Information Security for Digital Health Applications
What are Digital Health Applications (DiGA)?
Digital Health Applications are “digital assistants” for patients. They are designed to help detect and treat diseases and support a more independent and self-determined way of living. DiGA are medical devices with CE marking.
Certification of Information Security for DiGA
DIN EN ISO 13485 is the standard that defines a quality management system (QMS) for medical devices. An established QMS is a prerequisite for a conformity assessment procedure, which is required for a DiGA to become a reimbursable medical device.
ISO/IEC 27001
The implementation of a management system according to ISO/IEC 27001 enables an organization to effectively protect data and information of customers and other parties, safeguard their rights and interests, and comply with legal requirements. With a certified ISMS, the organization demonstrates that it protects the confidentiality, integrity, and availability of its assets.
ISO 27799:2016 includes additions to ISO/IEC 27001 that must be considered when implementing an ISMS in the healthcare sector. It is aimed at users handling health data and takes into account the specific requirements and environmental conditions of the medical field. This standard provides many detailed recommendations for extending the general protective measures from ISO/IEC 27001 and also lists additional measures.
There is no separate certification for DIN EN ISO 27799; the specific requirements are assessed within the scope of ISO/IEC 27001.
Penetration testing provides valuable data on the vulnerability status of systems under real-world conditions. Penetration tests are a strong complement to an Information Security Management System (ISMS) and are mandatory for digital health applications.
Prerequisites / Requirements for DiGA Certification
A prerequisite for certification is an established management system according to DIN EN ISO 13485 and ISO/IEC 27001, which also takes into account the additions from DIN EN ISO 27799. An internal audit and a management review must be completed no later than the Stage 2 audit. It is recommended to have already conducted an internal audit and management review at the time of application so that the new system has undergone an internal assessment (optionally by an external auditor) before submission.
Please note that there are additional requirements that must be met to classify your health application as a DiGA.
The combination of standards presented here is relevant for manufacturers of DiGA and their contract software developers and is mandatory under the DiGAV.
To provide you with more information and solid guidance, our parent company GUTcert has developed a guide and a checklist.
With the Digital Healthcare Act (DVG), the Social Code Book V was amended to make a new group of medical devices, the “Digital Health Applications” (DiGA), eligible for reimbursement. The “Regulation on the Procedure and Requirements for Assessing the Reimbursability of Digital Health Applications in Statutory Health Insurance” (DiGAV) specifies the requirements for DiGA.
Manufacturers of DiGA must demonstrate certification to the Federal Institute for Drugs and Medical Devices (BfArM) for:
Information Security Management Systems: ISO/IEC 27001 (from 01.04.2022)
Medical Device Quality Management Systems: DIN EN ISO 13485:2021
Additionally, according to § 139e SGB V, certificates are required for:
Data security according to BSI requirements (from 01.01.2023)
Data protection (from 01.04.2023)
No final procedures for data security and data protection certification have been defined yet; we will provide updates here as they become available.
Take advantage of the joint certification through GUTcert and Berlin Cert: With a combined certification process, you save additional effort, and your personal contact will guide you through the entire process.