Assuring medical apps
Your app ensures that the medical data stays private!
You must handle personal data correctly within your own organization. Equally important is that the end-users of your app can also handle personal data correctly when they use the functionality your app provides.
This helps you avoid negative media attention and the risk of breaking the law and being fined by the supervisory authorities. Even more importantly, it lets you guarantee the security and privacy of the patients who use your application.
Our privacy tests establish whether you have implemented the correct and adequate control measures, so that the medical app complies with the applicable requirements and can be used within an environment governed by a specific standard. The main standards we may include in our privacy assessment are:
- The NBA / NOREA framework (NBA = Netherlands Institute of Chartered Accountants; NOREA = the professional association for IT auditors in the Netherlands)
- Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices
- Wbp (Dutch Personal Data Protection Act)
- Analysis of European Privacy Regulation (optional)
The European Privacy Regulation refers to the new European data protection regulation that is currently being developed. Its outlines are now known and, as far as possible, have already been incorporated into our privacy tests. Be aware that this regulation is not yet final: the test activities and/or the scope of the other activities may need to be adjusted once the final text has been adopted.
Your app is secure!
The growing level of cybercrime requires you to deal proactively with known vulnerabilities. An up-to-date understanding of the vulnerabilities in your online presence helps to prevent cybercriminals from exploiting them. One way to achieve this is to carry out security tests on your applications. You can also carry out, or have us carry out, a periodic analysis of the major vulnerabilities in a web application or in its underlying infrastructure. When it comes to protecting your online operations, it is crucial that you know your vulnerabilities and can act on that knowledge. The main security tests that can be performed as part of the Assuring Medical Apps service are as follows:
The care-related NEN tests and the ISO tests are not ‘pentests’ (penetration tests of applications and systems); they concentrate on processes and functionality instead. Hospitals and care organizations are well aware of their NEN and ISO obligations. As a developer, you need to comply with these standards when you develop a medical application. If you do, you deliver an application that fits into an environment that is either certified against the standard or otherwise complies with it. This prevents a situation in which, for instance, a hospital finds that using your application means it no longer complies with the standards it has drawn up for itself and/or the standards it must comply with by law.
Your app functions normally!
The test work carried out as part of our Assuring Medical Apps service is explicitly not a substitute for the existing CE test. The developer of the app must itself go through the CE marking process organized by an institution known as a “notified body.” Our Assuring Medical Apps service is intended to prevent you, the developer, from having to pay twice for a test or for CE marking. CE marking is compulsory for medical apps with certain specific functionalities, which is why we have made the following tests part of our service:
- An analysis of your process and documentation that shows whether your app requires CE marking;
- (if applicable) an analysis of whether the process to obtain CE marking has been completed successfully*;
- Test work that checks whether the dossier requirements for obtaining CE marking are up to date and in order: is the European Medical Devices Directive (MDD 93/42/EEC) being complied with?
- Test work to check whether your processes comply with the MEDDEV 2.12-1 guidance: requirements for reporting and evaluating incidents that relate to medical devices.
During the CE marking process, we review the process you have gone through and your compliance with the requirements. Deloitte’s review is based on the process you have gone through with your app and with the notified body authorized for this purpose.
* Note: certification for CE marking is carried out by an institution authorized for this purpose, and must be carried out by that party. Deloitte focuses solely on the relevant requirements and on checking whether they have been complied with.
Your app is easy to use!
The term “usability” refers to how user-friendly the application is: how easy and convenient the app is to use and how readily the user can find information within it. The overall experience a user has when using an application is known as the “user experience.”
There are compulsory standards in the field of usability too. These generally set requirements for the development process and for the technical dossier (referred to in the standard as the “usability engineering file”). They are laid down in IEC 62366-1:2015 (finalized in 2015) and in the related guidance document IEC/TR 62366-2.
Since you are an app developer, it makes good sense to go through these requirements and to comply with them from the start of the development process onwards. The requirements largely resemble the MEDDEV dossier requirements for the CE marking process, but they are not identical. These standards also include a number of requirements that relate primarily to the safe use of the application.
This is a different kind of “usability” from usability in the sense of user convenience and design, on which large sums of money are generally spent.
As part of our Assuring Medical Apps service, we test whether the measures you have implemented to allow the application to be used within an IEC 62366 environment are adequate.
Your app is monitored continuously!
We advise you to supplement the one-off test work for an application, as described on the other tab pages, with the App Monitoring service that Deloitte also offers as part of its overall services package. Cybercriminals and other parties on the prowl for vulnerabilities constantly think up new ways to penetrate an organization; existing infrastructure and applications are modified all the time; and legislation and regulations impose ever stricter requirements on medical applications. This is why you need to be sure that any app you have us test:
- has not been wrongfully modified in terms of its technical functionality;
- continues to work in the same way at all times in terms of its technical functionality;
- is the most recent version of the app, which we verify by examining how the app changes when it is updated, giving you the reassurance you need whenever an update is performed;
- has received the latest security patches in its updates.
In our App Monitoring service, Deloitte creates a “fingerprint” of the app once the test work on security, privacy and the other issues has been completed. This fingerprint is then continuously monitored against the technical functionality of the app. Deloitte monitors the functionality and potential vulnerabilities of your software version and notifies you immediately if deviations or incidents occur in respect of that version. If an incident, a vulnerability or any other change in the app is discovered, you are alerted by email. You can then use our tailor-made security dashboard to view the details of the alert and to record your follow-up measures. The incidents are then discussed with you and resolved, after which a “new” fingerprint is made and the App Monitoring cycle starts again.
This monitoring service ensures that you and your customers can rely on your app continuing to work the way it should. Our App Monitoring service is offered as a subscription, which also lowers the price charged for the initial test work. This model gives you a complete breakdown of your expenditure for the entire year.
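The page does not say how its fingerprint is built. The example below is an added illustration of the basic idea, not Deloitte's monitoring code: a baseline manifest of per-file SHA-256 digests is taken from a tested release, a single digest over that manifest gives a cheap "has anything changed" check, and a later snapshot is diffed against the baseline to report added, removed and modified files. The app bundle is modelled as a dict of path to bytes so that it runs offline; the file names and contents are constructed for the example and the function names are our own.

```python
"""Baseline fingerprint of an app bundle and deviation detection.

Added illustration only (not Deloitte's App Monitoring product). The
bundle is modelled as a dict of path -> bytes so the example runs
offline; the sample files below are constructed for this example.
"""
import hashlib
import json
from typing import Dict, List


def file_digest(data: bytes) -> str:
    """SHA-256 of one file's contents, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file manifest (path -> SHA-256). Taken once, after the release
    has been tested, and stored as the baseline."""
    return {path: file_digest(data) for path, data in sorted(files.items())}


def bundle_digest(manifest: Dict[str, str]) -> str:
    """One digest over the whole manifest (canonical JSON, sorted keys,
    no whitespace) so that a monitoring run can compare a single value."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def deviates(baseline: Dict[str, str], current: Dict[str, str]) -> bool:
    """Cheap check: does the current bundle still match the baseline?"""
    return bundle_digest(baseline) != bundle_digest(current)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every deviation between the baseline and a fresh manifest."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


# Constructed sample bundle standing in for a tested release (not a real app).
RELEASE_1_0 = {
    "app/main.js": b"console.log('patient portal v1.0');",
    "app/config.json": b'{"api":"https://example.invalid","tls_pinning":true}',
    "lib/crypto.js": b"export function encrypt(d){return d;}",
}

# Constructed later snapshot: the config was tampered with (pinning switched
# off), a tracking script appeared, and the crypto module was dropped.
SNAPSHOT = {
    "app/main.js": b"console.log('patient portal v1.0');",
    "app/config.json": b'{"api":"https://example.invalid","tls_pinning":false}',
    "lib/analytics.js": b"send(navigator.userAgent);",
}


def demo():
    """Run one monitoring cycle: baseline vs. snapshot."""
    baseline = fingerprint(RELEASE_1_0)
    current = fingerprint(SNAPSHOT)
    return deviates(baseline, current), compare(baseline, current)


if __name__ == "__main__":
    changed, report = demo()
    print("deviation detected:", changed)
    print(json.dumps(report, indent=2))
```

In practice the baseline manifest would be stored and signed outside the monitored environment, and the snapshot would be taken from the published package (the store download or the deployed build) rather than from the developer's own tree, so that a tampered release cannot also rewrite the baseline it is compared against.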