BSI TR-03161 explained
The IT security of your healthcare application tested in accordance with BSI TR-03161
Healthcare applications store and process large amounts of sensitive personal data, much of it health data that falls into the most highly protected category. It is therefore particularly important for manufacturers of healthcare applications to take basic security standards into account from the outset, as defined in the BSI Technical Guideline TR-03161, and to implement them accordingly.
The BSI Technical Guideline TR-03161 aims to protect the confidentiality, integrity and availability of medical data collected by digital health applications.
It was developed by the German Federal Office for Information Security (BSI) and serves as a guideline for developers of healthcare applications when creating secure solutions. It defines the minimum requirements for the IT security of mobile applications, web applications and/or background systems used in the healthcare sector.
BSI TR-03161 is primarily aimed at manufacturers of applications in the healthcare sector. It can also serve as a guideline for other applications that process or store sensitive data.
In order to be listed in the DiGA directory of reimbursable digital health applications, the following requirements must be met:
A certificate in accordance with BSI TR-03161 has a formal validity of five years. However, a certificate issued under this certification programme is only valid for the exact version of the product that was tested in the conformity assessment.
If changes are made to a certified product, the result is a new version or configuration for which the issued certificate is not valid. If conformity with the requirements of BSI TR-03161 is also to be confirmed for a modification or further development of a certified product, an application for re-certification or certificate maintenance can be submitted to the BSI.
Depending on the object of evaluation, various additional services or pieces of information may be required from the customer for the evaluation, for example
The three parts of TR-03161 each describe the technical requirements and testing aspects (e.g. architecture, cryptographic implementation, network communication) for one class of component of a digital health application.
Part 1: Mobile applications
Part 1 of BSI TR-03161 is aimed at applications on mobile devices and describes the minimum requirements for their secure operation. It builds on international standards such as the ENISA "Smartphone Secure Development Guidelines" [SSDG] and the OWASP "Mobile Application Security Verification Standard" [MASVS].
Part 2: Web applications
Part 2 of BSI TR-03161 contains threat scenarios and testing aspects relating to web applications in the healthcare sector. This part takes into account international standards such as the OWASP "Application Security Verification Standard" [ASVS] and the OWASP "Web Security Testing Guide" [WSTG], and defines minimum requirements for the secure operation of web applications.
Part 3: Background systems
Part 3 of BSI TR-03161 contains requirements for background systems in the healthcare sector, in particular for the use of cloud computing. This part covers the BSI's general recommendations for securing background systems as well as international standards such as the OWASP Top 10.