The stakes of meeting cybersecurity regulations and protecting patient health data
What are DiGA and DiPA?
It has been over two years since the Bundestag allowed physicians in Germany to prescribe digital health applications to their patients. DiGA (Digitale Gesundheitsanwendungen – or in English Digital Health Applications), also called “apps on prescription”, are CE-marked medical devices that help patients with the recognition, monitoring, treatment, or alleviation of diseases, injuries, or disabilities. They can be mobile apps, web applications, or other devices whose main functionality is based on digital technology.
Between November 2020 and October 2021, DiGA were prescribed 50 000 times, and their use is only expected to grow in the near future. Currently, there are 34 DiGA in the BfArM directory. Some examples of DiGA are: Deprexis, available as a web app for assisting in the treatment of depression; Endo App for patients suffering from endometriosis; or Elevida – a web app for people with multiple sclerosis.
BfArM has recently published an ordinance establishing requirements for reimbursement of digital care applications (DiPA – Digitale Pflegeanwendungen) intended to support the everyday care of patients. DiPA are intended for use by care recipients and their nurses and carers, including family members – they are not considered health devices but “care assistants”. Manufacturers of such apps and devices will soon be able to apply to have their products listed in the upcoming DiPA directory.
The stakes of keeping patient data secure
Why should DiGA and DiPA manufacturers prioritize security?
The Federal Office for Information Security (BSI) emphasizes in its technical guideline for manufacturers of e-Health applications, BSI TR-03161, the importance of protecting patients’ data and the perils of not complying with security requirements. It considers unintentional disclosure of patients’ health data more harmful than some data breaches in the financial sector: the former can endanger a patient’s health and, unlike fraudulent financial operations, it cannot be refunded. The loss of confidentiality is irreversible, and its consequences are severe.
That’s why the regulations and guidelines regarding DiGAs’ security are strict, and they are about to become even more rigorous. The data protection and data security requirements for DiPA are expected to follow the ones for DiGA.
Security requirements for all DiGA Digital Health Applications
In order to be classified as a DiGA and qualify for reimbursement from German health insurance funds, and therefore become readily available to 73 million patients, the device must pass a Fast Track assessment by the Federal Institute for Drugs and Medical Devices (BfArM).
The three-month assessment process checks the general usability of the app, its interoperability, user-friendliness, and finally, its handling of security and data protection.
According to section 32a of DiGAV Annex 1, all devices that want to become a digital health application, not only the ones with very high protection requirements, must undergo a penetration test that includes all back-end components and “follows the implementation concept for penetration tests recommended by the Federal Office for Information Security, and – insofar as the applicability is given – also takes into account the current OWASP Top-10 security risks”. The manufacturer is further obliged to “submit appropriate evidence for the implementation of the penetration tests and the elimination of the weak points found on request”.
What Annex 1 doesn’t mention is that penetration testing assessments for DiGA and DiPA compliance can sometimes be more nuanced than everyday pentesting. Security engineers performing pentests for these apps should have a stronger focus on finding vulnerabilities that may expose patient data, such as IDORs (insecure direct object references) and other gaps in access control enforcement, and need to be familiar with standards that are specific to the sector, such as HL7, DICOM and FHIR, as well as proprietary protocols.
Choosing penetration testing services based on methodologies such as OWASP Top 10, OWASP MASVS, OSSTMM, PTES, and BSI standards (mandatory for DiGA/DiPA) will ensure an in-depth review of the security controls of the platforms and systems in the scope of your audit.
Certifications required for DiGA
Will regulations become stricter?
From April 1, 2022, proof of an “information security management system (ISMS) in accordance with ISO 27001” must be submitted. From January 1, 2023, a certificate from the BSI must prove that the data security requirements are met. From April 1, 2023, data protection requirements will also have to be met.
The new requirements have to be met by the devices already listed in the directory and the ones whose manufacturers are only applying for inclusion.
How to keep digital health apps safe in the long term?
A single pentest and obtaining the appropriate certification do not make an app secure in the long term. BfArM is well aware of this: it stresses that information security should be a process anchored in the company, and that pentests should be repeated, for example when new interfaces are exposed to the internet.
Considering the record levels of cybersecurity breaches carried out in Germany last year, and the fact that their main targets were critical to society and included healthcare, DiGA and DiPA will have to adhere to very strict security standards if they want to win over a society that has relied on analog healthcare systems longer than most EU countries.
Why is pentesting so important for DiGA and DiPA security?
DiGA has lately attracted the attention of the German hacking collective Zerforschung, whose tests discovered vulnerabilities in two health applications that had already been positively verified and listed by BfArM. Critical vulnerabilities included the possibility to download other patients’ data (including username, email address, and details about their health condition) and to log in as a doctor and access critical data such as passwords and medical reports.
The apps’ manufacturers fixed the issues after being contacted by Zerforschung. Should patients rely on friendly hackers to help secure the apps? No. Broken Access Control vulnerabilities such as the above are often easily identifiable with a pentest and should have been discovered before the apps were made available to patients. Hopefully, the new certification requirements will prevent apps with glaring security issues from reaching patients.
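The IDOR and broken access control issues mentioned above (one user reading another patient’s record by changing an identifier in the request) come down to a missing object-level authorization check on the server. The following is an added illustration, not code from the article or from any DiGA vendor: a constructed patient-record lookup in its vulnerable form beside a hardened form, plus a small detection routine over a constructed audit log of denied requests. The data model, session object, record store and identifiers are all hypothetical.

```python
"""Constructed example: patient-record lookup with and without authorization.

Added illustration, not code from the article or from any DiGA product. The
session object, record store, ids and audit log are all hypothetical.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Result of a successful login: authentication only, no authorization."""
    user_id: str
    role: str  # "patient" or "clinician"


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    diagnosis: str
    treating_clinicians: frozenset = frozenset()


class AccessDenied(Exception):
    """Raised for both 'not found' and 'not yours', so a caller cannot tell
    valid ids from invalid ones by the error type."""


# Constructed sample store: two patients, clinician c-42 treats both.
RECORDS = {
    "p-1001": PatientRecord("p-1001", "depression (F32.1)", frozenset({"c-42"})),
    "p-1002": PatientRecord("p-1002", "endometriosis (N80)", frozenset({"c-42", "c-77"})),
}

# Audit log of denied lookups as (user_id, requested_patient_id) tuples.
DENIED_LOG: list = []


def get_record_vulnerable(session: Session, patient_id: str) -> PatientRecord:
    """Broken access control (IDOR): the caller is logged in, but the id taken
    from the request is used directly, so any user can read any record."""
    return RECORDS[patient_id]


def is_authorized(session: Session, record: PatientRecord) -> bool:
    """Object-level authorization decided server-side from the session,
    never from client-supplied role or id fields. Unknown roles are denied."""
    if session.role == "patient":
        return session.user_id == record.patient_id
    if session.role == "clinician":
        return session.user_id in record.treating_clinicians
    return False


def get_record_hardened(session: Session, patient_id: str) -> PatientRecord:
    """Same lookup with the ownership check the vulnerable version lacks."""
    record = RECORDS.get(patient_id)
    if record is None or not is_authorized(session, record):
        DENIED_LOG.append((session.user_id, patient_id))
        raise AccessDenied(patient_id)
    return record


def denied(session: Session, patient_id: str) -> bool:
    """True if the hardened lookup refuses the request."""
    try:
        get_record_hardened(session, patient_id)
    except AccessDenied:
        return True
    return False


def users_probing_ids(log, threshold: int = 3):
    """Detection: users with at least `threshold` denied record lookups are
    candidates for id enumeration. Returns their user ids, sorted."""
    counts = Counter(user for user, _ in log)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    other_patient = Session("p-1002", "patient")
    print("vulnerable:", get_record_vulnerable(other_patient, "p-1001").diagnosis)
    print("hardened denies:", denied(other_patient, "p-1001"))
    print("own record:", get_record_hardened(Session("p-1001", "patient"), "p-1001").diagnosis)
```

Two design points carry over to real back ends: the authorization decision uses only server-held session state and the record’s own ownership data, and a record that exists but belongs to someone else produces the same error as one that does not exist, so the denial log rather than the error message is where enumeration attempts become visible.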
The digitization of Germany’s healthcare system, of which DiGA and DiPA are a part, is one of the most significant current IT operations in Europe, and at the heart of it lies patient data protection.
With 50% of German patients declaring willingness to use digital health apps and only 3% (as of 2020) being prescribed them, security compliance is not only a matter of meeting requirements for reimbursement but an important step in building trust among doctors and patients who still hesitate to fully embrace the possibilities that these applications present.