DiGA contribute to professional medical care, especially the detection, monitoring, treatment, or alleviation of illnesses and injuries. The applications are used either by the patient alone or together with the treating physician. For example, the applications enable the collection of more precise diagnostics through the continuous recording of health values. The course of the illness and the progress made towards recovery can be tracked and analyzed seamlessly. In practice, these applications also help the patient avoid unnecessary appointments with doctors, which reduces the overall effort needed for treatment.
As defined by the General Data Protection Regulation (GDPR), providers and operators of DiGA must ensure the integrity and confidentiality of the data they process. To guarantee this, data controllers must take suitable technical and organizational measures, such as data encryption or pseudonymization. In accordance with the Digital Health Applications Ordinance (DiGAV), and similar to what is required under the rules governing health insurance funds (Section 80 SGB X), data must be processed within the Federal Republic of Germany, the member states of the EU, the contracting states of the Agreement on the European Economic Area (EEA) and Switzerland, or in states for which an adequacy decision exists in accordance with Article 45 GDPR.
The same methods used to protect other sensitive business processes apply to the protection of DiGA. Dedicated security systems designed to protect against DDoS attacks on the online platforms themselves and the server infrastructure behind them can reliably defend against traffic flooding attacks across all relevant network layers. Automated access to the applications by bots should also be identified as such and blocked where necessary, in order to effectively counter brute force, credential stuffing, and credential cracking. The most common attack vectors for web applications are addressed by a professionally implemented WAF solution, which also allows operating companies to minimize the risk posed by any security gaps in the DiGA themselves. Continuous monitoring, regular security audits, and penetration tests round off the range of protective measures.
Myra Security develops and operates highly certified protection solutions to secure digital business processes. As a specialist provider for sensitive and critical infrastructure, we have many years of experience protecting companies and organizations in the healthcare, finance, and insurance industries as well as in the critical infrastructure and government sectors. Customers in these highly regulated areas benefit from certified security and compliance with GDPR, IT-SiG, BSI-KRITIS, and industry-specific standards.