In order to be included in the register of reimbursable digital health applications (DiGA), the fast-track procedure at the BfArM must be completed. With the Digital Supply and Care Modernization Act (DVPMG), the corresponding guideline added the requirement that applicant companies must have a penetration test carried out for their DiGA application.
Unofficial translation of the relevant passage of the BfArM guideline:

Penetration tests: With the DVPMG, this requirement was included in the DiGAV for all DiGA. Ensuring the security of the data throughout the entire application process and in all conceivable usage scenarios is an essential requirement for DiGA.

Penetration tests enable the simulation of possible attack patterns and can thus help to uncover security gaps. For the product version for which inclusion in the DiGA directory is requested, a penetration test must have been carried out for all components. These tests are to be repeated as required, e.g. when new interfaces are added. The BSI's implementation concept for penetration tests and the current OWASP Top 10 security risks are to be used as the basis for the pentest design. Upon request, the BfArM must be provided with proof of the execution of the corresponding tests.

Source: https://www.bfarm.de/SharedDocs/Downloads/DE/Medizinprodukte/diga_leitfaden.pdf
(document status as of 18 March 2022)
In principle, the requirements for a DiGA pentest can be summarized as follows:
- based on the BSI's implementation concept for penetration tests
- based on the OWASP Top 10
- covering all components
- to be repeated as required (e.g. when new interfaces are added)
I have already had several discussions with manufacturers of DiGA apps in which they only wanted to have the actual mobile app (i.e. usually the iOS and Android versions) checked. The scope, however, was not supposed to include the underlying API, which implements part of the business functionality, handles user authentication and is intended to serve as the central storage location for health data.
Of course, a “Mobile App” and an “API” are two different things, and the regulation speaks of digital health applications (i.e. mobile apps). However, this interpretation of the regulation does not achieve the goal and is simply wrong. The penetration test is intended to ensure “the security of the data throughout the entire application process”, and it must be carried out for “all components”. This necessarily means that the backend systems and APIs behind the app are also in scope of the penetration test, not just the actual mobile app from the Android or Apple store.