/

What are DiGA?

Digital health applications (DiGA) are virtual medical products that are available as apps for mobile devices or as browser applications. These applications are used for self-diagnosis – as electronic diaries for diabetics or as a medication plan –, as interactive therapy software, as well as in other areas. The solutions require a prescription and must be approved by the Federal Institute for Drugs and Medical Devices (BfArM).

At one
look

  1. 01. A definition of DiGA
    1. 02. How do I obtain a DiGA?
      1. 03. What are the advantages of DiGA?
        1. 04. Which DiGA exist?
          1. 05. How secure are DiGA?
            1. 06. DiGA data protection
              1. 07. DiGA data security
                1. 08. What are the risks of using DiGA?
                  1. 09. How can DiGA be protected from cyber attacks?
                    1. 10. What you need to know about DiGA
                      /

                      01

                      A definition of DiGA

                      The Digital Healthcare Act (DVG), which has been in force since December 19, 2019, forms the legal basis for DiGA. The regulation was intended to promote innovation in the healthcare system and improve patient care, including by introducing new health applications for low risk classes along with other solutions. Statutory health insurance covers the costs of DiGA. In order to provide new solutions as quickly and with the least amount of bureaucracy as possible, BfArM first checks the products to make sure that they are safe, functional, high quality, and comply with data security best practices and laws. After the one-year trial phase, the manufacturers must prove the specific utility of the solutions. The software must provide positive healthcare outcomes, whether by providing medical benefits (improving the state of health, shortening the duration of illness, etc.) or by making structural and procedural improvements (coordinating treatment, ensuring adherence, reducing effort, etc.). If studies can show that the application provides such advantages, it may be permanently listed in the official DiGA directory.

                      /

                      02

                      How do I obtain a DiGA?

                      Solutions from the DiGA directory may be prescribed by doctors. Persons covered by the GKV (German statutory health insurance) then receive the activation codes from their health insurance fund that they can then use to obtain the app. These keys can be used to obtain the DiGA from app stores on smartphones and tablets or directly from the manufacturer’s website.

                      03

                      What are the advantages of DiGA?

                      DiGA contribute to professional medical care, especially the detection, monitoring, treatment, or alleviation of illnesses and injuries. The applications are used either by the patient alone or together with the treating physician. For example, the applications enable the collection of more precise diagnostics through the continuous recording of health values. The course of the illness and the progress made towards recovery can be tracked and analyzed seamlessly. In practice, these applications also help the patient avoid unnecessary appointments with doctors, which reduces the overall effort needed for treatment.

                      /

                      04

                      Which DiGA exist?

                      Digital health applications are now available for a wide range of use cases. The spectrum ranges from solutions for the accompanying treatment of anxiety disorders, panic attacks, and depression to apps for diseases such as multiple sclerosis, breast cancer, tinnitus, or joint pain, and applications to help quit smoking. The DiGA directory listing all current applications can be accessed on the BfArM website.

                      /

                      05

                      How secure are DiGA?

                      In principle, the BfArM checks the applications for compliance with data security and data protection requirements. Since sensitive health data is generated and processed during use, the strictest regulatory requirements apply here.

                      06

                      DiGA data protection

                      As defined by the General Data Protection Regulation (GDPR), providers and operators of DiGA must ensure the integrity and confidentiality of the processed data. In order to guarantee this, data controllers must take suitable technical and organizational measures. These include data encryption or pseudonymization technologies. In accordance with the Digital Health Applications Ordinance (DiGAV) and similar to what is required under the rules governing health insurance funds (Section 80 SGB X), data must be processed locally in the Federal Republic of Germany, the member states of the EU, the contracting states of the Agreement on the European Economic Area (EEA) and Switzerland, or in states for which there is an adequacy decision in accordance with Article 45 GDPR. Processing of the data outside the EU is not permitted on the basis of Article 46 GDPR (standard contractual clauses) or Article 47 (binding corporate rules). Due to the invalidation of the Privacy Shield as a result of the Schrems II ruling of 2020, the processing of health data by contractors or service providers from the USA is no longer permitted.

                      /

                      07

                      DiGA data security

                      There are extensive data security specifications for DiGA. The DiGAV alone stipulates the following requirements: State-of-the-art protection, an information security management system (ISMS) in accordance with the ISO 27000-series or BSI standard 200-2, protection against DoS attacks, protection needs analyses, data leakage prevention, penetration tests, and compliance with specific requirements for the product itself, e.g., authentication and authorization, logging, or hardening. There are also further requirements which in turn are derived from the Medical Devices Regulation 2017/745 (MDR) or the DVG. The highest level of expertise in cybersecurity is required from operating companies and service providers in order to ensure full compliance. This is the only way to consistently ensure the protection of sensitive health data.

                      /

                      08

                      What are the risks of using DiGA?

                      As with all digital solutions, DiGA also present risks of unpredictable peak loads, hacker attacks, or malware. Depending on the type of application, platforms or interfaces that are used to communicate over the Internet are at particular risk. Cybercriminals can target these platforms to cripple the application using DDoS attacks, for instance. Bot-based attacks to obtain valid login data from users are also feasible. As soon as the attackers gain access to the stored accounts, they can view all the stored health data and abuse this information to blackmail the data subjects. In addition, DiGA present the risk that cybercriminals can manipulate the information stored there to trigger misdiagnoses and unsuitable medications. In such cases, the attacks target the health of the data subjects.

                      09

                      How can DiGA be protected from cyber attacks?

                      The same methods that are used to protect other sensitive business processes apply to the protection of DiGA. Dedicated security systems designed to protect against DDoS attacks on the online platforms themselves and the server structures behind them can be used to reliably defend against traffic flooding attacks across all relevant network layers. Automated access to the applications by bots should also be registered as such and prevented if necessary to effectively combat brute force, credential stuffing, or credential cracking. The most common attack vectors for web applications are addressed by a professionally implemented WAF solution that allows operating companies to also minimize the risk of any security gaps in the DiGA themselves. Continuous monitoring, regular security audits, and penetration tests round off the range of protective measures.

                      /

                      10

                      What you need to know about DiGA

                      DiGA are medical applications that are prescribed to patients. The solutions are used for diagnostic and treatment purposes, among other things. These digital tools for smartphones, tablets, and PCs are meant to supplement classic treatment methods by continuously recording and evaluating vital signs, for instance. Moreover, the applications serve to reduce the treatment effort required by all sides without making compromises on care. Patients receive DiGA as a prescription from their treating physician or on their own initiative by applying to the statutory health insurance fund. All DiGA are reviewed by the BfArM and are checked for safety, functionality, quality, data security, and data protection. Since the applications are used to process sensitive health data, the data protection and data security requirements are very high. Therefore, a high level of expertise and industry knowledge is required from operating companies and affiliated service providers to ensure protection in line with the needs. This is the only way to minimize the attack surface for cyber attacks.

                      Myra is the specialist provider for the healthcare sector

                      Myra Security develops and operates highly certified protection solutions to secure digital business processes. As a specialist provider for sensitive and critical infrastructure, we have many years of experience protecting companies and organizations in the healthcare, finance, and insurance industries as well as in the critical infrastructure and government sectors. Customers in these highly regulated areas benefit from certified security and compliance with GDPR, IT-SiG, BSI-KRITIS, and industry-specific standards.

                      © Myra Security GmbH 2023, alle Rechte vorbehalten

                      Responsible DisclosureGlossarImpressumDatenschutzAGB