
DIGA Compliant Cloud

Developing a digital health application (DiGA) as a cloud-based solution requires special care in planning, because the Digital Health Applications Regulation (DiGAV) sets high requirements for the security and data protection of health and personal data.

by Aaron Rosenthal

To this end, the DiGAV provides questionnaires in Annex 1 and Annex 2, which manufacturers must complete. The aim should be to answer each question with “applicable”. If this is not possible, precise reasons must be given. The effort required to implement and realise the requirements should not be underestimated. In total, the questionnaires contain 124 questions:

  • Annex 1 consists of 77 questions on data protection and data security, plus an additional 9 questions that apply to a DiGA with a very high need for protection.
  • Annex 2 consists of 38 questions on quality and interoperability.

Very high protection requirement

Whether a DiGA has a very high protection requirement must be determined by a protection requirement assessment. For this purpose, the DiGAV refers to BSI Standard 200-2. This standard describes a detailed assessment of the need for protection as well as sample criteria for orientation. One of these example criteria reads:

“The protection of personal data must be guaranteed at all costs. Otherwise, there may be a danger to life and limb or to the personal freedom of the person concerned.” (Source: BSI Standard 200-2)

In the case of a very high protection requirement, the additional 9 questions from DiGAV Annex 1 must be taken into account. Manufacturers must plan for the resulting requirements at an early stage. For a cloud-based solution, the following points are of particular interest:

  • Penetration testing, including all back-end components.
  • Two-factor authentication for at least the initial authentication process.
  • Encryption of personal data on systems that are not at the personal disposal of the person using them.

However, the type of encryption is not specified.

Personal data

The GDPR (DSGVO, Regulation (EU) 2016/679) applies first and foremost to the handling of personal data. In addition, national laws, such as those on information security, sustainability, “lived” data protection and the practical possibility of asserting claims against manufacturers, must also be observed. The DiGAV also requires a granular statement of all locations where personal data are processed, including external systems and vendors. The GDPR and national laws must be observed for all of these locations.

If personal data are processed in the cloud as part of a DiGA, cloud providers must be checked with regard to the GDPR. There is an information paper from the BfArM on this entitled:

“Information on the admissibility of data processing outside Germany in connection with the BfArM review procedure pursuant to Section 139e of the Fifth Book of the German Social Code (SGB V)” Source: BfArM

There, the BfArM provides an assessment and offers concrete answers in an FAQ. According to this, processing of personal data outside the EU solely on the basis of Article 46 GDPR (Standard Contractual Clauses) or Article 47 GDPR (Binding Corporate Rules) is not permissible for a DiGA (cf. § 4 para. 3 DiGAV).

Since the EU-US Privacy Shield Agreement is no longer sufficient for this purpose, the use of service providers from the USA is not permitted. For service providers with a branch in the EU and a parent company in the USA, the use of their services is possible “under certain conditions”. The main requirement is that any flow of personal data to the USA is fully excluded. The responsibility for ensuring this lies with the DiGA manufacturer.

Encryption of personal data with storage of the keys in the EU is mentioned as a possible solution. However, there is no more detailed information on this.

Therefore, DiGA manufacturers are advised to operate within the familiar legal area and, for example, to orient themselves on the BSI IT-Grundschutz and the C5 criteria catalogue for German cloud providers.

Data protection and security

For data security, the DiGAV requires processes such as an information security management system (ISMS) according to ISO 27000 or BSI Standard 200-2, as well as concrete measures. For cloud-based solutions, the following measures are relevant:

  • Encryption of all personal data transferred from the user’s device to external systems, according to the current state of the art. Likewise, the requirement to use TLS, according to Section 8 paragraph 1 sentence 1 of the BSI Act.

  • A DiGA must verify the authenticity of internet services.

  • Session management of users, including automatic invalidation and expiration periods

  • Logging of accesses to personal data, as well as security-relevant events, such as identification or authentication

  • The automated evaluation of logging data to detect and, if possible, proactively prevent security-relevant events

  • Inform DiGA users about updates, e.g. via push messages.

  • Separate storage of health-related data from data required exclusively for service accounting. It is advisable to use two databases for a clear separation.

  • As a measure against Denial of Service (DoS) and Distributed Denial of Service (DDoS), all inputs to publicly accessible services must be checked against defined schemas.
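To make the session-management and logging measures in this list concrete, here is an added example (not code from BAYOOMED or from the DiGAV): a minimal Python session store with idle and absolute expiry, structured audit logging of authentication and data-access events, and an automated evaluation of that log which flags accounts with repeated failed logins. The timeout and threshold values are assumptions chosen for illustration; the DiGAV does not prescribe them.

```python
import json
import logging
import secrets
import time
from collections import Counter

# Policy values are constructed for this example; the DiGAV does not prescribe them.
IDLE_TIMEOUT_S = 15 * 60        # invalidate a session after 15 min without activity
ABSOLUTE_LIFETIME_S = 8 * 3600  # hard expiry regardless of activity
AUTH_FAIL_THRESHOLD = 5         # failed logins per account that raise an alert
log = logging.getLogger("diga.audit")
AUDIT_EVENTS = []  # in-memory copy of the audit trail, read by evaluate_audit()

def audit(event, **fields):
    # Every security-relevant event (authentication, data access, expiry) is one JSON log line.
    record = {"ts": time.time(), "event": event, **fields}
    AUDIT_EVENTS.append(record)
    log.info(json.dumps(record))
    return record

class SessionStore:
    """Server-side session management with idle and absolute expiry."""
    def __init__(self, now=time.time):
        self.now = now         # injectable clock so expiry can be tested deterministically
        self._sessions = {}    # token -> {"user", "created", "last_seen"}

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        t = self.now()
        self._sessions[token] = {"user": user_id, "created": t, "last_seen": t}
        audit("authentication", user=user_id, outcome="success")
        return token

    def validate(self, token):
        # Returns the user of a live session, or None after invalidating a stale one.
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self.now()
        if t - s["last_seen"] > IDLE_TIMEOUT_S or t - s["created"] > ABSOLUTE_LIFETIME_S:
            self.invalidate(token)
            audit("session_expired", user=s["user"])
            return None
        s["last_seen"] = t     # sliding idle window
        return s["user"]

    def invalidate(self, token):
        self._sessions.pop(token, None)

def evaluate_audit(events, threshold=AUTH_FAIL_THRESHOLD):
    """Automated log evaluation: accounts with repeated failed authentications."""
    fails = Counter(e["user"] for e in events
                    if e["event"] == "authentication" and e.get("outcome") == "failure")
    return {user for user, n in fails.items() if n >= threshold}
```

Accesses to personal data are recorded with the same `audit()` call, e.g. `audit("personal_data_access", user=..., record=..., purpose=...)`, so that one log format feeds the evaluation step.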

Further security requirements can be found in the technical guideline BSI TR-03161. The test aspects listed therein are even more detailed than the requirements of the DiGAV, but occasionally contradict them.

In case of doubt, compliance with the requirements formulated in the DiGAV should be sought. The technical guideline BSI TR-03161 refers several times to the BSI guidelines on cryptography, TR-02102-1 and TR-02102-2. If compliance with BSI TR-03161 is sought, this must be planned in good time, because the effects on the system architecture and development of the DiGA should not be underestimated.
