The certification of an ISMS according to ISO 27001 is carried out in accordance with an accredited procedure. As such, it is considered proof that a successful management system and appropriate measures have been implemented to systematically protect information assets. In addition, the certificate includes a commitment to continuous improvement of the system.
Digital health applications: A special case for data protection
Since patient data is extremely sensitive, users of digital health applications must be able to rely on the legal data protection requirements being observed at all times. For this purpose, the DiGAV specifies the legal requirements from the GDPR (DSGVO) and the German Federal Data Protection Act (BDSG). They apply both to the manufacturer itself and to all connected systems, including processors (Auftragsverarbeiter) such as cloud providers. Within the scope of a DiGA, personal data may only be collected after consent has been given, and exclusively for the following purposes:
- For the intended use of the DiGA by users.
- To provide evidence of positive supply effects in the context of DiGA testing.
- To provide evidence for the purpose of performance-based pricing by the German National Association of Health Insurance Funds in accordance with Section 134 (1) Sentence 3 of the German Social Code, Book 5.
- To permanently guarantee the technical functionality, user-friendliness and further development of the DiGA.
Consent for the first three purposes can be given jointly, but must be obtained separately for the fourth purpose. Data processing for all other purposes (especially for advertising purposes) is excluded. In addition, data processing may only take place in Germany, the EU, or a country that is deemed equivalent according to German law (for example, Switzerland). Processing in a third country would require an adequacy decision with meaningful justification.
Annex 1 of the DiGAV contains a checklist with 40 statements that consider both the technical implementation and the organization of the manufacturer and its processes. These are very concrete requirements for a listing in the DiGA directory.
Addendum: The GDPR generally permits the processing of personal data within the EU. Processing outside the EU in a so-called third country is permitted, provided that a comparable level of protection exists in that country (adequacy decision under Article 45 GDPR). The list of countries for which an adequacy decision exists is published by the European Commission.
ISO 27701: Expansion to include a data protection management system
Since data protection, like information security, cannot be ensured through isolated, one-off measures, the ISO 27701 standard was published in August 2019. It is considered a so-called "sector-specific supplement" to ISO 27001 and therefore requires the existence of a corresponding ISMS. Building on that ISMS, ISO 27701 adds in-depth data protection criteria and extends its requirements into a Privacy Information Management System (PIMS).