Penetration Test | Jan Kahmen | 3 min read

Requirements for Digital Health Applications

A compromised digital health application can lead to reputational damage by inadvertently exposing the user's digital life.

What Does the BSI Guideline Describe?

The German Federal Ministry of Health (BMG) sees the Western healthcare sector facing major challenges: caring for elderly and chronically ill patients, financing costly medical innovations, and providing medical services in underserved rural areas. Digital health applications (DiGA) can help address these challenges by supporting patient treatment and care while leveraging modern information and communication technologies (ICT).

To facilitate the adoption of such applications, the BSI has developed a family of Technical Guidelines (TR) aimed at DiGA developers. These guidelines also serve as a useful reference for any application that handles sensitive data.

Aim of the BSI Documents

The trend toward self-tracking with new IoT devices and the push for more efficient use of medical data have reached the healthcare sector. With location- and time-independent access to personal medical data, users can now store sensitive information such as pulse rate, sleep patterns, medication plans, prescriptions, and medical certificates. The corresponding applications connect users to relevant services and act as central communication hubs. However, a compromised device can lead to financial losses or reputational damage by inadvertently exposing the user's digital life. This makes it essential for manufacturers to plan responsibly during the development phase, ensuring their DiGA applications properly process, store, and protect personal and other sensitive data.

Verification Areas

The Technical Guidelines cover mobile applications, web applications, and backend systems. They define minimum security standards and examine the following areas:

  • Application purpose
  • Architecture
  • Source code
  • Third-party software
  • Cryptographic implementation
  • Authentication
  • Data security
  • Paid resources
  • Data storage and data protection
  • Network communication
  • Platform-specific interactions
  • Resilience

Conclusion

The BSI's Technical Guidelines are an important instrument for ensuring security and data protection in the development of digital health applications. The defined verification areas enable developers to confirm that their applications are both secure and compliant with data protection requirements. This benefits not only user privacy but the healthcare system as a whole.

Sources

BSI Technical Guidelines TR-03161