Digital health apps (DiGA) are intended to provide technical support for a wide range of illnesses and complaints and to simplify tasks such as keeping a symptom diary. The hacker collective Zerforschung took a close look at two DiGAs and found significant security deficiencies.
Hardly any effective security mechanisms in use
The research turned up some hair-raising vulnerabilities. The Novego app, for example, is intended to support people with depression. Since the GDPR requires that patients be able to export their data, Novego offers such an export. The download takes place via a link ending in a short number, which turns out to be a user ID. Simply changing that number made it possible to download other app users' data. Besides the e-mail address, this included gender, the therapy program in use, and the results of the self-assessments used to record the severity of the depression.
The Cankado app, on the other hand, is designed to help breast cancer patients judge whether a symptom should be checked by a doctor. Anyone can register as a doctor, and because no further checks were performed, the API also gave access to the data of other doctors and institutions. This included names, e-mail addresses, postal addresses, plain-text passwords, diagnoses, diary entries, medical reports and other highly private information.
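Both findings are the same class of flaw, a missing authorization check on an identifier the client controls. The following is an added illustration, not the article's or either app's code: an export endpoint in the pattern of the numbered download link above, beside a version that ties the record to the authenticated user, plus a log check a defender could run to flag sessions that request many IDs other than their own. All names, records, tokens and log lines are constructed.

```python
# Added illustration (not the article's or either app's code): an export
# endpoint in the pattern described above, beside an authorized version,
# plus a log check flagging sessions that enumerate other users' IDs.
RECORDS = {  # constructed patient records keyed by user ID
    1001: {"email": "a@example.org", "program": "depression", "score": [14, 9]},
    1002: {"email": "b@example.org", "program": "depression", "score": [21, 19]},
}
SESSIONS = {"tok-a": 1001, "tok-b": 1002}  # constructed: token -> user ID

class Forbidden(Exception):
    pass

def export_unchecked(token, url_user_id):
    """The reported flaw: login is verified, ownership of the ID is not."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    return RECORDS[url_user_id]  # whatever ID is in the URL gets served

def export_checked(token, url_user_id):
    """Fix: the record must belong to the caller, not merely exist."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not logged in")
    if url_user_id != owner:
        raise Forbidden("record belongs to another user")
    return RECORDS[owner]

def denied(token, url_user_id):
    """True if export_checked refuses the request."""
    try:
        export_checked(token, url_user_id)
    except Forbidden:
        return True
    return False

def flag_enumeration(log_lines, threshold=3):
    """Return tokens that requested >= threshold distinct IDs not their own.
    Log format (constructed): 'token=<t> export_id=<n>' per line."""
    foreign = {}
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        requested = int(fields["export_id"])
        if requested != SESSIONS.get(fields["token"]):
            foreign.setdefault(fields["token"], set()).add(requested)
    return sorted(t for t, ids in foreign.items() if len(ids) >= threshold)

CONSTRUCTED_LOG = [f"token=tok-b export_id={n}" for n in (1002, 1003, 1004, 1005)]
CONSTRUCTED_LOG.append("token=tok-a export_id=1001")
```

The hardened handler never uses the URL's number to select a record; the ID in the link can stay for compatibility, but the data returned is always the caller's own.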
The IT researchers contacted the manufacturers, who, according to their own statements, have now fixed the errors. Nevertheless, these tests show that IT security and the protection of patient data are often not a priority for DiGAs. The hacker collective sums it up as follows: “Patient data security is not optional. Not something that can be ‘followed up’ after an app has been used by patients for a year. If an app is market-ready enough to process patient data, it must also be mature enough to keep that data to itself. Therefore, we currently see no other way than to take all apps that have not yet implemented sufficient security precautions off the market for the time being.”
DiGA costs under criticism
Such blatant security deficiencies weigh all the more heavily because the cost of prescribable DiGAs is extremely high: on average 400 euros per quarter, reports the Pharmazeutische Zeitung. While the average price of a DiGA was 329 euros in October 2020, it rose to 456 euros by March 2022 after price increases by four manufacturers. The costs, which health insurers criticize, are partly justified on the grounds that the requirements for security and data protection drive them up.
Prescribable DiGAs are reviewed by the Federal Institute for Drugs and Medical Devices (BfArM) and listed in the BfArM's DiGA directory. A spokesman for the BfArM told heise online that the institute is not involved in testing the market-access requirements, and thus not in the CE certification of the DiGAs. Manufacturers certify their products themselves, possibly with the involvement of a medical device certification body. The BfArM's review procedure then follows and is primarily concerned with whether a listed app can be prescribed and reimbursed. The Digital Healthcare Act (Digitale-Versorgung-Gesetz) paved the way for DiGAs in 2019 and brought them into standard care. Since autumn 2020, doctors have been able to prescribe the apps to patients.
Provisional inclusion in the directory is also possible without a sufficient evaluation of effectiveness. Permanent inclusion can follow after 24 months in the course of negotiations with the health insurers, for which the manufacturer must prove the app's effectiveness. According to Apotheke Adhoc, however, only one such negotiation has been completed so far.
Updated 06/16/2022 4:49 p.m.
Details on the approval process of the DiGAs added.