Information Security for Digital Health Applications (DiGA).

What are Digital Health Applications (DiGA)?

Digital health applications are "digital helpers" for patients. They were developed to detect and treat diseases and support a self-determined lifestyle. DiGA are CE-marked medical devices.

DiGA certifications according to various standards

DIN EN ISO 13485 is the standard that describes a quality management system (QMS) for medical devices. An established QMS is the prerequisite for the conformity assessment procedure through which a DiGA becomes a reimbursable medical device.

The establishment of a management system in accordance with ISO/IEC 27001 enables an organization to effectively protect data and information of customers and other parties, to safeguard their rights and interests, and thus to meet legal requirements. With a certified ISMS, the organization demonstrates that it protects the confidentiality, integrity and availability of its assets.

ISO 27799:2016 contains additions to ISO/IEC 27001 that must be observed when introducing an ISMS in the healthcare sector. It is thus aimed at users who handle healthcare data and takes into account the special requirements and environmental conditions in the medical sector.

This standard contains many detailed suggestions for extending the general protective measures from ISO/IEC 27001 and also lists supplementary measures.

Penetration testing, or "pentesting," provides valuable data on the current vulnerability status of systems under realistic conditions. Penetration testing complements an information security management system (ISMS), which is why it is mandatory for digital health applications, for example.

For whom is the special combination of standards relevant?

The combination presented here is relevant for DiGA manufacturers and their contract (software) developers and is made mandatory by the DiGAV.

In order to provide you with more information and solid guidance, our parent company GUTcert has developed a guide and checklist.

What are the advantages of combining DIN EN ISO 13485 + ISO/IEC 27001?

With the Digital Health Care Act (DVG), the Social Code Book V was amended in such a way that a new group of medical devices, the "Digital Health Applications", became reimbursable. The "Verordnung über das Verfahren und die Anforderungen zur Prüfung der Erstattungsfähigkeit digitaler Gesundheitsanwendungen in der gesetzlichen Krankenversicherung" (DiGAV) (Regulation on the procedure and requirements for reviewing the reimbursability of digital health applications in statutory health insurance) specified the requirements for DiGA. Manufacturers of DiGA must provide evidence of certification to the Federal Institute for Drugs and Medical Devices (BfArM) for the following:

  • Information security management systems: ISO/IEC 27001 (from 01.04.2022) and
  • Medical device quality management systems: DIN EN ISO 13485:2021

In addition, according to § 139e SGB V, certificates are required for

  • data security according to BSI specifications (from 01.01.2023) and
  • data protection (from 01.04.2023)

No final procedures have yet been named for certification of data security and data protection. We will post further updates here.

Take advantage of the joint certification by GUTcert and Berlin Cert: With a combined certification procedure, you save additional effort; your personal contact person accompanies you throughout the entire process.

The prerequisite for certification is an established management system according to DIN EN ISO 13485 and ISO/IEC 27001 that also takes into account the supplements according to DIN EN ISO 27799. An internal audit and a management review must have been completed by the stage 2 audit at the latest. It is recommended that both have already been carried out when the application is submitted, so that the new system has undergone an internal audit (by an external auditor if necessary) before the application is submitted.

How does a DiGA certification work?

The total duration of a certification procedure is at least 6 months from application to issuance of the certificate.

There is no separate certification for DIN EN ISO 27799; the special requirements are also checked as part of ISO/IEC 27001.

For a non-binding offer or further questions regarding costs and effort, please do not hesitate to contact us.