BfArM - Federal Institute for Drugs and Medical Devices


DiGA & Data Protection: the 5 most common mistakes applicants make…

... and tips from the responsible BfArM assessor on how to avoid them.

For more than a year now, physicians and psychotherapists have been able to prescribe Digital Health Applications (DiGA). 31 such "health apps" (as of 8 March 2022) are now listed in the BfArM directory: they can provide support in the treatment of depression as well as for diabetes management or smoking cessation. What they all have in common is that they analyse data from those using them in order to do so.

Therefore, anyone using a DiGA must be able to rely on the manufacturers' compliance with legal data protection requirements, careful handling of data, and implementation of reliable measures to protect confidentiality, availability, and integrity. Corresponding stipulations are found in the General Data Protection Regulation (GDPR) and are supplemented by the Digital Health Applications Ordinance (DiGAV).

For inclusion in the DiGA directory, manufacturers have to document that they comply with the data protection requirements. Dr. Armin Grünewald ensures that all these requirements are met. He is a research associate in the BfArM's "DiGA Fast-Track" unit and is responsible for reviewing DiGAs with regard to data protection and data security requirements. In the course of that process, he also tests the apps or web applications: "We look closely at how the application is structured and go through the entire process, from registration to the use of course content," explains the specialist with a PhD in computer science. "We then look at, among other things, the purposes for which the data is processed, whether there is any unauthorised data leakage, and whether the application is also designed to be user-friendly." Reviews are carried out based on a practical checklist of DiGAV requirements drawn up at the BfArM, which also reveals general malfunctions. On occasion, this is met with positive feedback. According to Grünewald, "one manufacturer, for example, thanked us for pointing out that the 'password reset function' was faulty and was able to correct this immediately."

He communicates closely with the manufacturers and knows what implementation depends on. "As part of the assessment process we test the applications in great detail. If we observe deficiencies during this process, the manufacturers will have to make improvements. It is our goal to support the applicants in the best possible manner in order to introduce useful, safe and functional DiGA for patients into the BfArM directory," Grünewald explains.

Based on DiGA review practice and consultations, we have compiled the following list of challenges and shortcomings that, in our experience, are most common when implementing data protection.

#1: You can't do it without consent: agreement by mouse click.

Many applicants are not aware of the fact that personal data may only be processed if consent is obtained in the form of a clear, affirmative action by the data subject. This issue can be solved easily: for example, by using a selection box in which consent to the corresponding use can be given actively by way of a mouse click.
... and, of course, data may only be processed for the purposes specified in Section 4 (2) DiGAV, i.e., for no use beyond the DiGA's own function, and in particular not for advertising purposes.

#2: How, Who, What For: Privacy Policy

Every DiGA must be accompanied by a data protection declaration, which must contain certain information. We evaluate it against a checklist and, unfortunately, often find it to be incomplete.
The following issues must be addressed in every case:

  • Manufacturer and the responsible data protection officer
  • Purpose of the DiGA
  • Data categories processed
  • Manufacturer's handling of this data
  • Right to revoke given consents
  • Possibilities for exercising the rights of the data subject

In addition, the data protection declaration must contain a data deletion policy. This describes, e.g., what happens if someone objects to the use of their data or uninstalls the app: the option of deleting one's own personal data and revoking consent from within the app in an accessible manner must be given.

#3: Data processing in the USA: Not permitted

Strict regulations apply as to where health data and personal data may be processed outside of Germany. Manufacturers are often not aware of this. In particular, data processing in the USA is not permitted according to a ruling by the European Court of Justice, which means that many US software companies and cloud providers cannot be used for these purposes. Here again, there are specifics that need to be observed very closely: for example, if it is intended to use cloud providers whose servers are located in the EU but which belong to a US parent company. In such cases, special regulations apply which are described in the handout on data processing outside Germany.

#4: Protection against data theft: The Information Security Management System

As of 1 April 2022, a new requirement for data security will be applicable: manufacturers are obliged to establish a so-called Information Security Management System (ISMS) by this date and to provide the BfArM with a corresponding certificate - even if the DiGA concerned is already listed in the directory.

The ISMS indicates that methods and processes have been established to permanently ensure and improve information security. This also includes protecting DiGA data - for example, patient health data - from unauthorised access. The system is thus a very important building block that creates additional trust. Manufacturers can find more information on this in the guide "The Fast-Track Process for Digital Health Applications (DiGA) according to Section 139e SGB V".

Penetration testing, which supplements the ISMS, has been mandatory since mid-2021. This obligates manufacturers to test whether it is possible for attackers to penetrate the application and gain access to data. The BfArM requires proof that such tests have been carried out and that any vulnerabilities found have been successfully remedied.
Both of these measures are important. They show patients using DiGA from the BfArM directory: "your data is safe".

#5: Is it really me? Authentication is a must

Last but not least, we unfortunately often find that the apps and web applications themselves are either not protected at all, or that authentication (entering a username and password or a PIN code) takes place only once, after installation. This represents a major security risk: third parties can thus obtain patients' health data simply by picking up their smartphone.
Requiring the password or code to be entered again each time the app is restarted and after 30 minutes of inactivity avoids this risk with little effort.
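The following is an added example, not code from the BfArM or from any DiGA manufacturer. It contrasts the weak pattern described above (authenticate once after installation, never again) with a session lock that requires the PIN again on every app restart and after 30 minutes of inactivity. The PIN is never stored; only a PBKDF2 verifier is kept, and comparison is constant-time. The class names, the 30-minute constant and the attempt limit are assumptions chosen for the example.

```python
# Added example (not BfArM's or a manufacturer's code): re-authentication on
# restart and after 30 minutes of inactivity, beside the weak once-only pattern.
import hashlib
import hmac
import os
from typing import Optional, Tuple

INACTIVITY_LIMIT_SECONDS = 30 * 60  # 30 minutes, as recommended in the text
PBKDF2_ITERATIONS = 100_000         # assumption; tune to the target device


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a verifier for the PIN so the PIN itself is never persisted."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class OnceAfterInstallLock:
    """The weak pattern: one successful PIN entry after installation unlocks forever."""

    def __init__(self) -> None:
        self._unlocked = False

    def unlock(self, pin_is_correct: bool) -> None:
        if pin_is_correct:
            self._unlocked = True

    def can_show_health_data(self, now: float) -> bool:
        # Neither restarts nor idle time ever lock the app again.
        return self._unlocked


class SessionLock:
    """Hardened pattern: lock on every restart and after idle timeout."""

    def __init__(self, salt: bytes, verifier: bytes, max_attempts: int = 5) -> None:
        self._salt = salt
        self._verifier = verifier
        self._max_attempts = max_attempts
        self._failed_attempts = 0
        self._unlocked = False
        self._last_activity = 0.0

    def on_restart(self) -> None:
        """App (re)start always locks, however recently the user was active."""
        self._unlocked = False

    def record_activity(self, now: float) -> None:
        """Call on user interaction so the idle timer measures real inactivity."""
        if self._unlocked:
            self._last_activity = now

    def needs_reauth(self, now: float) -> bool:
        """True if the PIN must be entered before any protected screen is shown."""
        if not self._unlocked:
            return True
        if now - self._last_activity >= INACTIVITY_LIMIT_SECONDS:
            self._unlocked = False  # idle timeout: lock and require the PIN again
            return True
        return False

    def unlock(self, pin: str, now: float) -> bool:
        """Verify the PIN in constant time; stop accepting input after too many failures."""
        if self._failed_attempts >= self._max_attempts:
            return False  # locked out; a real app needs a stronger recovery path here
        _, candidate = hash_pin(pin, self._salt)
        if hmac.compare_digest(candidate, self._verifier):
            self._unlocked = True
            self._failed_attempts = 0
            self._last_activity = now
            return True
        self._failed_attempts += 1
        return False

    def can_show_health_data(self, now: float) -> bool:
        return not self.needs_reauth(now)


def demo() -> dict:
    """Walk both locks through the 'picked-up smartphone' scenario with constructed timestamps."""
    t0 = 1_000_000.0                      # constructed: app started and unlocked
    t_idle = t0 + 45 * 60                 # constructed: phone picked up 45 minutes later
    weak = OnceAfterInstallLock()
    weak.unlock(pin_is_correct=True)
    salt, verifier = hash_pin("4711")     # constructed PIN for the example only
    strong = SessionLock(salt, verifier)
    strong.unlock("4711", t0)
    return {
        "weak_exposes_after_idle": weak.can_show_health_data(t_idle),
        "strong_exposes_after_idle": strong.can_show_health_data(t_idle),
    }


if __name__ == "__main__":
    print(demo())
```

The idle timer starts from the last recorded interaction, not from the unlock, so `record_activity` must be wired to real user input; otherwise an actively used app would lock every 30 minutes. The restart lock is deliberate even when the idle limit has not elapsed, because an OS may keep the process alive in the background far longer than a user expects.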

Conclusion/Outlook:

The security and protection of people's personal data is of great value and is therefore particularly in the BfArM's direct focus - for this reason, the requirements will be raised once again in the future with the introduction of data protection and data security certificates specifically tailored to DiGA. The BfArM is sharing its experiences from nearly two years of DiGA consulting and evaluation of applications in a series of webinars.

Dr. Armin Grünewald

He studied applied computer science with a focus on microsystems technology in Siegen. From 2011 to 2021 he was a research associate at the Chair of Medical Informatics and Microsystem Design at the University of Siegen, where in 2016 he received his PhD in computer science with the thesis "Application-specific technology and test selection for the development of 3D systems".
From 2020 to 2021 he led the "Medic@l XR" team at the University of Siegen, developing VR and AR applications for therapy and for the training of medical personnel. Since October 2021, he has been working as a research associate in the BfArM's "DiGA Fast-Track" unit, responsible for the technical testing of DiGA with regard to data privacy, data security and interoperability.