Growing Emphasis on Security for Digital Health Apps in Germany
The European mHealth market was valued at USD 14,162 million in 2019 and is expected to grow at a 39.0% CAGR from 2020 to 2026, a sign that adoption of mobile health apps in Europe is growing steadily. Germany has been moving quickly to stay at the forefront of securing mobile health applications and of using them to bring meaningful change to healthcare.
In this blog, we will cover the following:
- Germany introduced the Digital Healthcare Act, one of whose main objectives is the introduction of DiGA (Digitale Gesundheitsanwendungen, in English Digital Health Applications), regulated by the DiGAV ordinance. What does this mean for companies developing medical health apps?
- How can you get your medical health apps listed in the DiGA directory using the Fast Track process?
- Why are we talking about DiGA now?
- How can thorough mobile application testing and protection techniques ensure a spot in the DiGA directory?
Digital Healthcare Act (DVG)
In late 2019, Germany introduced the Digital Healthcare Act (Digitale-Versorgung-Gesetz, or DVG), which created the category of Digitale Gesundheitsanwendungen (DiGA), in English Digital Health Applications; the Digital Health Applications Ordinance (DiGAV) sets out the procedure and requirements for them. The Digital Healthcare Act establishes the legal framework under which around 73 million people insured under the Statutory Health Insurance (SHI) scheme are entitled to use DiGAs. Simply put, DiGAs are digital health applications that doctors can prescribe to patients for various diagnoses; essentially, they are "prescription apps."
Fast-track process
Since 2020, patient-facing medical apps that are CE-marked as low-risk medical devices (Class I and Class IIa) have been able to apply for fast-track market entry in Germany. The DiGA fast-track process significantly reduces time to market without compromising patient safety.
Under the fast-track process, the Federal Institute for Drugs and Medical Devices (BfArM) has three months to evaluate the DiGA after receiving the application through its portal. Once an app meets all the criteria, it is listed in the DiGA directory.
The details of getting your health app approved can be found in this guide, among other reading materials published by BfArM. The DiGAV contains a checklist that manufacturers can use to verify whether their software complies with the security, quality, and interoperability requirements.
The sequence below depicts the complete fast-track approval process:
Why are we talking about it now?
In September 2022, the BfArM published new, more stringent data protection criteria that a new DiGA must meet to be certified. These are covered by the First Amendment to the Digital Health Applications Ordinance (1. DiGAVÄndV) and the amendment to Section 139e of the Social Security Code V (SGB V). With this, the BfArM is among the first regulators in Europe to define a specific data protection certification to strengthen patient rights.
As adoption of mHealth apps increases and the approval process evolves, mobile health app security and data protection have become matters of utmost concern. As an app developer, if you want your app listed in the DiGA directory, you must make sure that security and data protection are addressed within the app itself.
France is following a similar path: the Délégation du Numérique en Santé (Digital Health Delegation), attached to the Ministry of Health, has set out an ambitious roadmap for deploying digital health transformation projects across France, and has recently introduced a fast-track access pathway for some digital health products, joining the likes of Germany and Belgium. With more countries across Europe promoting the digitization of healthcare, security and protection need to be part of the conversation as healthcare embraces mobile applications.
How Guardsquare can help
Guardsquare's approach to mobile app security integrates into every stage of the software development lifecycle, which helps mobile health app developers meet BfArM's DiGA requirements and get their apps approved through the fast-track process. Guardsquare's mobile application protection, testing, and monitoring products are designed to secure your app from the early stages of development through deployment and beyond.
Guardsquare's protection solutions, DexGuard (for Android) and iXGuard (for iOS), protect your mHealth and mobile medical apps against tampering through multiple layers of code hardening and Runtime Application Self-Protection (RASP) checks. In addition, the protection is polymorphic: the layers applied to each build differ from those of the previous build, so analysis and patches developed by a malicious actor against one build do not carry over once the code is rebuilt.
The Ordinance on the procedure and requirements for checking the eligibility for reimbursement of digital health applications in statutory health insurance (Digital Health Applications Ordinance - DiGAV), Annex 1 Section 32a states:
"... security, and, as far as applicable, also takes into account the current OWASP Top 10 security risks, and can he submit corresponding evidence of the implementation of the penetration tests and the elimination of the vulnerabilities found?"
AppSweep, Guardsquare's Mobile Application Security Testing (MAST) product, helps developers identify and fix security issues in their own code and in their dependencies during development, by providing actionable recommendations and insights aligned with the OWASP MASVS categories. An automated MAST tool like AppSweep gives fast, accurate, and actionable feedback that improves the security posture of a mobile app throughout the development cycle. Pentesting and MAST work towards the same goal, but a free MAST tool like AppSweep can be integrated into the SDLC and scans the health app continuously for security issues; this is cost-effective, efficient, and gives developers more control over security testing. Pentesting will likely remain a necessary step to demonstrate that a medical health app is as secure as possible and to meet the BfArM requirements for listing, but scanning the app with a MAST tool beforehand makes the pentest more effective and efficient.
Our real-time monitoring solution, ThreatCast, provides insight into the threats that mobile medical apps face once they are in users' hands, including debugging and hooking tools, repackaging attempts, privilege escalation, emulators, virtual environments, and more. This enables proactive analysis of attack attempts and adjustment of your security approach.
Germany is an early adopter and trendsetter for EU-wide regulatory changes such as the Medical Device Regulation (MDR), with national legislation like the DVG building on them. A company developing medical applications in this evolving ecosystem must prioritize application security and protection, not only to get listed in the DiGA directory but also to earn trust in the market. A free MAST tool like AppSweep is a first step toward remaining compliant and ensuring safety.
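To make the RASP checks and threat categories named above (debugger attachment and hooking frameworks) concrete, here is a minimal pair of such checks of the kind an Android or Linux native library might run. This is an added illustration, not Guardsquare's code and not code from the original page: the function names, the needle list of hooking-framework library names, and the constructed /proc samples in the comments are all assumptions. The checks parse /proc/self/status (the TracerPid field is non-zero when a ptrace-based debugger is attached) and /proc/self/maps (loaded shared objects, where an instrumentation framework's library shows up); on a non-Linux system the live checks report -1 rather than guessing.

```c
/* Two simple RASP-style self-checks (illustrative, not Guardsquare's code):
 *  - debugger detection: TracerPid in /proc/self/status is non-zero when a
 *    ptrace-based debugger is attached;
 *  - hooking-framework detection: a known instrumentation library is mapped
 *    into the process, visible in /proc/self/maps.
 * The parsers take text so they can be exercised on constructed samples;
 * the live wrappers read the real proc files on Linux/Android. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field out of /proc/<pid>/status text.
 * Returns the tracer's pid (0 = no tracer attached), or -1 if the field is
 * absent or malformed. */
int tracer_pid_from_status(const char *status_text)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "TracerPid:", 10) == 0) {
            char *end;
            long v = strtol(p + 10, &end, 10);   /* skips the tab after the label */
            if (end == p + 10) return -1;        /* no digits after the label */
            return (int)v;
        }
        p = strchr(p, '\n');                     /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Return 1 if the /proc/<pid>/maps text mentions any substring in `needles`
 * (NULL-terminated array), 0 otherwise. */
int maps_has_suspicious_lib(const char *maps_text, const char *const *needles)
{
    for (const char *const *n = needles; *n; n++)
        if (strstr(maps_text, *n)) return 1;
    return 0;
}

/* Read a small proc file fully into a malloc'd, NUL-terminated buffer. */
static char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {                    /* grow before the next chunk */
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
            cap *= 2;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

/* Live check: 1 = a tracer is attached, 0 = clean, -1 = could not determine
 * (for example, no /proc on this platform). */
int debugger_attached(void)
{
    char *s = read_file("/proc/self/status");
    if (!s) return -1;
    int pid = tracer_pid_from_status(s);
    free(s);
    return pid < 0 ? -1 : (pid > 0);
}

/* Assumed needle list: substrings of library names used by common hooking
 * frameworks. A real product keeps a broader, maintained list. */
static const char *const HOOK_LIB_NEEDLES[] = { "frida", "xposed", "substrate", NULL };

/* Live check: 1 = a hooking library is mapped, 0 = clean, -1 = unknown. */
int hooking_library_loaded(void)
{
    char *m = read_file("/proc/self/maps");
    if (!m) return -1;
    int hit = maps_has_suspicious_lib(m, HOOK_LIB_NEEDLES);
    free(m);
    return hit;
}

int main(void)
{
    printf("debugger attached:      %d\n", debugger_attached());
    printf("hooking library mapped: %d\n", hooking_library_loaded());
    return 0;
}
```

Run it plainly and both checks print 0 on a clean Linux box; run it under `strace` or `gdb` and the first prints 1. Note that these are detection checks only: a product-grade RASP layer also has to decide how to react (crash, degrade, report) and must itself be hardened, since a reverser who can find `tracer_pid_from_status` can simply patch it out, which is why such checks are combined with code hardening rather than used alone.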
Scan your app for free, and use the actionable recommendations to develop a robust mobile health application.