What about the security of health apps?

Tracking calories, being reminded to take medication or monitoring your heart rate - with the help of health apps, it is now possible to manage your own health digitally. At the same time, however, there are more and more reports of security gaps and vulnerabilities being discovered. This becomes particularly critical when sensitive data is involved.

A woman holds a smartphone in her hand. | TÜVIT
06.07.2023 | Essen

IT security vs. sensitive data

As a digital assistant, the smartphone has become something many people can no longer imagine their everyday life without, whether for navigation, quick searches on the web or as a personal organiser. A similar trend is emerging in the health sector, where health apps are becoming increasingly popular. At the same time, reports of security vulnerabilities are increasing, and many a user will have found themselves wondering whether their own data is really secure in the app.

Experts repeatedly discover security vulnerabilities

Time and again, IT security experts come across vulnerabilities, some of which are serious. In the worst-case scenario, cybercriminals could use these to gain access to sensitive data, such as diagnoses of physical and mental illnesses or medication. The entry points discovered in the past include:

  • The forgotten-password function: In some cases, it could be used to determine whether a person was registered on a certain platform, and thus to draw conclusions about their state of health.
  • Faulty end-to-end encryption: In some applications, IT security experts were able to read private doctor-patient chats because the end-to-end encryption was inadequate.
  • No secure identity verification: In some cases, users did not have to confirm their identity in any way. This makes it possible for an attacker to impersonate an existing patient, for example, and so obtain that person's personal data.
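As an added example that is not part of the TÜVIT article, the following Python sketch shows the account-enumeration problem behind the first bullet next to a hardened version of the same endpoint, plus a small check a tester could run against both. The user store, the mail hook and the response texts are constructed placeholders, not code from any real app.

```python
"""Constructed example: a 'forgot password' endpoint that leaks whether an
account exists, beside a hardened version that answers identically either way."""
import hashlib
import secrets

# Constructed in-memory user store (e-mail -> account active?).
USERS = {"patient@example.org": True}

# Hypothetical outbox: records (recipient, sha256(token)) instead of sending mail.
SENT: list[tuple[str, str]] = []


def _queue_reset_mail(email: str, token: str) -> None:
    """Placeholder for the real mail sender; only a hash of the token is kept."""
    SENT.append((email, hashlib.sha256(token.encode()).hexdigest()))


def leaky_forgot_password(email: str) -> tuple[int, str]:
    """Vulnerable: status code and message reveal whether the e-mail is registered.
    On a health platform that alone can disclose that someone is a patient."""
    if email in USERS:
        return 200, "A reset link has been sent to your e-mail address."
    return 404, "No account exists for this e-mail address."


def hardened_forgot_password(email: str) -> tuple[int, str]:
    """Hardened: the same status and wording for registered and unknown addresses.
    A reset token is issued only for real accounts, but that difference never
    shows in the reply (response time should be equalised too, e.g. by queuing
    the mail asynchronously, which this sketch does not model)."""
    if email in USERS:
        _queue_reset_mail(email, secrets.token_urlsafe(32))
    return 200, "If an account exists for this address, a reset link has been sent."


def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """Test helper: True if the handler answers differently for a registered
    and an unregistered address (status or body), i.e. it enables enumeration."""
    status_known, body_known = handler(known)
    status_unknown, body_unknown = handler(unknown)
    return status_known != status_unknown or body_known != body_unknown
```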
Need for action regarding the security of health apps

This clearly shows that there is still some catching up to do in terms of IT security and data protection in the booming health app market. Strict regulations already apply to digital health applications (DiGA) that can be prescribed by doctors. However, health apps that do not fall under these strict requirements are not currently regulated. This means that it is up to the providers to decide which data protection measures are actually taken and implemented. However, the Technical Guideline TR-03161, which was developed by the German Federal Office for Information Security (BSI), brings trust and transparency to the market.
Strengthening trust with BSI TR-03161

The standard serves as a guideline for developers of healthcare applications to create secure solutions and to consider and implement IT security and data protection from the outset. The main aim of TR-03161 is to protect the confidentiality, integrity and availability of medical data collected by (digital) healthcare applications. The standard contains security requirements for mobile applications (TR-03161-1) as well as for web applications (TR-03161-2) and background systems (TR-03161-3). Aspects such as architecture, cryptographic implementation and network communication are considered.

With the help of TR-03161, manufacturers can put their (digital) healthcare application to the test, uncover potential vulnerabilities and improve the security of their own application in a targeted manner. At the same time, this leads to greater trust on the part of users, who know that their sensitive data is in safe hands. After all, the security vulnerabilities that have come to light so far show that regular app security checks are not only important, but absolutely necessary in order to adequately protect sensitive data.

Find out more about BSI TR-03161