy skepticism of the German healthcare market toward cloud solutions, we deliberately moved away from black-box "trust us" messaging. Instead, we published a detailed security whitepaper that explains who Hasomed Tech is, which threat model the company operates against, and which concrete controls are implemented in the cloud, at the workplace, and in the product. Prospective customers, professional bodies, and critics can challenge the model instead of guessing how it might work or relying on assumptions. Security becomes something verifiable and discussable — not a marketing claim.
- Embedded Security Operations: CISOIQ anchored security in the tools and routines the engineering team already lives in, rather than creating a parallel "security universe." Cloud posture is continuously monitored with Wiz; access and device context are managed through Island and Google Workspace; secrets and rotations are handled in 1Password; a vulnerability reward program with over a hundred hunters feeds real-world feedback into the program. In Notion, the team maintains detailed Mermaid-based architecture diagrams, service-to-service communication maps, and cross-cutting concerns like authentication and authorization — all linked to GitHub and the cyber & information security management system. Threat modeling happens in that shared environment, with engineers and security working from the same source of truth. The result is a security program that feels like part of Hasomed Tech's engineering culture, not a constraint imposed on it.
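The envelope-encryption design from the first bullet above, written out as an added Go example (not Hasomed Tech's or CISOIQ's code): one data key per practice, wrapped by a KEK that only an HSM stand-in can use, and records bound to their practice and record IDs through AES-GCM associated data. The ExternalKEK type holding the key in process memory is an assumption so the example runs offline; in the real design the KEK stays in the HSM behind XKS. Practice and record IDs and the note text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ExternalKEK stands in for the key-encryption key inside the external HSM. In the real design
// the KEK never leaves the HSM and the backend only sends wrap/unwrap requests across the XKS
// boundary; holding the key in memory is an assumption of this example so that it runs offline.
type ExternalKEK struct{ key []byte }

func NewExternalKEK() (*ExternalKEK, error) {
	k, err := randomBytes(32) // AES-256
	return &ExternalKEK{key: k}, err
}

// Wrap and Unwrap are the only operations the backend ever asks of the HSM.
func (k *ExternalKEK) Wrap(dek []byte) ([]byte, error)     { return sealAEAD(k.key, dek, []byte("dek-wrap")) }
func (k *ExternalKEK) Unwrap(wrapped []byte) ([]byte, error) { return openAEAD(k.key, wrapped, []byte("dek-wrap")) }

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD encrypts with AES-GCM and prefixes the random nonce; openAEAD reverses it and
// fails authentication on a wrong key, tampered bytes or mismatched associated data.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}
func openAEAD(key, data, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(data) >= n {
		return gcm.Open(nil, data[:n], data[n:], aad)
	}
	return nil, errors.New("ciphertext shorter than nonce")
}

type PracticeKey struct { // per-practice data key as persisted: only its KEK-wrapped form
	PracticeID string
	WrappedDEK []byte
}

// NewPracticeKey mints a fresh DEK for one practice; the plaintext DEK is never stored.
func NewPracticeKey(kek *ExternalKEK, practiceID string) (*PracticeKey, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	wrapped, err := kek.Wrap(dek)
	return &PracticeKey{PracticeID: practiceID, WrappedDEK: wrapped}, err
}

type EncryptedRecord struct { // what the cloud database stores for one patient record
	PracticeID, RecordID string
	Ciphertext           []byte
}

// binding is the GCM associated data: a ciphertext re-filed under another practice or record ID fails to open.
func binding(practiceID, recordID string) []byte { return []byte(practiceID + "/" + recordID) }

// EncryptRecord unwraps the practice DEK through the HSM and encrypts one record under it.
func EncryptRecord(kek *ExternalKEK, pk *PracticeKey, recordID string, plaintext []byte) (*EncryptedRecord, error) {
	dek, err := kek.Unwrap(pk.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	ct, err := sealAEAD(dek, plaintext, binding(pk.PracticeID, recordID))
	return &EncryptedRecord{PracticeID: pk.PracticeID, RecordID: recordID, Ciphertext: ct}, err
}

// DecryptRecord is the only read path: no successful HSM unwrap, no plaintext.
func DecryptRecord(kek *ExternalKEK, pk *PracticeKey, rec *EncryptedRecord) ([]byte, error) {
	dek, err := kek.Unwrap(pk.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAEAD(dek, rec.Ciphertext, binding(rec.PracticeID, rec.RecordID))
}

func main() {
	hsm, _ := NewExternalKEK()
	pk, _ := NewPracticeKey(hsm, "practice-42") // constructed sample practice, record and note
	rec, _ := EncryptRecord(hsm, pk, "note-1", []byte("constructed sample session note"))
	fmt.Println(DecryptRecord(hsm, pk, rec))                                 // plaintext, <nil>
	fmt.Println(DecryptRecord(&ExternalKEK{key: make([]byte, 32)}, pk, rec)) // without the real KEK: authentication error
}
```

Run it with `go run`. Two things the paragraph alone does not show: a party holding the ciphertext and the wrapped data key but not the real KEK cannot unwrap anything, so the stored bytes are useless to it; and a record copied under another practice or record ID fails authentication instead of decrypting silently. The same property that defeats compelled access also means an HSM outage stops every read, which is why the key-store link belongs in the availability budget.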
What This Case Demonstrates
- Security only matters to the extent it can be demonstrated: Every environment is insecure by default. It only becomes more secure in proportion to the controls you can point to — and the evidence that those controls actually exist and run. Security claims without that evidence are just marketing. Hasomed Tech's approach is to make the whole model inspectable: a clear threat model, an explainable encryption design, documented processes, and a public security whitepaper that anyone can read and challenge. That shifts the discussion from "trust us" to "here is what we do, here is why, here is how you can verify it." Trust comes from the ability to verify, not from the promise itself.
- Security by design needs a shared information domain, not a separate security universe: "Secure by design" doesn't happen if security has its own tools, its own docs, and its own language somewhere off to the side. At Hasomed Tech, everyone works in the same place: Figma for product, GitHub for code, Notion as the connective tissue. Risks, systems, incidents, architecture diagrams, and pull requests are tied together via databases, relations, and page mentions. If you want to know what risk sits behind a specific change, you don't ask around — you click through the graph. That's the real pattern here: treat your security program as an information domain that evolves with the product, instead of a static pile of PDFs that nobody touches after the audit.
- AI-native workflows turn a small security team into a big one: Hasomed Tech assumes AI from the start. Meetings are transcribed so architectural and security details don't evaporate after the call. Documentation is drafted and refined with LLMs so design and control decisions are actually written down, not just "known" by a few people. Threat modeling sessions are supported by LLMs that help explore edge cases and alternative attack paths. None of this replaces human expertise — it amplifies it. The deeper lesson: if you design your security and compliance workflows to be AI-native, a small, senior team can run a program with the depth and responsiveness that usually requires a much larger organization.