As a digital assistant, the smartphone has become something many people can no longer imagine their everyday life without, whether for navigation, quick searches on the web or as a personal organiser. A similar trend is emerging in the health sector, where health apps are becoming increasingly popular. At the same time, reports of security vulnerabilities in such apps are on the rise, and many a user will have found themselves wondering whether their own data is really secure in the app.
Experts repeatedly discover security vulnerabilities
Time and again, IT security experts come across vulnerabilities in health apps, some of them serious. In the worst case, cybercriminals could use these to gain access to sensitive data such as diagnoses of physical and mental illnesses or medication details. The entry points discovered in the past include:
Need for action regarding the security of health apps
This clearly shows that there is still some catching up to do in terms of IT security and data protection in the booming health app market. Strict regulations already apply to digital health applications (DiGA) that can be prescribed by doctors. Health apps that do not fall under these strict requirements, however, are currently unregulated, so it is left to the providers to decide which data protection measures are actually taken and implemented. The Technical Guideline TR-03161, developed by the German Federal Office for Information Security (BSI), brings trust and transparency to this part of the market.
Strengthening trust with BSI TR-03161
The standard serves as a guideline for developers of healthcare applications to create secure solutions and to consider and implement IT security and data protection from the outset. The main aim of TR-03161 is to protect the confidentiality, integrity and availability of medical data collected by (digital) healthcare applications. The standard contains security requirements for mobile applications (TR-03161-1) as well as for web applications (TR-03161-2) and background systems (TR-03161-3). Aspects such as architecture, cryptographic implementation and network communication are considered.
With the help of TR-03161, manufacturers can put their (digital) healthcare application to the test, uncover potential vulnerabilities and improve the security of their own application in a targeted manner. This in turn builds trust among users, who know that their sensitive data is in safe hands. After all, the security vulnerabilities that have come to light so far show that regular app security checks are not only important but absolutely necessary in order to adequately protect sensitive data.
Personal data is particularly worthy of protection. This applies in general, but especially when health data such as diagnoses of physical and mental illnesses or medication details are involved. With the help of pentests, we support you in identifying potential weaknesses within your DiGA at an early stage and in providing the necessary proof to the BfArM.
As an ISO 17025 BSI-certified test centre, we can look back on decades of experience in carrying out penetration tests and have already successfully tested many healthcare applications. We scrutinise both mobile apps and web applications. We use a combination of automated and manual whitebox tests to achieve meaningful and high-quality results. The BSI's implementation concept for penetration tests and the OWASP Top 10 risks for web applications and mobile apps serve as the basis for testing.
Would you also like to submit an application for authorisation to the BfArM for your digital health application or do you need to have your DiGA retested in line with requirements? Then please get in touch with us!