Data protection and information security of digital health applications (DiGA)

Ensuring data privacy and information security frequently poses a challenge for manufacturers of digital health applications (DiGA). This is often caused by a low level of maturity of the application development organization and a lack of expertise in the intersection between regulatory requirements and applied information security. As a result, critical mistakes are made during implementation, requirement analysis, and process design. These must be avoided. This paper presents the requirements and solutions derived from and in compliance with the General Data Protection Regulation, the state of the art, other regulations that must be taken into account, the Digital Healthcare Act (DVG), and the corresponding ordinance. In order to derive specific requirements according to the state of the art and considering the identified level of protection with regard to the fundamental objectives of information security, such as confidentiality, integrity and availability, reference is made to important standards and norms. In the spirit of a how-to for manufacturers, the authors then directly address the most important deficiencies regarding authentication, consent, and authorization and give appropriate recommendations. The authors see further support for manufacturers from the Federal Institute for Drugs and Medical Devices (BfArM), for example in the form of specific guidelines, as an important pillar in overcoming the gap between requirements and reality in matters of data protection and information security. At the same time, further maturation of the manufacturer's application development organization is required and expected. At the same time, with the replacement of the Medical Device Directive (MDD) with the Medical Device Regulation (MDR), information security gains more importance.