
Digital health applications (DiGA) in Germany face new data security requirements in 2025

By Sven Klüver August 20, 2024 09:39 am

Learn more about Germany's new data security requirements for digital health apps and how to achieve compliance.

Digital health applications, or DiGA for short, have become an integral part of Germany's healthcare landscape since the Digital Care Act (DVG) was passed in 2019. The law enables physicians to prescribe certified medical apps and web applications to patients, with costs covered by statutory health insurance. These DiGAs have gained traction, with 64 apps receiving provisional or permanent approval from the Federal Institute for Drugs and Medical Devices (BfArM) as of August 2024.

However, a new hurdle looms on the horizon for DiGA providers. Starting January 1, 2025, all new and existing DiGA will be subject to heightened data security requirements introduced by the Federal Office for Information Security (BSI). This mandate, outlined in a resolution by Germany's data protection conference (Datenschutzkonferenz or DSK), presents both challenges and opportunities for the burgeoning DiGA market. This article explores the implications of this change for DiGA manufacturers.

Want to speak to an expert about app shielding and BSI compliance? Contact us for a no-obligation discussion and app assessment.

The rise of DiGA in German healthcare

The DVG law marked a pivotal moment in Germany's eHealth journey. By enabling the prescription and reimbursement of digital therapeutics, it sought to make app-based care more accessible and integrated into mainstream medicine. The DiGA designation was introduced to distinguish these certified medical tools from the plethora of general health and fitness apps available in app stores.

To be recognized as a DiGA and qualify for insurance coverage, an application must undergo an examination process with BfArM. This "fast-track" procedure, lasting up to three months, verifies product properties like data protection, functionality, user-friendliness, and interoperability. Crucially, it also requires manufacturers to provide evidence of positive care effects through comparative clinical studies.

Depending on the strength of evidence, a DiGA may receive permanent or provisional approval. Those in the latter category have 24 months to bolster their case for enduring inclusion in the official DiGA directory. If an app aces this test, it gets the DiGA seal of approval and a spot in BfArM's official app directory. Doctors and patients can browse the directory to find trustworthy apps for all sorts of health concerns, from mental health conditions like depression and anxiety to chronic diseases like diabetes and multiple sclerosis.

How do patients access DiGA?

Unlike ordinary health apps, patients cannot simply download a DiGA and bill their insurer. Instead, they must obtain a prescription from a physician or psychotherapist, or submit a reimbursement request to their insurance provider.

Upon confirming the patient's eligibility, the insurer issues an activation code granting access to the prescribed DiGA. This approach ensures that patients can utilize the app at no upfront cost, reinforcing the notion of DiGA as medical tools integrated into the fabric of German healthcare.

New data security mandate from the BSI

While BfArM's fast-track procedure already considers data security, as of 2025 this aspect will be assessed separately according to BSI specifications. The BSI has issued technical guidelines covering mobile apps, web applications, and backend systems.

Given that mobile applications constitute approximately 67% of DiGA offerings, these requirements are particularly relevant for most manufacturers. The examination of mobile applications is divided into eleven test aspects, each with mandatory, recommended, and optional requirements.

The testing process involves two main steps:

  1. Check: BSI-accredited examiners assess the plausibility of manufacturer-provided information by auditing and evaluating documentation.
  2. Examine: In addition to plausibility checks, examiners conduct penetration tests to verify the effectiveness of security measures.

The BSI guideline outlines the specific testing steps required for an accredited examiner to issue a certificate. While all criteria must be met, test aspect 11, focusing on app hardening against reverse engineering and tampering, presents a unique challenge for manufacturers.

The app hardening imperative

Test Aspect 11 of the BSI's Technical Guideline TR-03161 presents a significant challenge for DiGA developers. It mandates that mobile health applications implement advanced hardening measures to protect against platform-specific threats, particularly reverse engineering and runtime manipulation. These requirements go well beyond standard security features like encryption, authentication, or secure client-server communication.

The following app hardening measures must pass the penetration test by a BSI examiner:

  1. The DiGA app detects manipulation of the operating system (e.g. root/jailbreak) and responds appropriately.
  2. The DiGA app detects and prevents startup in a debug/development environment.
  3. The DiGA app detects startup with unusual user rights.
  4. The DiGA app runs in a secure runtime environment, checking device integrity for signs of a compromised operating system, custom firmware, or hooking frameworks.
  5. The DiGA app protects against man-in-the-middle attacks and resists attempts to bypass server authentication (e.g. by circumventing certificate pinning).
  6. The DiGA app performs an integrity check at every program start and during sensitive operations.
  7. The DiGA app code is strongly obfuscated, including all strings, file names, classes, and methods that could provide hints about the program flow.

Implementing such measures often requires specialized expertise beyond the typical purview of app developers. Suitable off-the-shelf solutions are scarce, and the hardening tools and techniques are themselves constantly evolving. This leaves manufacturers with the daunting challenge of keeping pace with both BSI requirements and the state-of-the-art in application shielding.
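To make the list above concrete from the developer's side, here is an added example (not code from the original article, from the BSI, or from any vendor) showing how a few of these controls look in a plain Android app: a startup self-check for debuggable builds and attached debuggers (item 2), a signing-certificate integrity check (item 6), and an HTTP client with certificate pinning via OkHttp (item 5). The hostname, the SPKI pins, and the expected signing-certificate hash are placeholders to be replaced with the app's own values; the `StartupCheck` and `runStartupChecks` names are this example's own.

```kotlin
// Added example: illustrative Android startup self-checks for items 2, 5 and 6 of the
// BSI hardening list above. Not the article's, the BSI's or any vendor's code.
// All hostnames and hashes below are placeholders (assumptions), not real values.
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.os.Build
import android.os.Debug
import android.util.Base64
import java.security.MessageDigest
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

// PLACEHOLDER: Base64 SHA-256 of the release signing certificate, recorded at build time.
private const val EXPECTED_SIGNER_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256_BASE64"
// PLACEHOLDER: backend host and SPKI pins; a backup pin keeps the app working after key rotation.
private const val API_HOST = "api.example-diga.invalid"
private const val PRIMARY_PIN = "sha256/REPLACE_WITH_SPKI_HASH_BASE64="
private const val BACKUP_PIN = "sha256/REPLACE_WITH_BACKUP_SPKI_HASH_BASE64="

/** One failed startup condition; the caller decides how to respond (item 1's "responds appropriately"). */
sealed class StartupCheck(val name: String) {
    object DebugBuild : StartupCheck("debuggable build")
    object DebuggerAttached : StartupCheck("debugger attached")
    object SignerMismatch : StartupCheck("signing certificate mismatch")
}

/** Returns the failed checks; an empty list means the app may continue. */
fun runStartupChecks(context: Context): List<StartupCheck> {
    val failures = mutableListOf<StartupCheck>()

    // Item 2: refuse to run as a debuggable build or with a debugger attached.
    val debuggable = (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
    if (debuggable) failures += StartupCheck.DebugBuild
    if (Debug.isDebuggerConnected() || Debug.waitingForDebugger()) {
        failures += StartupCheck.DebuggerAttached
    }

    // Item 6: compare the installed APK's signing certificate with the value baked in at build time.
    // A null (unreadable) signer also fails, so the check fails closed.
    if (currentSignerSha256(context) != EXPECTED_SIGNER_SHA256) failures += StartupCheck.SignerMismatch

    return failures
}

/** Base64 SHA-256 of the first APK signing certificate, or null if it cannot be read. */
fun currentSignerSha256(context: Context): String? {
    val pm = context.packageManager
    val signature = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
        val info = pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
        info.signingInfo?.apkContentsSigners?.firstOrNull()
    } else {
        @Suppress("DEPRECATION")
        pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures?.firstOrNull()
    } ?: return null
    val digest = MessageDigest.getInstance("SHA-256").digest(signature.toByteArray())
    return Base64.encodeToString(digest, Base64.NO_WRAP)
}

/** Item 5: an HTTP client that only accepts the backend's pinned public keys. */
fun pinnedHttpClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PRIMARY_PIN, BACKUP_PIN)
        .build()
    return OkHttpClient.Builder().certificatePinner(pinner).build()
}
```

Two design points worth noting. First, `runStartupChecks` reports rather than decides: the appropriate response (refusing to start, wiping a session, or logging to the backend) is a product decision, and the same checks should be re-run before sensitive operations as item 6 requires. Second, these checks are themselves code that a penetration tester will try to locate and disable, which is why item 7 (obfuscation, e.g. shipping release builds through R8 with `minifyEnabled true`) and item 4 (runtime integrity) are listed alongside them; a self-check that is trivial to find and patch out does little on its own.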

Navigating the path to compliance

DiGA providers are now on the clock to implement the necessary hardening and other security measures by January 1, 2025. For many, this will require significant additional effort and expertise, whether developed in-house or procured through external vendors.

In discussions with DiGA manufacturers, several common concerns and obstacles have emerged:

  • Divergent risk assessments: Some providers hold a different perspective than the BSI regarding the potential impact of data breaches and the necessity of extensive app hardening. Bridging this gap in threat perception can be a challenge.

  • Know-how deficits: The niche skills required to implement BSI-compliant protections and withstand penetration testing are not always readily available within in-house development teams or external app development partners.

  • Time and budget constraints: Evaluations of "DIY" hardening approaches often conclude they are not cost-effective. Meanwhile, existing third-party solutions are frequently deemed too complex to implement, reliant on problematic cloud architectures, or cost-prohibitive in light of DiGA business models and reimbursement rates.

Given these challenges, DiGA manufacturers are well-advised to begin the compliance process early. This may involve upskilling internal teams, vetting external solutions, or adapting business plans to the new technical and economic realities of the German market.

Reframing regulation as opportunity

The upcoming BSI requirements undoubtedly raise the bar for participating in Germany's digital health market. Implementing appropriate data security measures will consume additional resources and potentially delay time-to-market for new DiGA.

At the same time, this mandate reflects a maturing approach to DiGA regulation and the integration of app-based care into mainstream medicine. By instilling greater confidence in the fundamental safety and privacy of these products, the BSI examination could actually boost physician and patient acceptance. The BfArM has characterized it as an overall improvement in medical device security.

From this view, investing in data protection is not merely a compliance checkbox but a means of enhancing the quality, reputation, and long-term viability of a DiGA offering. Manufacturers who proactively embrace this mindset may find themselves with a competitive edge as the market evolves.

The road ahead for DiGA

The introduction of DiGA has marked a significant step forward in Germany's eHealth journey. By enabling the prescription and reimbursement of digital therapeutics, the DVG law has made app-based care more accessible than ever.

However, as the market matures, so too must the regulatory framework surrounding it. The upcoming BSI requirements reflect a natural progression towards more formalized and stringent quality assurance for digital health solutions.

While adapting to these new realities will pose challenges for manufacturers, it may also spur innovation in app hardening techniques and business models. The most successful DiGA providers will likely be those who view data security not as an obstacle but as an opportunity to differentiate through technical excellence and patient-centric design.

Ultimately, a more secure and trusted DiGA ecosystem benefits all stakeholders. For patients, it means greater peace of mind that the apps they rely on for their health and well-being are built to the highest data protection standards. For healthcare providers, it offers assurance that the digital tools they prescribe are not only clinically effective but also resilient against cyber threats. And for insurers, it provides a stronger foundation for the long-term sustainability and scalability of DiGA-based care.

As the first country to systematically integrate digital therapeutics into its public health system, Germany's experience with DiGA will be closely watched by policymakers, payers, and providers around the world. The BSI's evolving security framework, in particular, may serve as a model for other jurisdictions grappling with the challenges of regulating rapidly advancing digital health technologies.

For DiGA manufacturers operating in Germany, the message is clear: embracing data security is no longer optional—it is an essential prerequisite for market access and success. Those who rise to the challenge of meeting BSI standards will not only be well-positioned to thrive domestically but also to export their solutions to other countries following Germany's lead in digital health innovation.

App Shielding can help stop the threats facing healthcare apps. Book a demo today to learn how app shielding can protect your apps and help achieve compliance.