BSI TR-03161: Comprehensive Security Standard for Healthcare Applications
BSI TR-03161: Security standard for healthcare applications with mobile, web and backend components

Introduction
The digitalization of healthcare is advancing rapidly. Health apps, electronic patient records, and telemedicine solutions have become part of everyday life. With this development comes a greater responsibility to protect sensitive health data from unauthorized access. The German Federal Office for Information Security (BSI) created Technical Guideline TR-03161 as a comprehensive standard for exactly this purpose.
TR-03161 defines security requirements for healthcare applications and is divided into three parts: Mobile Applications (Part 1, Version 3.0), Web Applications (Part 2, Version 2.0), and Backend Systems (Part 3, Version 2.0). This three-part structure reflects the modern architecture of healthcare applications, which typically consist of a combination of frontend applications and backend infrastructure.
Special Features of the Guideline Compared to Other Standards
What distinguishes BSI TR-03161 from other security standards is its specific focus on healthcare. While international standards such as the OWASP Application Security Verification Standard (ASVS) or the OWASP Mobile Application Security Verification Standard (MASVS) define general best practices, TR-03161 specifically addresses the particular requirements of the German healthcare system.
While the guideline is based on established international standards – including OWASP Top 10, the Web Security Testing Guide, and ENISA's Smartphone Secure Development Guidelines – it goes beyond them in several respects:
- Legal Framework: TR-03161 is closely linked to the German Social Code, in particular § 33a SGB V (digital health applications, DiGA) and § 40a SGB XI (digital care applications, DiPA). This gives the guideline particular legal relevance for the German market.
- Data Protection Focus: The protection of personal health data is at the center. The guideline recognizes that a compromise of health data directly harms the affected person and therefore requires particularly strict protective measures.
- Holistic Approach: Unlike many standards that focus on either the frontend or the backend, TR-03161 covers the entire application architecture. All three parts are coordinated and complement each other.
- Practice Orientation: The guideline draws on experience the BSI has gathered in actual examinations of healthcare applications. It is therefore not purely theoretical but reflects real threat scenarios.
- Certifiability: The guideline defines clear audit aspects, test characteristics, and audit depths that enable objective evaluation and certification of applications.
Comparison of the Three Parts: Characteristics and Focus Areas
Part 1: Mobile Applications (Version 3.0)
The first part of the guideline focuses on native mobile applications and the native portion of hybrid apps. It is the most comprehensive part and reflects the complexity of mobile platforms.
Key Focus Areas:
The mobile requirements consider platform-specific security mechanisms of iOS and Android. Particular attention is paid to mobile apps' direct access to device components such as GPS, camera, or microphone. The guideline requires that applications only request permissions necessary for their legitimate purpose and transparently inform users about their use.
Test characteristics include:
- Application purpose and data processing
- Architecture and security design
- Source code quality and security
- Third-party software and dependencies
- Cryptographic implementation
- Authentication, identification, and authorization
- Data storage and data protection
- Paid resources
- Network communication
- Platform-specific interactions
- Resilience and error handling
Special Features:
Part 1 considers the challenge that mobile devices are typically under user control and operated outside protected environments. The guideline therefore requires extensive client-side security measures, including secure local data storage, protection against reverse engineering, and secure use of operating system APIs.
Part 2: Web Applications (Version 2.0)
Part 2 addresses web applications that run in browsers, as well as the web portion of hybrid solutions. The special architecture of web applications is at the forefront here.
Key Focus Areas:
Web applications have no direct access to device components and depend heavily on the browser in use. The guideline therefore requires that web applications check whether the browser is up to date and deny access to sensitive data if the browser has known security-relevant vulnerabilities.
Specific Requirements:
- Use of modern HTTP security response headers (HSTS, CSP, X-Frame-Options)
- Control of URL redirects (no open redirects to attacker-chosen targets)
- Protection against code injection and cross-site scripting
- Secure handling of session management
- Minimal client-side logic, with processing kept on the server side
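The headers, redirect control, and session-cookie requirements above are easiest to see in code. The following is an added example written for this article, not code from TR-03161 or from any certified application; the header values, the application host `app.example.org`, and the cookie name are assumptions chosen to illustrate a hardened baseline. The redirect check goes beyond the bullet by also rejecting the common open-redirect bypasses (scheme-relative `//host`, backslash `/\host`, userinfo `good@evil`, and non-http schemes).

```python
"""Added example: server-side controls for the TR-03161 Part 2 web requirements
listed above (security headers, redirect control, session cookies).
Not code from the guideline; header values and host names are assumptions."""
import secrets
from urllib.parse import urlsplit


def security_headers(csp_nonce: str) -> dict:
    """Response headers a health-data web app should send on every response.
    Values are a hardened baseline chosen for this example, not quoted from TR-03161."""
    return {
        # Force HTTPS for two years, including subdomains (HSTS).
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        # Only same-origin resources; scripts need a per-response nonce;
        # no plugins, no framing by other sites, no <base> hijacking.
        "Content-Security-Policy": (
            "default-src 'self'; "
            f"script-src 'self' 'nonce-{csp_nonce}'; "
            "object-src 'none'; frame-ancestors 'none'; base-uri 'self'"
        ),
        # Legacy equivalent of frame-ancestors for older browsers.
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
        # Health data must never land in shared or disk caches.
        "Cache-Control": "no-store",
    }


def safe_redirect_target(target: str, allowed_hosts: set, fallback: str = "/") -> str:
    """Return `target` only if it stays on this application, else `fallback`.

    Accepts absolute paths ("/dashboard") and https URLs whose host is in
    `allowed_hosts`. Rejects open-redirect tricks: scheme-relative URLs
    ("//evil.example"), backslash variants ("/\\evil.example", which browsers
    treat like "//"), userinfo tricks ("https://good@evil.example") and
    non-http schemes ("javascript:...").
    """
    if not target:
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative reference: allow only a plain absolute path.
        if target.startswith("/") and not target.startswith(("//", "/\\")) and "\\" not in target:
            return target
        return fallback
    # Absolute URL: require https and an exact match on the parsed hostname
    # (parts.hostname drops userinfo and port and is lower-cased).
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return target
    return fallback


def session_cookie(session_id: str, max_age_seconds: int = 900) -> str:
    """Set-Cookie value for the session. The __Host- prefix binds the cookie to
    this host over HTTPS with Path=/, HttpOnly keeps it away from scripts,
    SameSite=Strict stops cross-site sending (CSRF), a short Max-Age limits
    idle sessions."""
    return (
        f"__Host-session={session_id}; Path=/; Secure; HttpOnly; "
        f"SameSite=Strict; Max-Age={max_age_seconds}"
    )


def new_session_id() -> str:
    """256-bit random session identifier from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    hosts = {"app.example.org"}  # assumed application host
    for candidate in ["/dashboard", "//evil.example/", "/\\evil.example",
                      "https://app.example.org@evil.example/", "javascript:alert(1)",
                      "https://app.example.org/records"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate, hosts)!r}")
    print(session_cookie(new_session_id()))
    for name, value in security_headers(secrets.token_urlsafe(16)).items():
        print(f"{name}: {value}")
```

The redirect check deliberately compares the parsed hostname exactly rather than testing whether the string "starts with" the trusted origin, which is the mistake that lets `https://app.example.org.evil.example/` and `https://app.example.org@evil.example/` through. The CSP nonce must be freshly generated per response; reusing a static nonce reduces it to `'unsafe-inline'`.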
Special Features:
A key difference from Part 1 is the assumption that web applications have no persistent trust anchor on the client. The guideline assumes that users check the correct internet address and use standard browser security settings. This leads to specific requirements for server authentication via TLS and the establishment of initial trust.
Part 2 also emphasizes that web applications cannot be viewed in isolation – they are inseparably connected to their backend system that delivers the application.
Part 3: Backend Systems (Version 2.0)
The third part focuses on the backend infrastructure that supports both mobile and web applications. It is essential because modern healthcare applications typically use server-based components for data storage and processing.
Key Focus Areas:
Part 3 distinguishes three operational scenarios:
- Self-hosted systems (full control by the manufacturer)
- Externally hosted systems (hosting by service provider)
- Cloud-based systems (use of cloud services)
Specific Requirements:
- Physical and organizational security of infrastructure
- Separation of customer data in multi-tenancy
- Centralized logging and monitoring
- Secure memory management
- Deployment processes without compromising sensitive data
- Control over updates and patch management
Special Features:
Part 3 requires the use of providers that meet the BSI Cloud Computing Compliance Criteria Catalogue (C5) or can demonstrate comparable certifications for cloud computing. This ensures an appropriate security level even when operations are outsourced.
An important aspect is the requirement for a centralized logging system on dedicated log servers to prevent manipulation and deletion of logs on source systems. This is particularly relevant for traceability in security incidents.
Common Core Principles of All Three Parts
Despite their different focuses, all three parts share fundamental security principles:
- Security by Design: Security must be an integral part of the development cycle from the beginning. Already in the design phase it must be taken into account that sensitive data will be processed.
- Purpose Limitation: Data may only be collected, processed, and stored for a clearly defined purpose, and that legitimate purpose must be communicated transparently.
- User Autonomy: Users must actively consent before any collection of personal data and must be able to revoke this consent at any time. A directory of consents must be accessible to users.
- State-of-the-Art Cryptography: All parts refer to BSI TR-02102-1 for cryptographic algorithms and key lengths, and to TR-02102-2 for TLS configuration.
- Third-Party Software Management: A central list of all dependencies must be maintained, and third-party software must be regularly checked for known vulnerabilities.
- Auditability: All three parts define clear test characteristics with the result categories PASS, INCONCLUSIVE, FAIL, and NOT APPLICABLE.
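The TLS principle above is the one most often implemented incorrectly in practice, so here is an added example (written for this article, not code from the BSI or from any audited product) that builds a server-side TLS configuration with Python's `ssl` module and audits an arbitrary context against it. The encoded policy (TLS 1.2 minimum, only forward-secret AEAD cipher suites for TLS 1.2, no compression) is a hardened baseline chosen for this example and is not a transcription of the cipher suite tables in TR-02102-2; the certificate and key paths are assumptions.

```python
"""Added example: a TLS baseline in the spirit of BSI TR-02102-2, enforced with
Python's ssl module, plus an audit function for existing contexts.
The policy is a hardened baseline chosen for this example; consult TR-02102-2
itself for the authoritative suite list and validity periods."""
import ssl

# TLS 1.2 suites allowed by this policy: ephemeral (EC)DH for forward secrecy,
# AES-GCM or ChaCha20-Poly1305 for authenticated encryption. TLS 1.3 suites are
# always forward-secret and AEAD and are negotiated separately by OpenSSL.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!PSK:!SRP"


def hardened_tls_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Server context: TLS 1.2/1.3 only, restricted TLS 1.2 suites, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(TLS12_CIPHERS)
    # Compress-then-encrypt leaks plaintext (CRIME); Python sets this by
    # default since 3.6, kept explicit so the intent survives refactoring.
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        # Assumed paths, e.g. "/etc/app/tls/server.pem", "/etc/app/tls/server.key".
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tls_policy_violations(ctx: ssl.SSLContext) -> list:
    """Audit any SSLContext against the policy above; returns findings (empty = OK)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, need TLSv1_2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are forward-secret AEAD by construction
        if not cipher["name"].startswith(("ECDHE-", "DHE-")):
            findings.append(f"{cipher['name']}: no forward secrecy (static key exchange)")
        if not cipher["aead"]:
            findings.append(f"{cipher['name']}: not an AEAD suite (CBC/MAC construction)")
    return findings


def weak_context_for_comparison() -> ssl.SSLContext:
    """A context that still offers a CBC suite, to show what the audit catches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE-RSA-AES128-SHA256")
    return ctx


if __name__ == "__main__":
    for label, ctx in [("hardened", hardened_tls_context()),
                       ("weak", weak_context_for_comparison())]:
        print(f"{label}: min={ctx.minimum_version.name}, "
              f"{len(ctx.get_ciphers())} suites offered")
        for finding in tls_policy_violations(ctx) or ["no findings"]:
            print("  -", finding)
```

The audit function is the part worth keeping: run it in a deployment test against the context the application actually constructs, so that a later "temporary" change to the cipher string or minimum version fails the build rather than an external audit. Where the server terminates TLS in a reverse proxy instead of in Python, the same checks apply to that proxy's configuration.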
Outlook: The Future of Healthcare IT Security
BSI TR-03161 is more than a technical standard: it is a milestone for the secure digitalization of healthcare in Germany. Its continuous revision (Part 1 is already at Version 3.0) shows that the guideline responds to new threats and technological developments.
Trends and Challenges:
The increasing integration of healthcare applications with IoT devices (wearables, medical measuring devices) will receive more attention in the future. The use of artificial intelligence in medical applications also raises new security questions that future versions will have to address.
Harmonization with European regulation such as the Medical Device Regulation (MDR) and the EU AI Act will also play a role. TR-03161 could serve as a model for European guidelines here.
Practical Significance:
For manufacturers of healthcare applications, compliance with TR-03161 is increasingly becoming a competitive advantage. Health insurance companies and public authorities can use the guideline as a selection criterion. For users, certification according to TR-03161 provides important guidance in selecting secure healthcare applications.
The guideline also promotes a cultural change in software development: security is not a retrospective add-on but must be considered from the beginning. This requires investments in training, processes, and tools but pays off in the long term through more robust and trustworthy applications.
Conclusion
BSI TR-03161 represents a comprehensive and practice-oriented security standard for healthcare applications that combines international best practices with the specific requirements of the German healthcare system. The three-part structure enables differentiated consideration of different application types, while common core principles ensure a consistent security philosophy.
Part 1 (Mobile Applications) addresses the special challenges of mobile platforms and direct access to device components. Part 2 (Web Applications) focuses on browser-based solutions and their specific security requirements. Part 3 (Backend Systems) ensures that backend infrastructure is adequately protected – regardless of whether it is self-hosted, externally managed, or operated in the cloud.
The strength of the guideline lies in its holistic nature: it considers not only individual components but the entire application architecture. It is not only theoretically grounded but based on practical experience. And it is not static but evolves with technological and legal framework conditions.
For all actors in healthcare – manufacturers, operators, certifiers, and not least patients – TR-03161 provides a clear framework for secure digital healthcare applications. At a time when cyberattacks on healthcare facilities are increasing and data protection has the highest priority, this is more important than ever.
The consistent implementation of TR-03161 is an essential step to create trust in digital healthcare solutions and protect citizens' sensitive health data. It shows that the highest security standards and user-friendliness need not be contradictory but can – and must – go hand in hand.