Security problems found in two DiGAs. What you can do to avoid them.

Germany is the first country in the EU where digital health apps (also known as DiGAs) can be prescribed and used by patients to treat or manage diseases. Currently, there are 31 approved DiGAs for prescriptions to help patients with different health issues, including depression and behavioural disorders.

In the current German framework, the BfArM is responsible for checking the safety and security of apps before they can be listed for reimbursement. However, this process doesn't consist of an inspection or a penetration test, but instead, it is just an analysis of documents submitted by the manufacturers.

Consequently, the hacker collective Zerforschung examined and tested approved DiGAs and discovered security gaps in two of them. Manufacturers were informed immediately after the discovery; they admitted the problem to both NDR and WDR and assured them they had closed the gaps in the shortest time possible.

Security issues that were discovered

As discovered by the security team, both apps had errors in the Identity Management (IAM) component of their system. This component should correctly implement the "triple A" - Authentication, Authorisation, and Accounting of all user operations.
More in detail, these were the scenarios and discovered problems:

In Novego, a depression support service, the error was related to requests for data export (related to the data portability requirement set by the GDPR). The download operation created a link with a short number at the end, corresponding to the user ID. By changing the numbers, malicious users could download other app users' data. The download included all personal data such as e-mail address, gender, the therapy program used, and results of self-assessment tests. The team ensured that the gap was technically solved and closed three hours after the Zerforschung team notified the company of the vulnerability.
In Cankado, a DiGA providing support for breast cancer treatment, anyone could register as a doctor and access the data of other profiles or clinical organisations due to the lack of access control on specific APIs. The available information included name, e-mail, address, plain text passwords, diagnoses, medical reports, and other sensitive and highly private information.

A worrying additional fact is that these security issues were present for a very long time and that no one had addressed them in the past 500 days - except for the Zerforschung team.

What are the risks for your business?

Failing to ensure appropriate security levels may significantly impact your users and business. Some of the risks are:

Reporting a data breach to your Data Protection Authority (DPA). This would eventually mean investigations, costly and time-consuming legal activities, and eventual fines. In addition, you will need to prove you have done your GDPR homework during investigations.
Your app could be delisted as DiGA. We don't yet have cases for privacy-related delisting, but BfArM has already decided several times to suspend or remove applications that don't satisfy their criteria.
You could lose main contracts and run out of business. One of the most critical cases in the EU has been provided by Vastaamo, a Finnish psychotherapy clinic and company that went from 16M Euro revenue to bankruptcy and a criminal investigation against the CEO after a breach.
Losing reputation from end-users: the whole community of healthcare startups and companies rely on users' reputations and trust. If you don't protect users' data, you will lose their trust instantly, damaging your reputation. It will have a direct impact on your revenues and has the potential to drive you out of business.
Losing reputation in the market and investors: scandals can also affect your reputation towards your stakeholders. Digital Health is complex because of the variety of actors and stakeholders involved (users, payers, providers, suppliers). In addition, investors will seek proof of your solidity and perform all sorts of due diligence.

What can you do to avoid security issues?

We at Chino.io believe that patient data security can't be an afterthought in product creation, left for once you are on the market. If an app is on the market and processes patient data, it must also be mature enough to keep that data safe and comply with GDPR.

Planning and implementing a compliance strategy from day 0 allows you to manage these issues correctly and in a faster way.

One example relates to Babylon Health. In 2020, the startup claimed a data breach caused by a software error. The ICO ended its enquiry into the violation, and no further action was taken against Babylon Health. However, their proven compliance and detailed information provided to the Authority led to a €0 fine. This is solid proof that proven compliance can save you from running out of business and avoid potential criminal investigations when something goes wrong. And most importantly, it ensures that you care for your users' data security.

By working with digital health startups and organisations in the last years, we have identified three main key areas to tackle security correctly and be compliant quickly, and reducing the risks:

Analyse your risks from day 0: You can set up a proper roadmap to solve all security and data protection activities by listing your risks and performing an impact assessment. Of course, no applications are perfect at MVP or version 1 stage, but planning a clear roadmap will help you prioritise and have a clear vision. In addition, you may search for trusted partners who can advise you on the technical and organisational measures you need to implement. GDPR and data security are complex and rarely understood in a startup's initial phases - and trusted partners can help you reduce the risk of non-compliance and thus have the possibility to grow your business.
Implement essential technical security requirements: technical requirements can be very complex and require prioritisation, considering your short-term and long-term goals and plans. Typically the highest priority requirements are related to IAM (Identity Management, Authentication, Authorisation), mapping data processing flows, and data security (pseudonymisation, encryption, segregation - as mandated by art 32 of GDPR). You can find helpful information in our blog post if you want to know more about pseudonymisation and encryption.
Implement key legal measures: your business is data-driven, and your innovation is probably based on innovative data processing and usage (to treat certain conditions). Since GDPR is about regulating data management, you must clarify your legal obligations and implementing correct Privacy Policies, Data Processing Agreements, and Consent collection is vital. Users and customers are paying more and more attention to those aspects, and since policies are contracts, correct agreements will enable you to do (or forbid you to do) certain things with data.

If you are interested in the regulatory and reimbursement frameworks for DTx, be sure to check out our latest blog post.

Scheme with green boxes showing the main point on avoid security issues in digital health apps — Key points to implement to avoid security issues.

About Chino.io

At Chino.io, we support several companies (from early-stage startups to large organisations) in solving data security and legal compliance for their health IT products. With our know-how and technology, we help companies prioritise, implement and document all the security requirements for GDPR, HIPAA, and national reimbursement schemes such as DVG (for DiGAs). Contact us if you want to discuss how data security and compliance can impact your company.