Health Tech & DiGA

Digital health apps / digital care apps · BSI TR-03161 · SaMD · Cloud-native

Cybersecurity for Health Tech & DiGA

DiGA manufacturers, DiPA providers, telemedicine platforms, and health SaaS companies combine young tech architectures with especially strict regulatory requirements. BfArM listing, BSI TR-03161, SaMD compliance, NIS2, and GDPR at the same time — at startup and scale-up speed. We deliver awareness, phishing simulation, vulnerability management, and managed SOC that fit cloud-native, CI/CD-driven development realities.

THE REALITY

Startup speed meets enterprise regulation.

Health-tech companies move with weekly releases, cloud-native architectures, and agile teams — and at the same time must comply with the strictest regulations outside the financial sector. Traditional security offerings do not scale culturally or operationally. At the same time, an incident at a DiGA is an existential event: BfArM listing, partner contracts, and user trust are at stake.

TR-03161

BSI Technical Guideline for eHealth applications — mandatory for BfArM listing, with specific requirements for architecture, authentication, and cryptography.

Class IIa+

Many DiGA qualify as software as a medical device — meaning the MDR applies with its own cybersecurity requirements and reporting obligations.

3 regimes

parallel obligations under DVG/DVPMG, MDR and NIS2 — with partly conflicting reporting deadlines and documentation requirements.

Sources: BfArM DiGA directory · BSI TR-03161 · DVG · DVPMG · MDR (EU) 2017/745 · NIS2UmsuCG.

Regulatory context

Three regimes, one product — and all three require proof.

A typical digital health platform is assessed simultaneously under BfArM product rules, under the MDR as a medical device, and under NIS2 as part of the healthcare sector. Each regime creates its own evidence requirements — but they all rest on the same technical foundations: secure architecture, documented risk management, incident response.

01 · DiGA / DiPA

BfArM listing & BSI TR-03161

DiGA under Section 33a SGB V and DiPA under Section 40a SGB XI must be listed in the BfArM directory. Part of the listing requirements: data protection and data security in accordance with BSI TR-03161, GDPR-compliant processing, and proof of medical evidence. Re-audits are conducted regularly; in the event of deficiencies, delisting is possible — with a direct loss of revenue.

02 · MDR / SaMD

Software as a medical device

Most digital health applications (DiGA) are medical devices under MDR (EU) 2017/745, usually at least Class IIa. This means that the essential requirements, including IT security, from Annex I apply, as do the MDCG 2019-16 Cybersecurity Guidance, post-market surveillance obligations, and safety reporting to the BfArM and notified bodies within tight deadlines.

03 · NIS2

Important entity

Digital health providers fall under NIS2 via two routes: DiGA manufacturers as manufacturers of medical devices (Class IIa+) under Annex 1 of the BSIG; telemedicine and healthcare SaaS providers as providers or suppliers of healthcare services. From 50 employees, or €10 million in annual turnover and balance sheet total, the obligations under § 30 BSIG (ten risk management measures), § 32 BSIG (24h/72h/30-day reporting requirements), and § 38 BSIG (personal liability of management) apply. For important entities, fines under § 65 BSIG reach up to €7 million or 1.4% of revenue.

Legal sources: § 33a SGB V (DiGA entitlement) · § 139e SGB V (DiGA directory) · § 40a SGB XI (DiPA entitlement) · DVG · DVPMG · BSI TR-03161 · MDR (EU) 2017/745 · MDCG 2019-16 · NIS2UmsuCG · GDPR Articles 9, 32, 33.

TYPICAL ATTACK SCENARIOS

The attack patterns that digital health products are really exposed to.

Cloud-native architectures, open APIs and direct patient access create attack surfaces that traditional healthcare security approaches do not address. The typical patterns are now well documented — and call for tech-native countermeasures.

OUR SOLUTIONS

Security built into the development workflow.

Four services that don’t slow down engineering velocity, but protect it. Awareness for development, phishing for everyone, vulnerability management for cloud infrastructure and applications, SOC monitoring for production.

Continuous training

Phishing Simulation as a Service

Tech-native lures: fake GitHub security alerts, AWS billing emails, investor due diligence requests, fabricated bug bounty reports. Measurable metrics per team, CSV export for compliance reports. Continuous evidence trail for ISO 27001 and NIS2 audits.

Employee Resilience

Security Awareness Training

Role-based content for Engineering, Product, QA, Customer Success, Compliance, and Sales. Developer modules on secure coding, secrets management, dependency hygiene, and CI/CD security. Compliance evidence for BfArM listing, NIS2, and ISO 27001.

Know the attack surface

Vulnerability Management

Continuous discovery for cloud infrastructure (AWS, Azure, GCP), container images, dependencies, and external attack surface. Prioritization based on exploit availability and business criticality — not on CVSS score alone. Integration into your Jira, Linear, or GitHub issue workflows.

24/7 Managed SOC

Incident Detection & Response

Detection for cloud audit logs, API anomalies, credential stuffing patterns, and unusual developer activity. Monitoring of the entire AWS/Azure control plane, integration with Office 365, Okta, and GitHub. Ready-made GDPR Article 33 notifications, and BfArM and notified body templates for MDR cases.

WHY ENTROPY CS

The security partner for digital health that speaks the language of tech.

Generic healthcare security providers don’t understand Kubernetes clusters. Generic DevSecOps providers don’t know DiGA requirements. We are deliberately built for the overlap.

Engineering-compatible

We integrate into your existing dev workflows—Jira, Linear, GitHub, Slack—instead of building parallel tool stacks. Findings are prioritized and automatically routed; your team stays in flow instead of jumping between dashboards.

Regulation as a feature

We address BfArM listing, ISO 27001, MDR, and NIS2 in parallel. The evidence from our services is formatted to be audit-ready — instead of spending weeks preparing for the re-audit at the last minute.

Scale-up-ready

We start lean and grow with you. Seed stage gets what seed stage really needs; Series A and B get expanded scope without changing providers. Scalability as a built-in principle, not an afterthought.

Answers specifically for Health Tech & DiGA.

The questions we regularly hear from CTOs, CISOs, VPs of Engineering, and Compliance Officers at digital health companies.

We are still pre-revenue / seed stage. Do we already need this?

Does NIS2 apply to us as a purely tech company?

We conduct a pentest once a year. Isn't that enough?

How do you work with our ISO 27001 consultant?

Our developers are against "security theater". How do you win them over?

How much does that cost for a typical health-tech startup?

FREE RISK ASSESSMENT

30 minutes. An honest picture of your security posture.

Every conversation begins with a free risk assessment — 30 minutes, no obligation. You will then receive a written report with your cybersecurity maturity level, risk areas, and immediate measures.
