{"id":350316,"date":"2023-11-16T04:29:42","date_gmt":"2023-11-16T09:29:42","guid":{"rendered":"https:\/\/platohealth.ai\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk\/"},"modified":"2023-11-21T12:41:58","modified_gmt":"2023-11-21T17:41:58","slug":"bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk","status":"publish","type":"post","link":"https:\/\/platohealth.ai\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk\/","title":{"rendered":"BfArM Guidance on Fast-Track Process for Digital Health Applications: Data Security | RegDesk","gt_translate_keys":[{"key":"rendered","format":"text"}]},"content":{"rendered":"<div id=\"et-boc\" class=\"et-boc\">\n<div class=\"et-l et-l--post\">\n<div class=\"et_builder_inner_content et_pb_gutters3\">\n<div class=\"et_pb_section et_pb_section_0 et_section_regular\">\n<div class=\"et_pb_row et_pb_row_0\">\n<div class=\"et_pb_column et_pb_column_1_2 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough\">\n<div class=\"et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p><span>The new article addresses the aspects related to the data security measures to be introduced by the parties involved in operations with digital health products. <\/span><\/p>\n<\/div><\/div>\n<p> <!-- .et_pb_text -->\n\t\t\t<\/div>\n<p> <!-- .et_pb_column --><\/p>\n<div class=\"et_pb_column et_pb_column_1_2 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child\">\n<div class=\"et_pb_module et_pb_image et_pb_image_0\">\n<p>\t\t\t\t<span class=\"et_pb_image_wrap \"><img decoding=\"async\" src=\"https:\/\/platohealth.ai\/wp-content\/uploads\/2023\/11\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk.jpg\" alt=\"medical device regulations in Germany\" title=\"germany medical device regulations\" data-et-multi-view=\"{&quot;schema&quot;:{&quot;attrs&quot;:{&quot;desktop&quot;:{&quot;src&quot;:&quot;https:\/\/platohealth.ai\/wp-content\/uploads\/2023\/11\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk.jpg&quot;,&quot;alt&quot;:&quot;medical device regulations in Germany&quot;,&quot;title&quot;:&quot;germany medical device regulations&quot;,&quot;srcset&quot;:&quot;https:\/\/platohealth.ai\/wp-content\/uploads\/2023\/11\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk.jpg 800w, https:\/\/platohealth.ai\/wp-content\/uploads\/2023\/11\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk-1.jpg 150w, https:\/\/platohealth.ai\/wp-content\/uploads\/2023\/11\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk-2.jpg 300w, https:\/\/platohealth.ai\/wp-content\/uploads\/2023\/11\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk-3.jpg 768w, https:\/\/www.regdesk.co\/wp-content\/uploads\/2019\/04\/germany-flag-std_1-75x75.jpg 75w&quot;,&quot;sizes&quot;:&quot;(max-width: 800px) 100vw, 800px&quot;},&quot;tablet&quot;:{&quot;src&quot;:&quot;&quot;}}},&quot;slug&quot;:&quot;et_pb_image&quot;}\"><\/span>\n\t\t\t<\/div>\n<\/p><\/div>\n<p> <!-- .et_pb_column --><\/p><\/div>\n<p> <!-- .et_pb_row --><\/p>\n<div class=\"et_pb_row et_pb_row_1\">\n<div class=\"et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child\">\n<div class=\"et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2><span class=\"ez-toc-section\" id=\"Table_of_content\"><\/span>Table of content<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<\/div><\/div>\n<p> <!-- .et_pb_text --><\/p>\n<div class=\"et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<p>The German regulating authority in the sphere of healthcare products (<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bfarm.de\/EN\/Home\/_node.html\">BfArM<\/a>) has published a guidance document dedicated to the regulatory status of digital health applications (DiGA).<\/p>\n<p><span>The document provides an overview of the respective regulatory requirements based on the existing legal framework and also highlights the key points to be taken into consideration by medical device manufacturers (software developers) and other parties involved to ensure compliance thereto.<\/span><\/p>\n<p><span>At the same time, provisions of the guidance are non-binding in their legal nature, nor are they intended to introduce new rules or impose new obligations. <\/span><span><br \/><\/span><span><br \/><\/span><span>The authority also reserves the right to make changes to the guidance and recommendations provided therein, should such changes be reasonably necessary to reflect corresponding amendments to the underlying legislation.<\/span><\/p>\n<\/div><\/div>\n<p> <!-- .et_pb_text -->\n\t\t\t<\/div>\n<p> <!-- .et_pb_column --><\/p><\/div>\n<p> <!-- .et_pb_row --><\/p>\n<div class=\"et_pb_row et_pb_row_2\">\n<div class=\"et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child\">\n<div class=\"et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2><span class=\"ez-toc-section\" id=\"Data_Security_Key_Points\"><\/span><b>Data Security: Key Points<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>First of all, the authority emphasizes the importance of data security, focusing on the protection of confidentiality, integrity, and availability of data processed via a DiGA. <\/span><span><br \/><\/span><span><br \/><\/span><span>The DiGAV (Digital Health Applications Ordinance) categorizes data security requirements into two:<\/span><\/p>\n<ul>\n<li><b>Basic Requirements<\/b><span>: Applicable to all digital health applications. They must be met without exceptions unless they are irrelevant to specific DiGA types.<\/span><span><br \/>\n<\/span><\/li>\n<li><b>Additional Requirements for High Protection Needs<\/b><span>: These are for DiGA that require extensive protection due to the nature of data processed, supply scenarios, or usage context.<\/span><\/li>\n<\/ul>\n<p><span>The DiGAV data security specifications derive from publications and recommendations of the Federal Office for Information Security (BSI). <\/span><span><br \/><\/span><span>They incorporate processes from BSI standards 200-1, 200-2, and 200-3, supplemented by elements from the IT-Grundschutz compendium related to DiGA.<\/span><\/p>\n<p><span>It is also important to note that the BSI will clarify data security requirements for DiGA verification by <\/span><b>January 1, 2024<\/b><span>.<\/span><span><br \/><\/span><span>From <\/span><b>June 1, 2024,<\/b><span> the BSI will provide compliance verification processes. Manufacturers must show compliance by January 1, 2025.<\/span><\/p>\n<\/div><\/div>\n<p> <!-- .et_pb_text --><\/p>\n<div class=\"et_pb_module et_pb_image et_pb_image_1\">\n<p>\t\t\t\t<span class=\"et_pb_image_wrap \"><img decoding=\"async\" src=\"https:\/\/platohealth.ai\/wp-content\/uploads\/2023\/11\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security-regdesk.png\" alt=\"FDA Guidance on Distinguishing Medical Device Recalls from Enhancements: Key Concepts and Definitions\" title=\"BfArM on fast track (data security)2\"><\/span>\n\t\t\t<\/div>\n<div class=\"et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2><span class=\"ez-toc-section\" id=\"Information_Security_Management_System_ISMS\"><\/span><b>Information Security Management System (ISMS)<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>The scope of the guidance covers, inter alia, the matters related to the information security management system to be designed and implemented by a responsible party. <\/span><span><br \/><\/span><span><br \/><\/span><span>The authority acknowledges that ensuring information security is challenging due to rapidly evolving threats and DiGA developments. <\/span><span><br \/><\/span><span><br \/><\/span><span>The DiGAV promotes the idea of treating information security as an ongoing process integrated within an organization rather than a set of technical measures. <\/span><span><br \/><\/span><span><br \/><\/span><span>This approach is further supported within an ISMS, as described in ISO Standard 27001 and the BSI Standard 200-1.<\/span><\/p>\n<p><span>As explained by the authority, the applicable requirements for the ISMS were detailed in the DiGAV. From April 1, 2022, an ISMS that aligns with ISO 27001 or its counterpart based on IT-Grundschutz is mandatory.<\/span><\/p>\n<\/div><\/div>\n<p> <!-- .et_pb_text --><\/p>\n<div class=\"et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2><span class=\"ez-toc-section\" id=\"Security_as_a_Process\"><\/span><b>Security as a Process<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>Despite the ISMS requirement being effective from April 1, 2022, the DiGAV mandates several processes for all DiGA to ensure security is an ongoing process, including:<\/span><\/p>\n<ul>\n<li><b>Protection Needs Analysis<\/b><span>: Manufacturers must analyze DiGA to determine data protection needs. Significant changes to DiGA will necessitate a re-evaluation.<\/span><span><br \/>\n<\/span><\/li>\n<li><b>Release, Change, and Configuration Management<\/b><span>: The manufacturer must set up processes that ensure rapid updates and releases align with regulatory guidelines.<\/span><span><br \/>\n<\/span><\/li>\n<li><b>Penetration Tests<\/b><span>: DiGA manufacturers must conduct tests to replicate possible attacks and identify security vulnerabilities. <\/span><span><br \/><\/span><span>Tests are primarily to be conducted by BSI-certified centres and, importantly, repeated when significant changes occur.<\/span><span><br \/>\n<\/span><\/li>\n<li><b>Directory of Libraries Used and Market Observation<\/b><span>: Manufacturers must maintain a directory of third-party products used in DiGA and establish market surveillance processes.<\/span><\/li>\n<\/ul>\n<\/div><\/div>\n<p> <!-- .et_pb_text --><\/p>\n<div class=\"et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2><span class=\"ez-toc-section\" id=\"BSI_Basic_Protection_Modules_and_Technical_Guidelines\"><\/span><b>BSI Basic Protection Modules and Technical Guidelines<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>As it was mentioned before, the data security requirements derive from the BSI-IT Grundschutz catalogues. <\/span><span><br \/><\/span><span><br \/><\/span><span>The BSI IT Baseline Protection Compendium describes potential IT security threats and countermeasure requirements. These guidelines help clarify which requirements apply to specific technologies.<\/span><\/p>\n<p><span>For instance, such requirements as central authentication are mainly for web applications, while others like authorization checks are already embedded in systems (e.g., Android and iOS).<\/span><\/p>\n<\/div><\/div>\n<p> <!-- .et_pb_text --><\/p>\n<div class=\"et_pb_module et_pb_text et_pb_text_7  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2><span class=\"ez-toc-section\" id=\"Requirements_for_Increased_Protection_Needs\"><\/span><b>Requirements for Increased Protection Needs<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>For DiGA with high protection requirements, additional precautions are necessary. These requirements include inter alia, the following ones:<\/span><\/p>\n<ul>\n<li><b>Encrypted Data Storage<\/b><span>: Data on servers (e.g., in clouds) must be encrypted. The encryption method (hard drive encryption, database encryption, etc.) and key management depend on protection needs and risk analysis.<br \/>\n<\/span><\/li>\n<li><span><b>Two-factor Authentication for Health Data Access<\/b><span>: Only individuals with two-factor authentication can access health data.<\/span><br \/><\/span><\/li>\n<\/ul>\n<\/div><\/div>\n<p> <!-- .et_pb_text --><\/p>\n<div class=\"et_pb_module et_pb_text et_pb_text_8  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><b>Conclusion<\/b><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span>In summary, the document additionally emphasizes that data security is vitally important for digital health applications. <\/span><span><br \/><\/span><span>The DiGAV, supported by BSI guidelines, provides a comprehensive framework to ensure that data is protected at all levels, with special attention to continuous improvement and adaptation to the evolving digital landscape.<\/span><\/p>\n<\/div><\/div>\n<p> <!-- .et_pb_text --><\/p>\n<div class=\"et_pb_module et_pb_text et_pb_text_9  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2><span class=\"ez-toc-section\" id=\"Source\"><\/span>Source<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bfarm.de\/SharedDocs\/Downloads\/DE\/Medizinprodukte\/diga_leitfaden.pdf?__blob=publicationFile\">https:\/\/www.bfarm.de\/SharedDocs\/Downloads\/DE\/Medizinprodukte\/diga_leitfaden.pdf?__blob=publicationFile<\/a><\/p>\n<\/div><\/div>\n<p> <!-- .et_pb_text -->\n\t\t\t<\/div>\n<p> <!-- .et_pb_column --><\/p><\/div>\n<p> <!-- .et_pb_row --><\/p>\n<div class=\"et_pb_row et_pb_row_3\">\n<div class=\"et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child\">\n<div class=\"et_pb_module et_pb_text et_pb_text_10  et_pb_text_align_left et_pb_bg_layout_light\">\n<div class=\"et_pb_text_inner\">\n<h2 dir=\"ltr\"><span class=\"ez-toc-section\" id=\"How_Can_RegDesk_Help\"><\/span>How Can RegDesk Help?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p dir=\"ltr\"><strong>RegDesk<\/strong> is a holistic Regulatory Information Management System that provides medical device and pharma companies with regulatory intelligence for over 120 markets worldwide. It can help you prepare and publish global applications, manage standards, run change assessments, and obtain real-time alerts on regulatory changes through a centralized platform. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Global expansion has never been this simple.<\/p>\n<\/div><\/div>\n<p> <!-- .et_pb_text -->\n\t\t\t<\/div>\n<p> <!-- .et_pb_column --><\/p><\/div>\n<p> <!-- .et_pb_row --><\/p><\/div>\n<p> <!-- .et_pb_section --> <!-- .et_pb_section -->\t\t<\/div>\n<p><!-- .et_builder_inner_content -->\n\t<\/div>\n<p><!-- .et-l --><\/p><\/div>\n<p><!-- #et-boc --><\/p>\n<div class=\"blog-form\">\n\t\t\t\t\t\t\t&lt;!&#8211; <\/p>\n<h5 class=\"blog-form-title\">\n\t\t\t\t\t\t\t\tWant to know more about our solutions? Speak to a RegDesk Expert today!<br \/>\n\t\t\t\t\t\t\t<\/h5>\n<p>&#8211;&gt;<\/p>\n<div id=\"form-in-blog\"><\/div>\n<\/p><\/div>\n<ul class=\"plato-post-bottom-links\">\n<li class=\"plato-post-bottom-link-amplifi\">SEO Powered Content &amp; PR Distribution. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.amplifipr.com\">Get Amplified Today.<\/a><\/li>\n<li class=\"plato-post-bottom-link-platodata-network\">PlatoData.Network Vertical Generative Ai. Empower Yourself. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platodata.network\">Access Here.<\/a><\/li>\n<li class=\"plato-post-bottom-link-platoaistream\">PlatoAiStream. Web3 Intelligence. Knowledge Amplified. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platoaistream.com\">Access Here.<\/a><\/li>\n<li class=\"plato-post-bottom-link-platoesg\">PlatoESG. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platoesg.com\/aiwire\/carbon\/\">Carbon,<\/a> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platoesg.com\/aiwire\/cleantech\/\">CleanTech,<\/a> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platoesg.com\/aiwire\/energy\/\">Energy,<\/a> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platoesg.com\/aiwire\/environment\/\">Environment,<\/a> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platoesg.com\/aiwire\/solar\/\">Solar,<\/a> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platoesg.com\/aiwire\/waste-management\/\">Waste Management.<\/a> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/platoesg.com\">Access Here.<\/a><\/li>\n<li class=\"plato-post-bottom-link-platohealth\">PlatoHealth. Biotech and Clinical Trials Intelligence. <a href=\"https:\/\/platohealth.ai\" target=\"_blank\" rel=\"noopener\">Access Here.<\/a><\/li>\n<li class=\"plato-post-bottom-link-source\"><span>Source:<\/span> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.regdesk.co\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security\/\">https:\/\/www.regdesk.co\/bfarm-guidance-on-fast-track-process-for-digital-health-applications-data-security\/<\/a><\/li>\n<\/ul>\n","protected":false,"gt_translate_keys":[{"key":"rendered","format":"html"}]},"excerpt":{"rendered":"<p>The new article addresses the aspects related to the data security measures to be introduced by the parties involved in operations with digital health products. Table of content The German regulating authority in the sphere of healthcare products (BfArM) has published a guidance document dedicated to the regulatory status of digital health applications (DiGA). The [&hellip;]<\/p>\n","protected":false,"gt_translate_keys":[{"key":"rendered","format":"html"}]},"author":2,"featured_media":350323,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[52],"tags":[],"acf":[],"gt_translate_keys":[{"key":"link","format":"url"}],"_links":{"self":[{"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/posts\/350316"}],"collection":[{"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/comments?post=350316"}],"version-history":[{"count":1,"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/posts\/350316\/revisions"}],"predecessor-version":[{"id":350322,"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/posts\/350316\/revisions\/350322"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/media\/350323"}],"wp:attachment":[{"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/media?parent=350316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/categories?post=350316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/platohealth.ai\/wp-json\/wp\/v2\/tags?post=350316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}