Apps on prescription – are they a good idea, and are they secure?

26 April 2023

For a good two-and-a-half years now, physicians and therapists have been allowed to prescribe special apps or browser-based applications. How do the users find these digital therapeutic aids? And what has changed in the data protection and data security requirements? It’s time to take stock.


Digitalisation is on an unstoppable onward march – and the health sector is no exception. A survey carried out by the consumer organisations has revealed that, since the coronavirus pandemic, about 40 percent of patients have been making greater use of the digital options available to them. They are using the Internet in particular to arrange online appointments or find physicians. But the demand for digital health applications (abbreviated to DiGA in German) is growing too: Consultancy firm McKinsey estimates that some 125,000 medical apps or browser applications have been prescribed since 2022. While this may still be a modest number, it does represent a major increase of 177 percent over 2021, when 62,000 apps and browser-based applications were prescribed.

Some of these apps offer support in the treatment of claustrophobia, panic attacks and social phobias. Others are designed to improve quality of life for people who suffer, for example, from chronic obstructive pulmonary disease (COPD). Still others aim to combat back pain through a combination of exercises, relaxation techniques and background knowledge. And the range of products on offer is increasing: The DiGA directory of the Federal Institute for Drugs and Medical Devices (BfArM) currently lists about 45 digital health applications. It features all the digital therapeutic aids which have been tested and – in some cases provisionally – licensed in Germany. Our infobox explains how you can get an app on prescription.


Acceptance of digital therapeutic aids is growing

As a survey carried out on behalf of AOK reveals, patients have largely welcomed these new digital possibilities. 58 percent of the respondents see DiGA as being a meaningful complement to their therapy. And 40 percent say that these products have helped them manage their illnesses more effectively.

A study carried out by the Stiftung Gesundheit foundation reveals that confidence in digital therapeutic aids is also growing among physicians, as is their readiness to prescribe apps. And yet, almost 80 percent of the doctors surveyed still see obstacles to the easy deployment of such apps: On the one hand, they doubt their effectiveness; on the other, some complain that the costs are too high. However, more than 60 percent of doctors are primarily concerned with privacy considerations.

Requirements increasing on data protection and IT security

Medical apps first need to go through an appropriate approvals process overseen by the BfArM and generally have to satisfy stricter requirements than freely available apps. For instance, access is restricted to the patient and the doctor treating them and requires consent to be granted in advance, explains Tobias Mielke from TÜViT. The requirements on the providers have increased in recent years: All they originally had to do was to submit a self-disclosure with information on the privacy and data security aspects of their digital application. Based on this self-disclosure and the submitted documents, the BfArM verifies within three months whether the app meets the requirements for security, functionality, data protection, information security, quality and interoperability.

Now, the apps also have to undergo a penetration test: a simulated hacker attack carried out under laboratory conditions. “The aim is to find vulnerabilities in the mobile application which then need to be fixed,” says Tobias Mielke. Starting this year, the providers must also present a certificate to demonstrate that their apps have an effective information management system.


Tobias Mielke doubles as an appraiser and auditor for data protection and as an expert in management systems for information security and data protection at TÜViT.

Prescription only after certification

Over the next few years, the requirements on the producers will become more rigorous. As of August 2024, all the apps in the DiGA directory will have to prove through presentation of a certificate that they satisfy the data protection requirements; in other words, they will have to pass a test set by independent third parties. From the beginning of 2025, the same will apply to data security. Mielke and his colleagues investigate apps, for instance, to determine whether IT security is a defined part of the software development. If a provider cannot present evidence of certification on a random sampling date, their app will no longer be eligible for prescription.

Technical developments do not stand still, of course – either for app developers or for hackers. This is why Tobias Mielke and his team carry out a monitoring audit once a year in the context of data protection certification. “If an app has undergone bigger technical changes, then further monitoring will be required,” Mielke says. Such tests are never completed once and for all. “This is an ongoing process. After all, features are constantly being added to these apps to ensure that they carry on offering long-term added value to the patients. And these features must of course also be implemented securely.”

Health apps are up and coming. The requirements for data privacy and IT security are also increasing.

No mandatory testing for freely available health apps

These kinds of testing obligations and strict privacy requirements do not however apply to freely available apps. “Some of them are real data collectors, for instance,” says Mielke, “and in many cases they don’t need the data to do what they’re supposed to do.” Not only that, but it is not clear to the users how their data are stored and whether they are processed further or even sold on. Every user should be aware that personal data are a very hard currency. “Especially when it comes to health data like blood pressure, weight, physical fitness, sleep patterns or current medication plans.”

Wearables such as smart watches also collect, store or transmit these data. How they do it and where the data go is usually not fully apparent. There is no mandatory testing for these applications either, says Tobias Mielke. “Here it would at least be good to have a self-disclosure from the manufacturers akin to the DiGA. Even better would be a test conducted by independent third parties with the aim of safeguarding data protection and security in the best possible way.”

How can you get an app on prescription?

The DiGA directory of the Federal Institute for Drugs and Medical Devices offers an overview of all licensed and prescribable apps and browser applications. If you discover an application which is relevant to your own medical problem, you can talk about it with your GP or therapist. You then submit the prescription to your medical insurer, who will in turn send you a release code for the DiGA. If the diagnosis fits, the insurer can also pay for the DiGA directly without any need to go down the “prescription” route. You can find out more from your own medical insurance provider.