February 21, 2023

How Build38 helps eHealth companies to comply with BSI technical guidelines


Healthcare data security is a regulated area in Germany: it is governed by federal law and by the technical guidelines of the BSI. The Bundesamt für Sicherheit in der Informationstechnik (BSI), the Federal Office for Information Security, is the authority responsible for IT security matters of the state, businesses and society. Its remit is defined by the Act on the Federal Office for Information Security (BSI-Gesetz) and includes promoting the preventive and protective practices that shield federal and public systems and infrastructure from attack.

Part of that remit is ensuring that modern mobile applications deliver their functionality to users in the most secure way possible. This is the subject of BSI TR-03161, in which the BSI sets out requirements for healthcare applications: the app on the mobile phone and the backend systems that support security-sensitive operations and process personal data in the healthcare domain.

The importance of securing healthcare data cannot be stressed enough. An attacker who obtains an individual's glucose levels or other disease-related information could sell it on the dark web for a hefty sum, blackmail the individual, disclose the data publicly, or feed engineered or manipulated readings from healthcare devices into the system so that the patient receives wrong medication advice. The confidentiality and integrity of this data must therefore be ensured to keep individuals out of harm's way.

Myth buster: can cloud technologies be used to process sensitive data while remaining compliant with the BSI's regulations, or is the cloud a no-go for sensitive data processing? No, the cloud is not a forbidden word in healthcare and identity-related data processing. Cloud services that meet the requirements of BSI C5 (Cloud Computing Compliance Criteria Catalogue) [KCC-C5], or an equivalent attestation or certification, can continue to provide business value to healthcare providers.

The BSI has outlined detailed criteria that apply to mobile applications, whether built with native or hybrid frameworks, that offer healthcare-related services from within the application. This also covers applications that gather data from other devices, and DiGA (Digitale Gesundheitsanwendungen, digital health applications).

Some highlights of the requirements on the mobile application side are as follows:

  • Data security: protection of the data (biometric data, healthcare data, or data taken from other health devices) that is stored on the device and inside the application sandbox, against misuse, extraction, manipulation and sharing with third parties, while also respecting purpose limitation.

  • Authentication: only a user with the right credentials can access the services, and the service provider should review permissions regularly and watch for signs of privilege elevation that could give a user unintended access to other people's data.

  • Eavesdropping: user data must remain secure in transit. The measures range from up-to-date cryptographic material and the right algorithms to endpoint security and a proper TLS configuration.

  • Integrity and memory structures: the integrity of the mobile application and all its resources must be protected, so that the application cannot be reverse engineered and the data it holds in memory is shielded. The application's integrity should be verified before it connects to the backend, and the runtime environment must be checked for elevated privileges of any kind (for example a rooted or jailbroken device).

  • Network security: robust network security processes and the use of proven frameworks and libraries, certificate pinning, verification of both server and client, and fallback mechanisms for a failed or interrupted network connection.
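The "proper TLS configuration" and "certificate pinning" items above are easy to state and easy to get wrong in code. The following is an added example written for this article, not code from the original page and not Build38's T.A.K: it builds a hardened TLS client context next to the weak one that silently accepts any certificate, and shows a pin check on the server's leaf certificate performed after the handshake. It is written in Python so that it runs anywhere; the same connect-then-check-pin logic applies to a mobile TLS stack. The pin set, the sample DER bytes and the function names are constructed for this example and are not real certificates or endpoints.

```python
import hashlib
import socket
import ssl

# Constructed placeholder, NOT a real certificate: in a real app the pins are
# SHA-256 digests of the DER-encoded certificates (or their SPKI) that the app
# is willing to trust, shipped with the build so the backend can be recognised
# even if a CA on the device is compromised.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x0a\x30\x82\x00\xb0\xa0\x03\x02\x01\x02" + b"\x00" * 20


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER bytes, the simplest pin format."""
    return hashlib.sha256(der_cert).hexdigest()


DEMO_PINS = {cert_fingerprint(SAMPLE_LEAF_DER)}


def pin_matches(der_cert: bytes, pins) -> bool:
    """True only if the presented certificate is one the app explicitly trusts."""
    return cert_fingerprint(der_cert) in pins


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that match the TLS items of the guideline."""
    ctx = ssl.create_default_context()          # CA verification + hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # TLS 1.2: only AEAD suites with forward secrecy (TLS 1.3 suites are AEAD anyway).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: disables verification, so any MITM certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain summary of the settings an audit would look at."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate is pinned.

    The pin check runs AFTER normal chain validation, so both must pass.
    Not exercised offline; shown for the sequence of operations.
    """
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        leaf = tls.getpeercert(binary_form=True)  # DER bytes of the server cert
        if not pin_matches(leaf, pins):
            raise ssl.SSLError(f"certificate pin mismatch for {host}")
    except Exception:
        tls.close()  # never keep an unpinned channel open
        raise
    return tls


if __name__ == "__main__":
    print("hardened:", describe_context(hardened_client_context()))
    print("weak:    ", describe_context(weak_client_context()))
    print("pin ok:  ", pin_matches(SAMPLE_LEAF_DER, DEMO_PINS))
    print("pin bad: ", pin_matches(SAMPLE_LEAF_DER + b"\x01", DEMO_PINS))
```

Pinning the leaf certificate is the strictest form and forces an app update (or a pin rollover with a backup pin) whenever the backend certificate is renewed; pinning the SPKI or the intermediate CA is more forgiving. Whichever level is chosen, the check must sit after standard chain validation, not replace it.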

These are some of the high-level requirements on the mobile application side. The high-level requirements for the backend systems follow (for the detailed guideline, in German, see the BSI's own pages).

  • Mandatory architecture: the background system is an integral part of the architecture, where sensitive information may be stored or processed to carry out business functions. Sensitive information is never held in plain text, and access to the backend via its APIs is restricted, monitored and fully documented.

  • Authentication mechanisms: strong mechanisms for authentication (two-factor) and authorization, implemented as separate functions. An authentication factor can also be triggered from the background system, and re-authentication must be required at regular intervals.

  • Data storage and data protection: strong encryption of data and purpose limitation for the data stored in the background systems, such as removing metadata that is not needed to deliver the critical service.

  • Network communication: end-to-end encryption, trustworthy certificate authorities, firewalls, and modern secure practices such as the use of secure libraries and frameworks, to achieve an uninterrupted and secure backend service.

  • Cryptographic implementation: secure implementation of the PKI, with no hardcoded secrets or private keys and each cryptographic key used for a single purpose; use of modern and secure algorithms, protocols, key lengths, cipher suites, random number generators and so on.
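The last item asks for no hardcoded secrets, single-purpose keys and a proper random number generator. The following added example, written for this article and not taken from the page or from Build38, shows the usual way to meet all three at once: a master secret generated with the operating system's CSPRNG, separate keys derived from it with HKDF (RFC 5869, implemented here on the standard library's HMAC) using a distinct purpose label for each, and an integrity tag verified with a constant-time comparison. The label prefix, the record format and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC default: a string of HashLen zeros
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step; `info` is the purpose label that separates keys."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_master_secret() -> bytes:
    """Generated at provisioning time with the OS CSPRNG, never a literal in source."""
    return secrets.token_bytes(32)


def derive_purpose_keys(master_secret: bytes, salt: bytes, context: bytes) -> dict:
    """One 256-bit key per purpose. Because the info strings differ, the keys are
    unrelated: leaking or misusing one does not expose another. Label prefix is
    an assumption for this example."""
    prk = hkdf_extract(salt, master_secret)
    return {
        purpose: hkdf_expand(prk, b"TR-03161-demo/" + context + b"/" + purpose.encode(), 32)
        for purpose in ("encrypt", "authenticate", "storage")
    }


def protect_record(mac_key: bytes, record: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so manipulation of the record is detectable."""
    return record + hmac.new(mac_key, record, HASH).digest()


def verify_record(mac_key: bytes, sealed: bytes):
    """Return the record if the tag is valid, otherwise None.
    compare_digest avoids leaking the tag through timing differences."""
    if len(sealed) < HASH_LEN:
        return None
    record, tag = sealed[:-HASH_LEN], sealed[-HASH_LEN:]
    expected = hmac.new(mac_key, record, HASH).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return record


if __name__ == "__main__":
    master = new_master_secret()
    salt = secrets.token_bytes(16)
    keys = derive_purpose_keys(master, salt, b"patient-device-42")  # constructed context
    for purpose, key in keys.items():
        print(f"{purpose:12s} {key.hex()}")
    sealed = protect_record(keys["authenticate"], b'{"glucose_mgdl": 95}')  # constructed sample
    print("verify ok:", verify_record(keys["authenticate"], sealed) is not None)
    print("wrong key:", verify_record(keys["encrypt"], sealed))
```

The "authenticate" key cannot verify data protected under the "encrypt" key and vice versa, which is exactly the property the single-purpose rule is after; the master secret itself is only ever fed to HKDF and never used directly. The HMAC tag gives integrity only; confidentiality of the record still requires an AEAD cipher under the "encrypt" key.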

Both sides additionally require organizational and source code security, which are just as crucial as the other elements of the BSI guidelines. To bring a healthcare-related mobile application to the German market, service providers need considerable R&D resources to implement DevSecOps practices as well as the technical requirements outlined in the BSI guideline. Achieving a level of compliance that passes the BSI's regulations and testing criteria is where Build38's Trusted Application Kit (T.A.K) comes in.

Build38's Trusted Application Kit (T.A.K) is the security anchor that eHealth companies need for service enablement in the regulated healthcare space in Germany. The feature-rich security layers of T.A.K provide the framework that helps companies achieve compliance with TR-03161-1 out of the box, freeing them to focus on business expansion and process improvement.

T.A.K establishes Trust on First Use (TOFU), enabling strong app-to-device binding that makes it nearly impossible for an attacker to change or manipulate the application. This includes static protection, against an attacker who decompiles the application to tamper with it, and dynamic protection, which blocks access to resources at runtime through hooking frameworks and prevents manipulation of those resources in memory.

Build38 helps you to secure healthcare data and meet compliance

Together, these features put eHealth service providers on track for their BSI approval process. To learn more about enabling eHealth applications, contact us today for more in-depth insights. By staying up to date on the latest mobile application security trends and investing in reliable mobile app security solutions, businesses reduce their chances of becoming the target of malicious attacks and better protect their customers as well.
