Digital healthcare application (DiGA) providers in Germany now face a fresh challenge. From January 1, 2025, if you’re an organization offering a DiGA to users in the German market, you must meet the updated data security requirements set by the Bundesamt für Sicherheit in der Informationstechnik (BSI).
The updated rules apply to new apps seeking certification as well as the 64 apps that have already been approved by the Federal Institute for Drugs and Medical Devices (BfArM).[1] This mandate was established through the Datenschutzkonferenz (DSK) resolution.
With the compliance requirements, DiGA developers face significant pressure in mobile app security. If you don’t comply, you will not only suffer financial and reputational damage, but your app could also be taken off the market until you achieve compliance. With that in mind, finding a timely solution to meet the enhanced security requirements is a top concern for digital healthcare companies.
Here's a closer look at the steps you can take to secure your app and comply with the regulations.
In 2019, Germany passed the Digital Care Act (DVG), which marked an important milestone in eHealth. It aimed to improve access to app-based care by integrating such apps into mainstream healthcare through the prescription and reimbursement of digital therapeutics. The DiGA designation was created to clearly differentiate certified medical apps from general health and fitness apps.
But the BSI’s new requirements mark a major shift in how DiGAs are evaluated for security. Since 2019, DiGAs were assessed under the "Fast Track" procedure managed by the BfArM. This process allowed you to bring mobile products to market within three months through a streamlined evaluation that included a data security review. The focus was on ensuring that apps met baseline criteria for functionality, safety, and data security.
The process also required apps to demonstrate positive care effects through clinical studies. Depending on the strength of evidence, apps were granted either a 24-month provisional approval (during which time they’d have to produce additional clinical data) or a permanent approval. Approved apps were published in a database that clinicians could search.
For example, for help with insomnia and mental health challenges, a patient could receive a prescription for the relevant app from their provider and insurers could issue the activation code.
While this approach helped in getting digital health innovations to users swiftly, it left some security gaps, especially as cyber threats became more sophisticated.
Today, even if you’ve been certified through the Fast Track procedure, you’re subject to the new regulations and must demonstrate compliance with the new BSI requirements.
The BSI’s new guidelines highlight how important data security is for digital health apps. With the healthcare industry becoming increasingly digitized, a single breach could expose patients' private health information, leading to identity theft or financial fraud. The ripple effect of such a breach can be devastating, not just for the affected individuals but also for the trust that users place in digital health solutions and the organizations behind them.
If your DiGA doesn’t meet these new security standards, the consequences are serious. Non-compliance may result in your app being pulled from the market. But the impact doesn’t stop there. Your company’s reputation can be impacted, especially in an industry where trust is paramount.
It’s also important to consider the long-term impact of this erosion of trust. Healthcare providers rely on these apps to deliver care and manage patient data securely. If your app is perceived as a weak link, it could jeopardize partnerships and your standing in the industry.
While digital health apps have always undergone a security review, the new BSI requirements emphasize data security evaluations for web apps, mobile apps, and backend systems. Since almost two-thirds of DiGA offerings are mobile apps[2], securing these platforms is more critical than ever.
The BSI’s new guidelines emphasize a more rigorous testing process, particularly in areas where apps are vulnerable to cyber attacks. So, instead of a quick security check as part of the broader Fast Track evaluation, your app will now undergo a dedicated and thorough examination focused solely on data security. This will ensure that your app is not just functional but also resilient against cyber threats.
The examination process for mobile apps is divided into eleven test aspects, with each one including recommended, mandatory, and optional factors. To test these, the BSI framework is divided into two main phases: Check and Examine.
Check: The Check phase involves a plausibility assessment of your app’s documentation and security claims by a BSI examiner who audits manufacturer-provided documentation. The examiner ensures your app’s security features are sound on paper.
Examine: During the second phase, each app must undergo extensive penetration testing conducted by a BSI-accredited examiner. They verify that all the security measures you’ve implemented can withstand real-world cyber attacks.
The BSI’s updated guidelines emphasize that data security isn’t just an afterthought—it’s a core requirement that must be integrated into your app’s design and development. By focusing on both the documentation and the practical implementation of security measures, the BSI ensures that only the most secure apps make it to the market.
While your app must pass each of the eleven penetration tests, Test Aspect 11 focuses on a critical area for developers that many may find difficult to solve on their own: app hardening against growing risks like reverse engineering and tampering.
Test Aspect 11 of the BSI's Technical Guideline TR-03161 covers the resilience of mobile health apps and is one of the most critical components of the BSI’s guidelines. This aspect requires DiGAs to implement advanced hardening measures that go beyond standard security features like encryption and authentication.
During the Examine phase of Test Aspect 11, the following app hardening measures must pass the BSI examiner’s penetration testing. The DiGA app must:
Effective app hardening against these threats is complex, and implementing the measures to pass the tests isn’t easy. The process requires specialized knowledge and resources, which many DiGA developers might not have in-house. Ready-to-implement solutions are limited, and even if you develop an in-house solution, keeping up with BSI requirements, emerging threats, and effective app hardening techniques takes time and effort.
Often, the organizations behind these apps rely on software partners to develop them. The reality is that while agency partners can assist with developing an app hardening solution to meet these needs, they quickly propose expensive and lengthy projects for bespoke solutions. These are often untested, and the costs of development and maintenance can quickly add up.
As a result, DiGA teams are left exploring what other options exist for compliance.
The journey to compliance is anything but straightforward, and according to many organizations in the space, several key challenges are making this process even more difficult:
To meet the BSI’s new data security requirements, you need to act quickly and upgrade your app hardening to prevent reverse engineering, tampering and other threats. Manufacturers who meet these stringent requirements are likely to increase trust with physicians and patients and stand out from the competition. Conversely, failure to comply could lead to significant financial and operational setbacks—or take your health app off the market altogether. But the right partner can help you reach your compliance goals quickly and cost-effectively.
Promon SHIELD® offers a proven solution that simplifies the compliance process and ensures your app is ready for the BSI’s rigorous examination. Our team of experienced experts understands the German DiGA market and partners with your team to develop a roadmap that fits your unique needs. Here’s why leading DiGA developers like you are choosing it: