Digital health applications (DiGA) will soon require certificates for data security and data protection. However, the original deadlines for this were set somewhat too optimistically, which is why they have now been postponed to the future by the Hospital Nursing Relief Act (KHPflEG).
Following repeated problems with the handling of personal data in some DiGAs in the past, manufacturers will have to have their applications checked more closely in future in order to obtain the relevant certificates.
When does the certification obligation apply?
The new certification deadlines for DiGA are as follows:
- Data protection certificate (GDPR): 08/01/2024
- Data security certificate (BSI): 01/01/2025
(As of 09/10/2024)
This means that DiGAs that are already listed must acquire corresponding certificates in order to remain in the BfArM’s DiGA directory. For newly developed DiGAs, the certificates apply as an admission criterion. At least that’s what the law says (Section 139e (10) SGB V and Section 139e (11) SGB V) – but the BfArM is still working on corresponding certification procedures.
How do I get the DiGA certificate for data security?
The basis for the data security certificate will (presumably) be the technical guideline TR-03161 of the German Federal Office for Information Security (BSI).
The data security certificates themselves are to be issued by the BSI, but the underlying testing will presumably be carried out by external testing bodies that are recognized by the BSI. The list of bodies authorized to carry out a test in accordance with TR-03161 can be found here. As of today (September 10, 2024), 3 inspection bodies are listed there:
- secuvera GmbH
- TÜV Informationstechnik GmbH
- PwC PricewaterhouseCoopers GmbH WPG
Note: Discussions about TR-03161 are still ongoing. Recently, for example, the obligation of 2-factor authentication and the restriction of biometric authentication methods have been discussed in gematik’s regular consultation hours. However, it can be assumed that most of the criteria of the current TR-03161 will also have to be implemented for the final data security certification.
How do I obtain the DiGA certificate for data protection?
The data protection certificate is a certification in accordance with Article 42 GDPR. The underlying test is to be carried out on the basis of test criteria published by the BfArM a few months ago: DiGA and DiPA data protection criteria
According to the GDPR, corresponding certificates can be issued by the supervisory authorities themselves or by accredited bodies . In practice, however, the picture is different.
The Bavarian State Office for Data Protection Supervision (BayLDA), for example, “due to a lack of human resources” carry out any certifications itself. Instead, reference is made to the organizations accredited by the DAkkS (German Accreditation Body), which do not appear to exist at present (source: BayLDA – Certification). (As of 09/10/2024)
Open questions
Unfortunately, many of the questions that currently concern DiGA manufacturers cannot yet be answered. These include, among others:
- Who can carry out the relevant tests required for certification?
- How long do the certification procedures take?
- How much do the certifications cost?
- etc.
The central information with which DiGA manufacturers can fulfill the legal requirements is therefore still missing.
Preparation for certification
Unfortunately, the questions regarding the soon to be mandatory certificates have not yet all been conclusively clarified. But one thing can already be said today: The TR-03161 for the implementation of data security standards and the test criteria for data protection of the BfArM are already available. There are a few stumbling blocks, especially in the technical implementation, which can cost DiGA manufacturers certification. If you are planning to develop a DiGA or medical app, please get in touch with us. We develop your software and implement all relevant regulatory requirements.
If you are planning to implement a DiGA, the following articles may also be helpful: