Penetration Test | Jan Kahmen | 3 min read

Requirements for Digital Health Applications

However, a compromised digital application can lead to reputational damage by inadvertently exposing the user's digital life.


What Does the BSI Guideline Describe?

The Federal Ministry of Health (BMG) sees major challenges for healthcare in the western world that digital health applications (DiGA) are meant to help address. These include the care of elderly and chronically ill people, the financing of expensive medical innovations and the provision of medical services in structurally weak rural areas. Healthcare applications can help to overcome these challenges by supporting the treatment and care of patients and making use of modern information and communication technologies (ICT).

To facilitate the use of such applications in the healthcare sector, the BMG has developed a family of Technical Guidelines (TR) aimed at the developers of DiGA applications. Because they define minimum security requirements, these guidelines can also serve as guidance for any application that works with sensitive data.

Aim of the BSI Documents

The trend towards "self-tracking" with new IoT devices and the demand for efficient use of medical data are also making themselves felt in the healthcare sector. Because personal medical data can be accessed from anywhere and at any time, sensitive and personal information such as pulse rate, sleep rhythm, medication plans, medical prescriptions and certificates is now stored in these applications. The applications connect the user to the corresponding services and act as communication hubs. However, a compromised device can lead to financial loss or reputational damage by inadvertently exposing the user's digital life. To prevent this, manufacturers must plan responsibly, already during the development phase of a DiGA, how the application processes, stores and protects personal and other sensitive data.

Verification Systems

The various guidelines exist for mobile applications, web applications and backend systems. The Technical Guideline examines the minimum security standards for these applications. The following points are checked:

  • Application purpose
  • Architecture
  • Source code
  • Third-party Software
  • Cryptographic Implementation
  • Authentication
  • Data Security
  • Paid Resources
  • Data Storage and Data Protection
  • Network Communication
  • Platform-specific Interactions
  • Resilience


The BMG's Technical Guidelines are an important tool for ensuring security and data protection in the development of digital applications in the healthcare sector. The specified verification criteria enable developers to check that their applications are secure and compliant with data protection requirements. This not only protects the privacy of users, but also helps to improve the healthcare system as a whole.

Technical Guidelines TR-03161