BfArM Guidance on Fast-Track Process for Digital Health Applications: Data Security | RegDesk

Published: 2023-11-16 (modified 2023-11-21)
Link: https://platohealth.ai/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk/

The new article addresses the data security measures to be introduced by the parties involved in operations with digital health products.

The German regulating authority in the sphere of healthcare products (BfArM) has published a guidance document dedicated to the regulatory status of digital health applications (DiGA). The document provides an overview of the respective regulatory requirements based on the existing legal framework and highlights the key points to be taken into consideration by medical device manufacturers (software developers) and other parties involved in order to ensure compliance. At the same time, the provisions of the guidance are non-binding in their legal nature and are not intended to introduce new rules or impose new obligations. The authority also reserves the right to make changes to the guidance and the recommendations provided therein, should such changes be reasonably necessary to reflect corresponding amendments to the underlying legislation.

Data Security: Key Points

First of all, the authority emphasizes the importance of data security, focusing on the protection of the confidentiality, integrity, and availability of data processed via a DiGA. The DiGAV data security specifications derive from publications and recommendations of the Federal Office for Information Security (BSI). It is also important to note that the BSI will clarify the data security requirements for DiGA verification by January 1, 2024.

The DiGAV (Digital Health Applications Ordinance) categorizes data security requirements into two groups. They incorporate processes from BSI standards 200-1, 200-2, and 200-3, supplemented by elements from the IT-Grundschutz compendium related to DiGA.

From June 1, 2024, the BSI will provide compliance verification processes. Manufacturers must demonstrate compliance by January 1, 2025.

Information Security Management System (ISMS)

The scope of the guidance covers, inter alia, the information security management system (ISMS) to be designed and implemented by the responsible party.

The authority acknowledges that ensuring information security is challenging due to rapidly evolving threats and DiGA developments. The DiGAV therefore promotes treating information security as an ongoing process integrated within the organization rather than as a fixed set of technical measures. This approach is further supported within an ISMS, as described in ISO Standard 27001 and BSI Standard 200-1.

As explained by the authority, the applicable requirements for the ISMS are detailed in the DiGAV. From April 1, 2022, an ISMS that aligns with ISO 27001, or its counterpart based on IT-Grundschutz, is mandatory.

Security as a Process

Although the ISMS requirement has been effective only since April 1, 2022, the DiGAV mandates several processes for all DiGA to ensure that security is treated as an ongoing process, including:

- Tests are primarily to be conducted by BSI-certified centres and, importantly, repeated when significant changes occur.

BSI Basic Protection Modules and Technical Guidelines

As mentioned above, the data security requirements derive from the BSI IT-Grundschutz catalogues. For instance, requirements such as central authentication apply mainly to web applications, while others, such as authorization checks, are already embedded in the underlying platforms (e.g., Android and iOS).

The BSI IT Baseline Protection Compendium describes potential IT security threats and the corresponding countermeasure requirements. These guidelines help clarify which requirements apply to specific technologies.

Requirements for Increased Protection Needs

For DiGA with high protection requirements, additional precautions are necessary. These requirements include, inter alia, the following:

Conclusion

In summary, the document emphasizes that data security is vitally important for digital health applications. The DiGAV, supported by BSI guidelines, provides a comprehensive framework to ensure that data is protected at all levels, with special attention to continuous improvement and adaptation to the evolving digital landscape.

Source

https://www.bfarm.de/SharedDocs/Downloads/DE/Medizinprodukte/diga_leitfaden.pdf?__blob=publicationFile

How Can RegDesk Help?

RegDesk is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.

Want to know more about our solutions? Speak to a RegDesk Expert today!