Assuring medical apps
Your app ensures that the medical data stays private!
You must make sure that personal data is handled correctly within your organization. Equally important, the end-users of your app must be able to handle personal data correctly when they use your app's functionality.
All this should ensure you avoid any negative media attention or run the risk of breaking the law and having fines imposed on you by the supervisory bodies. But even more importantly, this should ensure that you can guarantee the security and privacy of the patients who use your application.
Our privacy tests will find out whether you have implemented the correct and adequate control measures that ensure that the medical app complies with the requirements set, and can therefore operate in an environment governed by a specific standard. The main standards we may include in our privacy assessment are:
- The NBA / NOREA framework (NBA = Netherlands Institute of Chartered Accountants; NOREA = the professional association for IT auditors in the Netherlands)
- Privacy Article 29 Data protection working party (Opinion 02-2013 on apps on smart devices)
- Wbp (Dutch Personal Data Protection Act)
- Analysis of European Privacy Regulation (optional)
The privacy regulation refers to the new European privacy regulation that is being developed. The outlines of this regulation have now become known and, as far as possible, they have already been made part of our privacy tests. One key issue to be aware of in this respect is that this directive/regulation is still being developed. The test activities and/or scope of the other activities may still need to be modified in the light of this regulation once it has become final.
Your app is secure!
The increasing level of cybercrime requires you to be more proactive in dealing with known vulnerabilities. An up-to-date understanding of the vulnerabilities of your online presence can help to prevent cybercriminals from taking advantage of known vulnerabilities. One of the ways to do this is to carry out security tests on your applications. You can also carry out a periodic analysis - or have this done for you - into the major vulnerabilities in a web application or in its underlying infrastructure. When it comes to protecting your online operations, it is of crucial importance that you understand your vulnerabilities and can act on this information. The main security tests that can be performed as part of the Assuring Medical Apps service are as follows:
The care-related NEN tests and ISO tests are not intended to be ‘pentests’ (penetration tests for applications/systems) but concentrate instead on processes and functionality. Hospitals and care organizations are aware of the NEN and ISO obligations. As you are a developer, you need to comply with these directives when you develop a medical application. When you do, you will be delivering an application that is compatible with an environment that has either been certified in accordance with this directive or else complies with it. This prevents a situation where for instance a hospital finds that using your application means that it is no longer complying with its own standards that it drew up and/or with the standards that it must comply with by law.
Your app functions normally!
You have probably noticed that the Medical Device Regulation (MDR) has been published and is in effect. The MDR replaces the EU's current Medical Device Directive (93/42/EEC) and the EU's Directive on active implantable medical devices (90/385/EEC). The transition period has started, after which all medical software needs to meet the regulation's standards. Do you know whether your portal, medical application or other software classifies as a medical device? Do you know what to do when your digital health application requires an MDR mark? How will this impact your organization and processes? It is important that there is a right fit between what the regulations demand and the measures that are implemented. Our approach is based on the following guidelines:
- Regulation on medical devices
- Regulation on in vitro diagnostic medical devices
- Directive on active implantable medical devices 90/385/EEG
- Directive on in vitro diagnostic medical devices 98/79/EG
- Directive on medical devices 93/42/EEG
- Medical Devices Act (Wet op de medische hulpmiddelen)
- Policy regulations regarding administrative penalties Minister of Health, Welfare and Sport
- ISO 13485 Medical devices – Quality management systems – Requirements for regulatory purposes
- IEC 82304-1:2016 Health software – Part 1: General requirements for product safety
- IEC 62304: Software for medical devices – software life cycle processes
Your app is easy to use!
The term “usability” refers to how user-friendly the application is. It defines both how easy and convenient the app is to use and the way in which the user can find information within the app. The overall experience that the user has when using an application is known as the “user experience.”
There are a number of compulsory directives in the field of usability too. These directives generally stipulate requirements for the development process and for the technical dossier (which is often referred to therein as the “engineering file”). These directives are set out in such documents as IEC 62366-1:2015 part 1 (which was made final in 2015) and in the related guidance document IEC/TR 62366-2.
Since you are an app developer, it makes very good sense for you to go through these requirements and to start complying with them right from the development process onwards. The requirements largely resemble the MEDDEV dossier requirements that relate to that part of the process for CE marking but they are not absolutely identical. These systems of standards include a number of other requirements that primarily relate to the secure use of the applications.
Here, we are talking about a type of “usability” that differs from usability in the sense of user convenience and design, which generally have large sums of money spent on them.
As part of our Assuring Medical Apps service, we carry out test work to check whether the measures you have implemented in order to use the application within an environment that applies IEC 62366 (referred to on this page as ISO norm 62366) are adequate.
Your app is monitored continuously!
We advise you to supplement the (one-off) test work for an application, as described on the other tab pages, with the App Monitoring service that Deloitte also offers as part of its overall services package. Both cybercriminals and other parties that go on the prowl for vulnerabilities are constantly thinking up new ways to penetrate an organization; in addition, existing infrastructure and applications are being modified all the time, and legislation and regulations keep imposing stricter requirements on medical applications. This is why you need to be sure that any app that you arrange for us to test:
- Has not been wrongfully modified in terms of its technical functionality;
- Continues to work in the same way at all times in terms of its technical functionality;
- Is the most recent version of the app; you can verify this by letting us look at how the app is modified when it is updated, which in turn gives you the reassurance you need when an update is performed;
- Has had the latest security patches included in its updates.
In our App Monitoring service, Deloitte creates a “fingerprint” of the app once the test work relating to security, privacy and other issues has been completed. This fingerprint is then continuously subjected to an advanced form of app monitoring in respect of the technical functionalities of the app. Deloitte monitors the functionalities and potential vulnerabilities of your software version. You will be notified immediately if deviations/incidents occur in respect of this version. If there is an incident or if a vulnerability or other type of change in the app is discovered then you will be alerted by email. You can then use our tailor-made security dashboard to check out the details of the alert and to tell us about your follow-up measures. These incidents can then be discussed with you and resolved, after which a “new” fingerprint will be made so the App Monitoring service can be carried out all over again.
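The fingerprint-and-deviation idea described above can be illustrated in code. The following is an added example written for this page, not Deloitte's App Monitoring implementation: it records a baseline manifest of SHA-256 hashes over the files of a release, then compares a later snapshot against that baseline and reports added, removed and modified files. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Illustrative app "fingerprint" check (added example, not Deloitte's code).

A baseline manifest of SHA-256 file hashes is recorded once the test work on a
release is complete; later snapshots are compared against it so that any
unreviewed change to the shipped files surfaces as a deviation.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(root: str) -> dict:
    """Return {relative_path: sha256_hex} for every file under root.

    Paths are stored POSIX-style so manifests taken on different
    operating systems compare like for like.
    """
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify deviations between a baseline and a current manifest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "clean": not (added or removed or modified),
    }


def demo() -> dict:
    """Build a constructed app bundle, record the baseline, change it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root)
        (app / "lib").mkdir()
        (app / "lib" / "core.js").write_text("export const version = '1.0';\n")
        (app / "config.json").write_text(json.dumps({"telemetry": False}))
        baseline = fingerprint(root)

        # Constructed post-release changes: a setting flipped and a new file
        # that was never part of the tested release.
        (app / "config.json").write_text(json.dumps({"telemetry": True}))
        (app / "lib" / "tracker.js").write_text("// not in the tested release\n")

        return compare(baseline, fingerprint(root))


if __name__ == "__main__":
    # Prints the deviation report; a clean release yields "clean": true.
    print(json.dumps(demo(), indent=2))
```

In practice the baseline manifest would be stored outside the monitored environment (and signed), and the comparison would run on every build or deployment so that the alert reaches the developer before the changed version reaches patients.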
This monitoring service will ensure that you and your customers can rely on your app continuing to work the way it should. Our App Monitoring service is offered in the form of a subscription, under which the price charged for the initial test work is lower too. This model gives you a complete breakdown of your expenditure for the entire year.