Engineering a DiGA as a cloud-based solution requires special care during planning, because the Digital Health Applications Ordinance (DiGAV) sets high requirements for the security and protection of health data and other personal data.
For this purpose, the DiGAV provides questionnaires in Annex 1 and Annex 2 that manufacturers must complete. The aim should be to be able to answer every question with “applicable”; where this is not possible, precise reasons must be given. The effort needed to design and implement a system that ultimately meets these requirements should not be underestimated. The questionnaires comprise a total of 124 questions:
- Annex 1 consists of 77 questions on data protection and data security, plus an additional 9 questions that apply to a DiGA with very high protection requirements.
- Annex 2 consists of 38 questions on quality and interoperability.
DiGA – very high protection requirements?
Whether a DiGA has a very high protection requirement must be determined by a protection requirement assessment. The DiGAV refers to BSI Standard 200-2 for this, which describes in detail how protection requirements are determined and gives example criteria for orientation. One of these example criteria reads:
“The protection of personal data must be guaranteed. Otherwise, there may be a risk to life and limb or to the personal freedom of the person concerned.” (Source: BSI Standard 200-2)
If the need for protection is very high, the additional 9 questions from DiGAV Annex 1 must be taken into account, and manufacturers must plan for the resulting requirements at an early stage. The following points are particularly relevant for a cloud-based solution:
- Penetration test, including all backend components
- Two-factor authentication for at least the initial authentication process
- Encryption of personal data on systems that are not at the personal disposal of the user
The DiGAV does not, however, specify the type of encryption.
DiGA – Personal data
The GDPR (Regulation (EU) 2016/679) applies first and foremost to the handling of personal data. National laws must also be observed, for example on information security, sustainability, “lived” data protection and the de facto possibility of asserting claims against manufacturers. The DiGAV additionally requires a granular presentation of all locations where personal data is processed, including external systems and providers; the GDPR and national laws must be observed at every one of these locations.
If personal data is processed in the cloud as part of a DiGA, the cloud providers must be checked against the GDPR. The BfArM has published an information paper entitled:
“Information on the permissibility of data processing outside Germany in connection with the BfArM review procedure pursuant to Section 139e Fifth Book of the German Social Code (SGB V)” (Source: BfArM)
The BfArM provides an assessment there and gives specific answers in an FAQ. Accordingly, a DiGA is not permitted to process personal data outside the EU solely on the basis of Article 46 GDPR (standard contractual clauses) or Article 47 GDPR (binding corporate rules) (see Section 4 (3) DiGAV).
Since the EU-US Privacy Shield agreement is no longer sufficient for this, using service providers from the USA is not permitted. For service providers with a branch in the EU and a parent company in the USA, using their services is possible “under certain conditions”; the main requirement is that any flow of personal data to the USA is completely excluded. Responsibility for ensuring this lies with the DiGA manufacturer.
Encryption of personal data, with the keys stored in the EU, is mentioned as a possible solution, but no more detailed information is given on this.
DiGA manufacturers are therefore advised to stay within the familiar legal framework and, for example, to follow the BSI IT-Grundschutz and C5 guidelines for German cloud providers.
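One way to realize the "keys stored in the EU" approach mentioned above (personal data encrypted on systems outside the user's control, with the key that unlocks it held only in the EU) is envelope encryption: each record is encrypted under its own data key (DEK), and that DEK is wrapped under a key-encryption key (KEK) that never leaves an EU-hosted key store. The Go block below is an added illustration, not code from BfArM, the DiGAV or any DiGA project; the `Record` layout, the choice of AES-256-GCM, the use of the record ID as associated data and the KEK being a plain byte slice standing in for a key store are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is all the storage provider holds: data under a per-record DEK, DEK wrapped under the KEK.
type Record struct{ WrappedDEK, Ciphertext []byte }

// must panics on errors impossible with valid keys and a working crypto/rand.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcm builds an AES-256-GCM AEAD for a 32-byte key.
func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal prefixes a random nonce; aad binds the blob to its record ID.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("blob too short")
}

// Encrypt: data under a fresh DEK, DEK under the KEK; only the Record leaves the EU side.
func Encrypt(kek, recordID, data []byte) Record {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return Record{WrappedDEK: seal(kek, dek, recordID), Ciphertext: seal(dek, data, recordID)}
}

// Decrypt: without the KEK (or with the wrong record ID) there is no plaintext, only an auth error.
func Decrypt(kek, recordID []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, recordID)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, recordID)
}
```

A copy of a stored Record that leaves the EU carries only ciphertext and a wrapped key, so without access to the KEK it cannot be decrypted; wrapping the DEK also lets the KEK be rotated by re-wrapping DEKs instead of re-encrypting every record.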
Data protection and security
For data security, the DiGAV requires processes such as an information security management system (ISMS) in accordance with ISO 27000 or BSI Standard 200-2, as well as specific measures. The following measures are of interest for cloud-based solutions:
Further security requirements can be found in the technical guideline BSI TR-03161. The test aspects listed there are even more detailed than the requirements of the DiGAV, but in some cases contradict them.
In case of doubt, fulfilling the requirements formulated in the DiGAV should take priority. BSI TR-03161 refers several times to the cryptography guidelines BSI TR-02102-1 and BSI TR-02102-2. If the aim is also to fulfill the requirements of BSI TR-03161, this must be planned in good time, since the impact on the system architecture and development of the DiGA should not be underestimated.