This article covers the data security measures that the parties involved in operations with digital health products are expected to put in place.
The German regulating authority in the sphere of healthcare products (BfArM) has published a guidance document dedicated to the regulatory status of digital health applications (DiGA).
The document provides an overview of the respective regulatory requirements based on the existing legal framework and also highlights the key points to be taken into consideration by medical device manufacturers (software developers) and other parties involved to ensure compliance thereto.
At the same time, the provisions of the guidance are non-binding in their legal nature, and they are not intended to introduce new rules or impose new obligations.
The authority also reserves the right to make changes to the guidance and recommendations provided therein, should such changes be reasonably necessary to reflect corresponding amendments to the underlying legislation.
Data Security: Key Points
First of all, the authority emphasizes the importance of data security, focusing on the protection of confidentiality, integrity, and availability of data processed via a DiGA.
The DiGAV (Digital Health Applications Ordinance) divides data security requirements into two groups:
- Basic Requirements: Applicable to all digital health applications. They must be met without exceptions unless they are irrelevant to specific DiGA types.
- Additional Requirements for High Protection Needs: These are for DiGA that require extensive protection due to the nature of data processed, supply scenarios, or usage context.
The DiGAV data security specifications derive from publications and recommendations of the Federal Office for Information Security (BSI).
They incorporate processes from BSI standards 200-1, 200-2, and 200-3, supplemented by elements from the IT-Grundschutz compendium related to DiGA.
It is also important to note that the BSI will clarify data security requirements for DiGA verification by January 1, 2024.
From June 1, 2024, the BSI will provide compliance verification processes. Manufacturers must show compliance by January 1, 2025.
Information Security Management System (ISMS)
The scope of the guidance covers, inter alia, the matters related to the information security management system to be designed and implemented by a responsible party.
The authority acknowledges that ensuring information security is challenging due to rapidly evolving threats and DiGA developments.
The DiGAV promotes the idea of treating information security as an ongoing process integrated within an organization rather than a set of technical measures.
This approach is further supported within an ISMS, as described in ISO Standard 27001 and the BSI Standard 200-1.
As explained by the authority, the applicable requirements for the ISMS were detailed in the DiGAV. From April 1, 2022, an ISMS that aligns with ISO 27001 or its counterpart based on IT-Grundschutz is mandatory.
Security as a Process
Independently of the ISMS requirement that took effect on April 1, 2022, the DiGAV mandates several processes for all DiGA so that security is treated as an ongoing process, including:
- Protection Needs Analysis: Manufacturers must analyze DiGA to determine data protection needs. Significant changes to DiGA will necessitate a re-evaluation.
- Release, Change, and Configuration Management: The manufacturer must set up processes that ensure rapid updates and releases align with regulatory guidelines.
- Penetration Tests: DiGA manufacturers must conduct tests to replicate possible attacks and identify security vulnerabilities.
Tests are primarily to be conducted by BSI-certified centres and, importantly, repeated when significant changes occur.
- Directory of Libraries Used and Market Observation: Manufacturers must maintain a directory of third-party products used in DiGA and establish market surveillance processes.
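The directory of third-party components is the one item in this list that is straightforward to automate, and keeping it machine-readable also makes the "significant change" trigger for re-analysis and repeated testing checkable. The following is an added example, not code from the BfArM guidance or from any DiGA manufacturer: it builds a component directory from a pinned requirements file, fingerprints it so a release record can reference the exact component set that was tested, and reports what changed since the previously recorded directory. The package names, versions and file format are constructed sample data; the JSON layout of the stored directory is an assumption.

```python
"""Added example (not from the BfArM guidance or any DiGA project): a minimal
directory of third-party components, with change detection between releases.

Assumptions (constructed for illustration): the component list lives in a
pip-style requirements file; previous directories are stored as JSON; the
package and version names below are made-up sample data.
"""
import hashlib
import json
import re
from dataclasses import dataclass, asdict

# Constructed sample input: the requirements file of the current release.
REQUIREMENTS_NOW = """\
# hypothetical DiGA backend dependencies
cryptography==41.0.7
django==4.2.7
requests==2.31.0
pyjwt==2.8.0
"""

# Constructed sample: the directory recorded at the previous release.
PREVIOUS_DIRECTORY = json.dumps([
    {"name": "cryptography", "version": "41.0.4", "ecosystem": "pypi"},
    {"name": "django", "version": "4.2.7", "ecosystem": "pypi"},
    {"name": "requests", "version": "2.31.0", "ecosystem": "pypi"},
    {"name": "celery", "version": "5.3.4", "ecosystem": "pypi"},
])

# Only exact pins (name==version) are accepted.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.\-+]+)\s*$")


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    ecosystem: str = "pypi"


def parse_requirements(text: str) -> list[Component]:
    """Build the component directory from pinned requirements.

    An unpinned component cannot be recorded in a directory or matched
    against advisories during market observation, so it is rejected.
    """
    components = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        components.append(Component(m.group(1).lower(), m.group(2)))
    return sorted(components, key=lambda c: c.name)


def directory_fingerprint(components: list[Component]) -> str:
    """Stable SHA-256 over the canonical JSON form of the directory, so a
    release or test report can reference exactly the component set used."""
    canonical = json.dumps([asdict(c) for c in components], sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_directories(previous_json: str, current: list[Component]) -> dict:
    """Report added, removed and version-changed components since the stored
    directory. A non-empty result is the signal to decide whether the change
    is significant enough to repeat the protection needs analysis and tests."""
    prev = {c["name"]: c["version"] for c in json.loads(previous_json)}
    cur = {c.name: c.version for c in current}
    return {
        "added": sorted(set(cur) - set(prev)),
        "removed": sorted(set(prev) - set(cur)),
        "changed": sorted(n for n in set(cur) & set(prev) if cur[n] != prev[n]),
    }


if __name__ == "__main__":
    now = parse_requirements(REQUIREMENTS_NOW)
    print("directory fingerprint:", directory_fingerprint(now))
    print(json.dumps(diff_directories(PREVIOUS_DIRECTORY, now), indent=2))
```

On the sample data the diff reports pyjwt as added, celery as removed and cryptography as version-changed; each entry is a candidate for the re-evaluation described above, and the fingerprint of the new directory is what a release record would store next to the test results.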
BSI Basic Protection Modules and Technical Guidelines
As mentioned above, the data security requirements derive from the BSI IT-Grundschutz catalogues.
The BSI IT Baseline Protection Compendium describes potential IT security threats and countermeasure requirements. These guidelines help clarify which requirements apply to specific technologies.
For instance, a requirement such as central authentication applies mainly to web applications, while others, such as authorization checks, are already built into the platform (e.g., Android and iOS).
Requirements for Increased Protection Needs
For DiGA with high protection requirements, additional precautions are necessary. These include, inter alia, the following:
- Encrypted Data Storage: Data on servers (e.g., in clouds) must be encrypted. The encryption method (hard drive encryption, database encryption, etc.) and key management depend on protection needs and risk analysis.
- Two-factor Authentication for Health Data Access: Only individuals with two-factor authentication can access health data.
In summary, the document emphasizes that data security is vitally important for digital health applications.
The DiGAV, supported by BSI guidelines, provides a comprehensive framework to ensure that data is protected at all levels, with special attention to continuous improvement and adaptation to the evolving digital landscape.
How Can RegDesk Help?
RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.