Data protection and IT security for medical devices and DiGA

Digital health solutions are under particular scrutiny: authorities, payers and patients expect the highest standards when it comes to protecting sensitive health data. BAYOOCARE supports you in meeting these requirements systematically and verifiably – from the initial conception to the ongoing operation of your medical devices, software as a medical device and digital health applications.

Your added value

We create legal certainty and organizational clarity for you. You demonstrably fulfill the requirements of MDR/IVDR, GDPR (DSGVO), BDSG and, for digital health applications, also DVG, DiGAV and the technical guidelines of the BSI. Instead of maintaining parallel systems for quality, information security and data protection, you establish an integrated management system that utilizes synergies and avoids redundancies. You reduce liability risks, strengthen patient confidence and increase acceptance among payers, notified bodies and the Federal Institute for Drugs and Medical Devices (BfArM).

Regulatory requirements: Data protection and IT security as a legal obligation

Particularly strict requirements apply to the protection of personal data in the healthcare sector. The GDPR defines health data as special category data with increased protection requirements. The MDR and IVDR explicitly require state-of-the-art IT security for all medical devices – including software as a medical device and networked systems.

There are additional obligations for digital health applications: The Digital Healthcare Act and the DiGAV set out in detail how data protection and data security are to be implemented, from lawful consent and data minimization to authentication, encryption and logging.

Since April 1, 2022, an information security management system (ISMS) in accordance with ISO 27001, or ISO 27001 based on IT-Grundschutz (BSI Standard 200-2), has been required for inclusion in the DiGA directory. The BfArM requires a corresponding certificate as evidence. In addition, since January 1, 2025, DiGA manufacturers must meet the requirements of the technical guideline BSI TR-03161 and prove this with a certificate.

Notified bodies and auditors expect a systematic approach in accordance with recognized standards. Those who do not meet these requirements risk delays in approvals, deviations in audits and, in the worst case, sanctions under the GDPR or conditions imposed by supervisory authorities.

Our approach: Integrated management for data protection & information security

We do not view data protection and IT security in isolation, but as an integral part of your existing organization. Our approach combines regulatory compliance with pragmatic feasibility.

Analysis of initial situation and requirements

We work with you to clarify which regulatory and normative requirements specifically apply to your product portfolio – such as MDR, IVDR, GDPR, BDSG, DiGAV, BSI guidelines and standards such as ISO 27001, IEC 81001-5-1, IEC 62304 or ISO 82304. On this basis, we identify gaps in existing processes, documents and technical measures and develop a prioritized action plan.

Development or expansion of the management system

Many manufacturers already have a quality management system in accordance with ISO 13485 or ISO 9001. We expand this system to include information security and data protection so that you can establish an integrated management system instead of parallel structures. This includes the definition of roles and responsibilities such as information security officers and data protection officers, the creation of guidelines and procedural instructions, training concepts for your employees and clear reporting lines and escalation channels.

Systematic risk analysis

Together, we identify relevant assets: patient and user data, applications, backend systems, interfaces to third-party systems and cloud services.

We assess threats such as unauthorized access, data leakage, ransomware, distributed denial of service attacks and technical vulnerabilities.
Based on this, we define appropriate organizational and technical protective measures based on recognized models such as ISO 27001, IT baseline protection or the Johner Institute’s IT security guidelines.

Anchoring in the product life cycle

Data protection and IT security are integrated into all phases of the product life cycle – from the purpose and requirements definition to architecture, implementation and verification through to validation, market launch and market surveillance. We support you in the implementation of security-by-design and privacy-by-design, in the establishment of secure software development practices and in test strategies with a security focus – such as code analysis, fuzz testing and penetration tests. We also support you in setting up regulated processes for updates, patches and incident management.

Verification and auditability

We take care of setting up the necessary documentation for you: risk assessments, processing directories, descriptions of technical and organizational measures, security concepts, reports on tests and audits as well as assignments to regulatory requirements such as DiGAV checklists.

This enables you to create traceable evidence for notified bodies, data protection supervisory authorities, auditors and the BfArM.

Would you like to systematically implement data protection and IT security for your medical devices or DiGA?

Arrange a non-binding initial consultation with our experts. We will analyze your initial situation, clarify regulatory requirements and develop an individual roadmap for your project. Get in touch with us, we look forward to hearing from you.

Typical components of our services

Our services in the field of data protection and IT security for medical devices, DiGA and networked healthcare solutions include:

We design and implement an information security management system in accordance with ISO 27001 or on the basis of BSI IT baseline protection. We integrate information security and data protection into existing quality management systems, for example in accordance with ISO 13485 or ISO 9001. We create and optimize guidelines, processes and work instructions for information security, data protection and secure software development.

We carry out or moderate risk analyses with a focus on data protection and IT security, including the definition and prioritization of measures. We advise you on technical security measures – such as access concepts, encryption, logging, backup strategies and hardening of systems. We accompany internal and external audits, provide support with certification projects such as ISO 27001 or BSI TR-03161 as well as with official audits and providing evidence to the BfArM.

Frequently asked questions

Data protection and IT security for medical devices and DiGA raise many questions. We have answered the most frequently asked ones for you – from ISMS requirements and ISO 27001 certification to the obligations for DiGA manufacturers. Your question is not listed? Please feel free to contact us.

ISO 27001 is an international standard for information security management systems with a risk-based approach. It defines requirements for an ISMS and allows a flexible choice of measures. BSI IT-Grundschutz (ISO 27001 based on BSI Standard 200-2) is a German approach with predefined catalogs of measures. ISO 27001 is internationally recognized, more flexible and often more cost-effective to implement, while IT baseline protection provides detailed technical specifications. Both approaches are permissible for DiGA manufacturers.

No, not in general. MDR and IVDR require state-of-the-art IT security, but not a certified ISMS. Exception: Since April 1, 2022, DiGA manufacturers require an ISMS certificate in accordance with ISO 27001 or ISO 27001 based on IT baseline protection for inclusion in the DiGA directory. An ISMS is also recommended for other manufacturers.

Yes, it is even recommended. ISO 13485 and ISO 27001 have many parallels – both are based on management system approaches with process orientation, risk assessment and continuous improvement. An integrated management system avoids redundancies, uses common processes for internal audits, management reviews and document control and significantly reduces the overall workload. Many manufacturers add information security aspects to their ISO 13485 system instead of setting up a separate ISMS.

BSI TR-03161 is a technical guideline from the German Federal Office for Information Security with specific security requirements for healthcare applications – such as authentication, encryption, logging and access concepts. Since January 1, 2025, all DiGAs must meet the requirements in accordance with Section 139e (10) SGB V and provide evidence of this with a TR certificate. The TR-03161 certification replaces the separate penetration test for DiGA.

The duration depends on your initial situation. For manufacturers with an existing QM system and good IT documentation, we estimate four to six months until certification readiness. Without prior knowledge or with complex organizational structures, it can take six to twelve months. The decisive factors are the scope, number of locations, degree of process maturity and availability of internal resources. We recommend a phased approach with early quick wins.

DiGA manufacturers are obliged to report security deficiencies to the BfArM immediately. The BfArM examines the incident and requests a technical statement. The manufacturer must demonstrate that the defects have been rectified and that the DiGA meets the requirements. In the event of serious violations, the BfArM can remove the DiGA from the directory. In addition, in the event of personal data breaches, the GDPR notification obligations towards supervisory authorities and data subjects apply. An incident response concept is therefore essential.

Yes, even medical devices in risk class I must meet all MDR requirements, including state-of-the-art IT security and data protection in accordance with the GDPR. The classification refers to medical risk, not cybersecurity. Software as a Class I medical device that processes personal data or is networked is subject to the same requirements as higher classes. DiGA are typically class I or IIa.

Alfred Koch

CEO | PRRC

How to contact us

Are you planning a project or do you have very specific regulatory questions about placing your medical device on the market? No matter what phase of your project you are in, we will be happy to support you. The quickest way to reach us – feel free to write to us.
