Updated DiGA guide: What DiGA manufacturers should know

Since the Digital Healthcare Act (DVG) came into force, it has been possible for doctors and psychotherapists to prescribe "apps on prescription". Prior to this, a digital health application (DiGA) must successfully pass a test procedure at the Federal Institute for Drugs and Medical Devices (BfArM). The associated guidelines were updated on 11 October.

Medical professionals working with a tablet. | TÜVIT
24/10/2024 | Essen

Higher requirements for penetration tests & new deadlines

The revision of the DiGA guidelines calls for penetration tests to be carried out primarily by BSI-certified test centres in future. They should also include mandatory code reviews and whitebox tests. While pentests under the Digital Health Applications Ordinance (DiGAV) were previously only prescribed for DiGAs with increased protection requirements, they will be mandatory for all DiGAs once the Digital Healthcare Modernisation Act (DVPMG) comes into force. This means that carrying out penetration tests is now one of the "basic requirements that apply to all digital healthcare applications" (Annex 1). This results in two relevant deadlines for DiGA manufacturers - depending on the status of the application process:

  • 31.01.2024: This deadline applies to DiGA manufacturers that are either already in the application process before 01.02.2024 or are already listed in the DiGA directory. They must prove that the pentests already carried out fulfil the new requirements; proof from the relevant IT security service provider is required for this. If the penetration test does not fulfil the new requirements, the DiGA manufacturer must provide a timetable for when it will be completed in accordance with the updated requirements. Proof that the penetration test has been carried out (including the elimination of any vulnerabilities found) must be available by 31 January 2024 at the latest.
  • 01.02.2024: From 01.02.2024, a pentest in accordance with the new requirements is a prerequisite for the formal completeness of the application. This includes manual code reviews, whitebox tests and the prioritised execution of the pentest by a BSI-certified test centre.

With the DVPMG coming into force, security as a process is becoming even more important than before. In this context, penetration tests are seen as an essential means of ensuring the security of data across the entire application process and all conceivable usage scenarios. This is because pentests can be used to replicate possible attack patterns with the aim of uncovering any existing security vulnerabilities.

Penetration tests are therefore mandatory for all DiGAs with immediate effect. This means that a penetration test must have been carried out for all components (including all backend components) of the product version whose inclusion in the DiGA directory is being applied for. The test concept is based on the BSI's implementation concept for penetration tests and the current OWASP Top 10 security risks.

If, for example, new interfaces to the Internet are added over time or libraries relevant to external connections are updated, the pentest must be repeated for the specific application.

With TÜVIT for a compliant pentest

Personal data is particularly worthy of protection. This applies in general, but especially when health data, such as diagnoses of physical and mental illnesses or medication, are involved. With the help of pentests, we support you in identifying potential weaknesses within your DiGA at an early stage and in providing the necessary proof to the BfArM.

As an ISO 17025 BSI-certified test centre, we can look back on decades of experience in carrying out penetration tests and have already successfully tested many healthcare applications. We scrutinise both mobile apps and web applications. We use a combination of automated and manual whitebox tests to achieve meaningful and high-quality results. The BSI's implementation concept for penetration tests and the OWASP Top 10 risks for web applications and mobile apps serve as the basis for testing.

Would you also like to submit an application for authorisation to the BfArM for your digital health application or do you need to have your DiGA retested in line with requirements? Then please get in touch with us!

Find out more about our services in the healthcare sector

Learn more about BSI TR-03161.