Digital health applications - A special case for data protection

CONTENT

• What are digital health applications?
• Why do we need digital health apps?
• What do manufacturers have to do to get DiGA approval?
• How can DiGA digital security be ensured?
• What healthcare data is worth protecting?
• What is an information security management system?
• ISO 27001: The benchmark for information security
• A specialcase for data protection
• ISO 27701: Expansion to include a data protection management system
• Compliance with the standard as a basis fo sets the course for inclusion in the DiGA directory
• DQS: Simply leveraging Quality.

What are digital health applications?

Digital health applications are digital medical devices that help in the diagnosis and therapy of diseases. In addition, they are intended to support the path to a self-determined, health-promoting lifestyle. They are therefore "digital helpers" in the hands of patients - the "app on prescription".

The European Medical Device Regulation (MDR) classifies DiGA as medical devices of risk class I or IIa and subjects them to the strict regulations of the "Digital Health Applications Regulation" (DiGAV). Only applications that fully comply with these regulations are included in the DiGA directory of the German Federal Institute for Drugs and Medical Devices (BfArM).

What makes a digital health application?

The BfArM has defined the following characteristics that a medical device must meet in order to be recognized as a DiGA:

• Medical device of risk class I or IIa.
• Main function is based on digital technologies
• The main digital function has a clear medical purpose (i.e., it is not only used to read out or control a device)
• Supports the detection, monitoring, treatment or mitigation of disease or the detection treatment, mitigation or compensation of injury or disability
• Does not serve as a preventive primary care device
• Is used by the patient or jointly with the health care provider, i.e., not exclusively by the physician (again, this would fall under "office equipment")

What is the legal basis for DiGA?

Digital health applications were made possible by the enactment of the Digital Health Care Act (DVG) on Dec. 19, 2019. Since then, people with statutory health insurance have been entitled to receive DiGA - colloquially referred to as "app on prescription".

The details on the application process, requirements and the design of a DiGA directory - i.e. the formulated legal basis for digital health apps - were regulated in the DiGAV of April 8, 2020.

Why do we need digital health applications?

With demographic change, the need for healthcare services will increase significantly in the coming decades. And this demand will lead to major challenges for general healthcare in view of the shortage of doctors and nurses that is already prevalent today. Digitization has the potential to relieve the burden on the healthcare system in the long term, and digital health applications can contribute significantly to this. At the same time, requirements for data protection and information security must be effectively taken into account.

Looking at the requirements for DiGA, however, it quickly becomes clear that they should not be examined in isolation. They are always just one component in the totality of digitally supported healthcare. Electronic health cards, electronic patient files, e-prescriptions - the digitization of the healthcare sector is already in full swing and is being driven forward step by step in order to set the course for up-to-date and sustainable healthcare.

What do manufacturers have to do to obtain DiGA approval?

Since highly sensitive patient data is usually processed in the medical field, the effort required to obtain approval for a digital health application is high. Applicants must meet and document a wide range of requirements. These include:

• Positive health care impact
• Information security
• Data privacy
• Interoperability
• Other quality requirements (robustness, consumer protection, user-friendliness, support for service providers, quality of medical content, patient safety)

How can DiGA digital security be ensured?

Today, the (further) development of digital applications usually follows agile and dynamic principles to keep release cycles as short as possible. In this environment, digital security cannot be ensured in the course of a one-time validation of technical measures. Security is a continuous process that must be deeply embedded in the enterprise.

Digital health applications and data protection: What data is worth protecting in healthcare?

When gathering an organization's data worth protecting, the initial focus is usually on sensitive, personally identifiable information, or so the German Patient Data Protection Act requires. In fact, however, all information that is of value to a company and must not fall into unauthorized hands is worthy of protection. In addition to the data regulated by the GDPR, this also includes strategic roadmaps and program code developed in-house.

What is an information security management system?

Since the security of a DiGA cannot be ensured by a one-time check, manufacturers must approach the topic of information security strategically and systematically. A crucial step in this process is the implementation of an information security management system (ISMS), such as that described in the international standard ISO 27001. This defines binding requirements for ensuring, managing, controlling and continuously improving information security.

The DiGAV addresses the issue of "security as a process" in Annex 1 and requires manufacturers to embed a series of processes in terms of an ISMS. These include, for example:

• Assessment of protection needs, which determine the protection needs of data, applications or systems and reassess them after each significant change
• Strategic release, change and configuration management processes that help align agile development environments with formalized MDR processes
• Inventories of all third-party products used, as well as appropriate processes to ensure that security-related information on third-party components is available in a timely manner.

As of January 1, 2022, implementation of a complete ISMS will become a fundamental requirement for inclusion in the DiGA directory. As a result, DiGA manufacturers will in future be required to demonstrate an ISMS in accordance with the ISO 27000 series, including a certificate.

ISO 27001: The benchmark for information security

The internationally recognized ISO 27001 standard forms the optimal basis for effectively implementing a holistic security strategy in the sense of a structured ISMS. The structure and approach follow the model of the so-called High Level Structure (HLS), the common basic structure for management systems.

The HLS provides the binding basic structure for all process-oriented management system standards and enables the seamless integration of the standards requirements into the existing management system - and thus into the company's general business processes.

Certified information security according to ISO 27001

Protect your information with a management system according to an international standard ★ DQS offers more than 35 years of experience in certification ★.

The certification of an ISMS according to ISO 27001 is carried out in accordance with an accredited procedure. As such, it is considered proof that a successful management system and appropriate measures have been implemented to systematically protect information assets. In addition, the certificate includes a commitment to continuous improvement of the system.

Digital health applications: A special case for data protection

Since patient data is extremely sensitive, users of digital health applications must be able to rely on legal requirements regarding data protection being observed at all times. For this purpose, the DiGAV specifies the legal requirements from the DSGVO and the German Federal Data Protection Act (BDSG). They apply both to the manufacturer itself and to all connected systems, including order processors such as cloud providers. Within the scope of a DiGA, personal data may only be collected after consent has been given and exclusively for the following purposes:

1. For the intended use of the DiGA by users.
2. To provide evidence of positive supply effects in the context of DiGA testing
3. To provide evidence for the purpose of performance-based pricing by the German National Association of Health Insurance Funds in accordance with Section 134 (1) Sentence 3 of the German Social Code, Book 5.
4. To permanently guarantee the technical functionality, user-friendliness and further development of the DiGA.

Consent for the first three purposes can be given jointly, but must be obtained separately for the fourth purpose. Data processing for all other purposes (especially for advertising purposes) is excluded. In addition, data processing may only take place in Germany, the EU, or a country that is deemed equivalent according to German law (for example, Switzerland). Processing in a third country would require an adequacy decision with meaningful justification.

Annex 1 of the DiGAV contains a checklist with 40 statements that consider both the technical implementation and the organization of the manufacturer and its processes. These are very concrete requirements for a listing in the DiGA directory.

Addendum: The GDPR generally permits data processing of personal data within the EU. Processing outside the EU in a so-called third country is permitted, provided that a comparable level of protection exists in the third country (adequacy decision under Article 45 GDPR). Behind this link you will find the list of countries with which an adequacy agreement exists.

ISO 27701: Expansion to include a data protection management system

Since data protection, similar to information security, cannot be monitored selectively, the ISO 27701 standard was published in August 2019. It is considered a so-called "sector-specific supplement" to ISO 27001 and thus requires the existence of a corresponding ISMS. However, ISO 27701 supplements the ISMS with in-depth data protection criteria and expands the requirements for the Privacy Information Management System (PIMS).

In addition, the standard provides concrete best practices for implementing applicable data protection requirements - regardless of whether they are the European GDPR or other regional regulations.

The integration of ISO 27701 explicitly does not automatically ensure compliance with GDPR or the German DSGVO. However, due to its largely congruent orientation, it provides a good starting point for successful implementation of the regulations and makes it easy for responsible parties to reliably protect and process personal data and demonstrate compliance with legal requirements.

Another benefit that comes with implementing the data protection standard is the designation of clear responsibilities in the area of data protection: responsibilities are not divided among colleagues according to workload, as is widely popular, but follow clearly defined rules with dedicated contacts - the data protection officers.

In addition, the introduction of ISO 27701 calls for a risk-oriented approach to data privacy. Risks and their probability of occurrence must therefore be defined and evaluated holistically in order to be able to assess the level of potential damage from the outset and keep it as low as possible.

Compliance with the standard sets the course for inclusion in the DiGA directory

The hurdles for inclusion in the DiGA directory by the German BfArM are high for good reasons. Information security and data protection must be guaranteed at all times despite the highly dynamic nature of the digital world. The structured and systematic approach of ISO 27001 and ISO 27701 provides companies with the optimal basis for managing data of any kind in a secure and compliant manner.

Control and regulatory bodies also assess the conscientious implementation and certification of ISMS and PIMS as a sign of a deeper engagement with robust and sustainable protection mechanisms - this can have a positive impact on possible sanctions in the event of damage.

In short, even if ISO 27001 and ISO 27701 certification itself does not guarantee inclusion in the DiGA directory, the corresponding management systems cover the checklists of the DiGA regulation to a large extent. They therefore provide an optimal starting point for setting the course for successful inclusion in the directory.

DQS: Simply leveraging Quality.

Information security and data protection are complex topics that go far beyond IT security. They encompass technical, organizational and infrastructural aspects and touch on requirements of the law. An information security management system (ISMS) according to ISO/IEC 27001, supplemented by a privacy information management system (PIMS) according to ISO/IEC 27701, is suitable for effective protective measures.

DQS is your specialist for audits and certifications of management systems and processes. With more than 35 years of experience and the know-how of 2,500 auditors worldwide, we are your competent certification partner and provide answers to all questions regarding data protection and information security.

Trust and expertise

Note: Our texts and brochures are written exclusively by our standards experts or auditors with many years of experience. If you have any questions about the text content or our services to our author, please feel free to contact us.