Digital health apps (DiGA) are meant to provide technical support for a wide range of illnesses and complaints and to ease routine tasks such as keeping a symptom diary. The hacker collective Zerforschung took a close look at two DiGAs and found significant security deficiencies.
Hardly any effective security mechanisms in use
The research turned up some hair-raising vulnerabilities. The Novego app, for example, is intended to support people with depression. Since the GDPR requires that patients be able to export their data, Novego offers an export. The download is served from a link ending in a short number, which turned out to be the user ID, and the server never checked whether that ID belonged to the logged-in user. Simply changing the number (a classic insecure direct object reference) returned other users' exports. Besides the e-mail address, the data included gender, which therapy programme was in use, and the results of the self-assessments meant to record the severity of the depression.
The Cankado app, on the other hand, is designed to help breast cancer patients judge whether a symptom should be checked by a doctor. Anyone could register as a doctor, and because the API performed no further authorization checks, such a self-registered account could access the data of other doctors and institutions. That data included names, e-mail addresses, postal addresses, passwords stored in plain text, diagnoses, diary entries, medical reports and other highly sensitive information.
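Both findings are the same missing check: the server selects a record by an identifier the client supplies and never asks whether the caller is allowed to see it. The following is an added illustration, not code from Novego, Cankado or Zerforschung. It models the Novego export link with a toy in-memory store (the patient records are constructed sample data) and shows the vulnerable handler, the hardened handler with an object-level authorization check, and the enumeration an attacker performs by walking the number at the end of the link. The same check is what the Cankado API lacked between doctor accounts.

```python
# Constructed sample data: a toy "patient record" store keyed by numeric user ID.
# This is illustrative only and not data or code from either app.
PATIENTS = {
    1001: {"email": "a@example.org", "gender": "f", "self_assessment": [4, 7]},
    1002: {"email": "b@example.org", "gender": "m", "self_assessment": [9, 12]},
    1003: {"email": "c@example.org", "gender": "f", "self_assessment": [2, 3]},
}


def export_vulnerable(session_user_id, requested_user_id):
    """The flaw as described: the number at the end of the download link picks
    the record, and the logged-in session is never compared against it.
    The session argument is accepted but ignored."""
    return PATIENTS.get(requested_user_id)


def export_fixed(session_user_id, requested_user_id):
    """Object-level authorization: a caller may only export its own record.
    Any mismatch is answered like a missing record, so the response does not
    reveal whether the requested ID exists."""
    if session_user_id != requested_user_id:
        return None
    return PATIENTS.get(requested_user_id)


def enumerate_exports(export_fn, session_user_id, id_range):
    """What an attacker does with one legitimate account: iterate the ID in the
    link and collect every record that comes back which is not their own."""
    leaked = {}
    for uid in id_range:
        record = export_fn(session_user_id, uid)
        if record is not None and uid != session_user_id:
            leaked[uid] = record
    return leaked


if __name__ == "__main__":
    # User 1001 walks IDs 1000..1004 against both handlers.
    print("vulnerable:", sorted(enumerate_exports(export_vulnerable, 1001, range(1000, 1005))))
    print("fixed:     ", sorted(enumerate_exports(export_fixed, 1001, range(1000, 1005))))
```

Note that swapping the sequential ID for a random token does not replace the ownership check: a long-lived unguessable link still leaks if it is forwarded or logged, so the server should tie the export to the authenticated session (or to a short-lived token it issued to that user) and apply the check on every record it returns, including list and search endpoints.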
The researchers contacted the manufacturers, who, by their own account, have since fixed the flaws. Nevertheless, the tests show that IT security and the protection of patient data are often not a priority for DiGAs. The hacker collective sums it up as follows: “Patient data security is not optional. Not something that can be ‘followed up’ after an app has been used by patients for a year. If an app is market-ready enough to process patient data, it must also be mature enough to keep it to itself. Therefore, we currently see no other way than to take all apps that have not yet implemented sufficient security precautions off the market for the time being.”
DiGA costs under criticism
Such blatant security deficiencies are all the more serious given that the prescribable DiGAs are extremely expensive: on average 400 euros per quarter, reports the Pharmazeutische Zeitung. While the average price of a DiGA was still 329 euros in October 2020, it had risen to 456 euros by March 2022 after price increases by four manufacturers. Towards the health insurers who criticise the costs, the prices are partly justified with the security and data protection requirements, which are said to drive them up.
Prescribable DiGAs are checked by the Federal Institute for Drugs and Medical Devices (BfArM) and listed in the BfArM's DiGA directory. A 2019 law on the digital modernisation of healthcare paved the way for DiGAs and brought them into standard care. Since autumn 2020, doctors have been able to prescribe the apps to their patients.
Provisional inclusion in the directory is also possible before the app's effectiveness has been sufficiently evaluated. Permanent inclusion can follow after 24 months, in the course of price negotiations with the health insurers, for which the manufacturer must prove the app's effectiveness. According to Apotheke Adhoc, however, only one such negotiation has been completed so far.