Article: Johner Institut on meeting German DIGA requirements

Includes an overview of the regulatory requirements:

  • MDR
  • DVG
  • BSI-Standard 200-1, Information Security Management Systems (Managementsysteme für die Informationssicherheit)
  • BSI-Standard 200-2, IT-Grundschutz Methodology (IT-Grundschutz-Methodik)
  • BSI TR-03161, Security requirements for digital health applications (Sicherheitsanforderungen an digitale Gesundheitsanwendungen)
  • ISO 27001:2017
  • ISO/IEC 82304-1 Health software – Part 1: General requirements for product safety
  • ISO/IEC 82304-2 Health Software – Part 2: Health and wellness apps – Quality and reliability [future – includes a “seal”]
  • IEC 81001-5-1 Safety, security and effectiveness in the implementation and use of connected medical devices or connected health software – Part 5-1: Security – Activities in the product lifecycle

Germany: Referentenentwurf (ministerial draft bill) of the DVPMG

Draft for new German law to modernize health care
(Digitale Versorgung und Pflege – Modernisierungs-Gesetz – DVPMG)

This includes important changes to DIGAV!
(See “Artikel 8”, page 44ff)

  • From 1 Jan 2023, DIGA (digital health applications) would need to be able to export data into the electronic patient file (elektronische Patientenakte).
  • Also new requirements on certified information security management (from no later than 1 Jan 2022) and a BSI certificate on data security (from 1 Jan 2023). This also applies to digital health applications which are already registered.
  • Also new requirements on integrating with the electronic health card for authentication (elektronische Gesundheitskarte) – unless the DIGA is purely web-based. (31 Dec 2020)
  • Also, the vendor needs to ensure that the provided health information is kept up to date.

EDPB and Schrems II

Final version at