A quick question to start with

How secure are apps on prescription?

19. November 2020

Health care is becoming ever more digital: since the beginning of October, doctors in Germany have been permitted to prescribe certain apps alongside tablets, therapies and prostheses. Tobias Kippert from TÜViT explains what conditions a medical app needs to satisfy before a health insurance provider will be willing to pay for it and how things stand with the security of such applications.

Which apps have been available on prescription since October?

Tobias Kippert: The health insurance companies now accept all those apps that have been included in the “DiGA” directory after scrutiny by the Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte, BfArM). DiGA stands for “digitale Gesundheitsanwendung” (“digital health application”). To date, five apps and web applications have been listed in this DiGA directory. They are aimed at people who are struggling with conditions including tinnitus, insomnia, obesity, panic disorders and osteoarthritis. In principle, any application that can help with mental or physical problems and meets the legal requirements can be included in this directory.

And what are the specific requirements for an app to be recognised as a “digital health application”?

The first requirement is that the application has already been CE-certified as a medical device. The manufacturer must then apply to the Federal Institute for Drugs and Medical Devices (BfArM) for inclusion. On the basis of this self-disclosure and the submitted documents, the BfArM verifies within three months whether the app meets the requirements for security, functionality, data protection, information security, quality and interoperability as set out in the Digital Health Applications Regulation (DiGAV). The manufacturer must also demonstrate “positive therapeutic effects” for the application. In other words, it has to prove that the app is actually medically effective. If it hasn’t yet carried out the required studies but meets all the other requirements, it may also apply for provisional inclusion. The necessary studies must then be submitted within one year. In exceptional cases, this period may be extended.

How are the apps verified for data protection and security?

As with all other requirements, the applicant must provide information on data protection and security by self-declaration in accordance with the DiGA Regulation. This declaration is then reviewed for plausibility by the BfArM. The Federal Institute can in this way rely exclusively on the information provided by the manufacturers and doesn’t carry out its own security and data protection tests. Whether the apps are actually as secure as claimed can’t be conclusively proven. In fact, IT security researchers have already looked more closely at some of these apps and discovered vulnerabilities. For example, they were able to use the “Forgot Password” function to determine whether a specific e-mail address was registered on the platform for patients with anxiety disorders, thereby drawing conclusions about corresponding mental health problems. In addition, the reset code sent to the e-mail addresses in question was only four characters long and was valid for 24 hours. By automatically cycling through a lot of different codes, it would have been possible to change the password and take over the account. The manufacturer says it has since fixed this problem. But such negative reports can, of course, seriously damage public confidence in these digital health applications.
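As an added illustration (not code from the interview, from TÜViT or from any DiGA manufacturer), the following minimal Python password-reset service contrasts the weak parameters described above with a hardened policy: a long random code, a short validity window, a cap on wrong guesses, single use, and a reply that does not reveal whether an address is registered. It assumes the four-character code was hexadecimal; the e-mail address, clock and mail outbox are constructed test values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class ResetPolicy:
    code_bytes: int     # random bytes in the code (hex-encoded: 2 characters per byte)
    ttl_seconds: int    # how long a code stays valid
    max_attempts: int   # wrong guesses tolerated before the code is discarded

# 4 hex characters, valid for 24 hours, effectively no attempt limit (as described)
WEAK = ResetPolicy(code_bytes=2, ttl_seconds=24 * 3600, max_attempts=10**9)
# 64 hex characters, 15-minute window, five attempts: guessing is no longer feasible
HARDENED = ResetPolicy(code_bytes=32, ttl_seconds=15 * 60, max_attempts=5)

def keyspace(policy: ResetPolicy) -> int:
    """Number of possible codes, i.e. the worst-case guess count for a policy."""
    return 256 ** policy.code_bytes

class PasswordResetService:
    def __init__(self, registered_emails, policy: ResetPolicy, now=time.time):
        self.users = set(registered_emails)
        self.policy = policy
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # email -> [code, issued_at, wrong_attempts]
        self.outbox = []          # constructed stand-in for the mail transport

    def request_reset(self, email: str) -> str:
        # Identical reply whether or not the address exists, so the endpoint
        # cannot be used to learn who is registered on a mental-health platform.
        if email in self.users:
            code = secrets.token_hex(self.policy.code_bytes)
            self.pending[email] = [code, self.now(), 0]
            self.outbox.append((email, code))
        return "If this address is registered, a reset link has been sent."

    def redeem(self, email: str, code: str) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False
        stored, issued, attempts = entry
        if self.now() - issued > self.policy.ttl_seconds or attempts >= self.policy.max_attempts:
            del self.pending[email]   # expired or exhausted: a fresh request is required
            return False
        entry[2] += 1
        if hmac.compare_digest(stored, code):   # constant-time comparison
            del self.pending[email]   # single use
            return True
        return False
```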

How can this problem be dealt with?

One possible way would be to ask an independent third party to test them. Ideally, the app would be subjected to a penetration test to detect possible vulnerabilities in data security so that these could be sorted out afterwards. A general review of data security and data protection measures would also be a good idea. Of course, for the start-ups that are so often responsible for developing these apps, such complex tests can be a major financial obstacle. But they can also arrange for the self-declaration they plan to submit to the BfArM to be examined by an independent third party. Since the self-declaration questionnaire is very detailed, it would also be possible on this basis to go through the audit process with the app manufacturer. The expectation is that data security, at the very least, will need to be verified by an ISMS certificate as of January 2022. However, app manufacturers should call in IT security experts now to avert the risk of loss of trust due to potential security vulnerabilities, and they should be well prepared for ISMS certification.

About Tobias Kippert

Tobias Kippert is an IT graduate and product manager for Business Security & Privacy at TÜViT.