Health app: Despite approval, security gaps in the app on prescription

Security researchers have discovered several security flaws in the Velibra health application. The Federal Institute for Drugs and Medical Devices (BfArM) recently found the app, which is supposed to help patients with anxiety and panic disorders, safe and approved it for a prescription at the expense of health insurance companies. Apparently there was no real check.

Security researchers Martin Tschirsich and André Zilch examined the web app shortly before Velibra was officially included in the directory of digital health applications (DiGA). By entering an e-mail address into the password reset function, Tschirsich was able to find out whether that address was registered with the service. This makes it possible to determine, for example, whether a given person is using the service and therefore presumably suffers from a psychological condition.

Accounts were easy to take over

More seriously, the account reset code sent to the registered e-mail address was only four characters long and remained valid for 24 hours. Unauthorized persons could have taken over the account of the affected person simply by guessing the short code through trial and error.

The user names and e-mail addresses of registered persons could also be queried via an API without authentication. According to Tschirsich, even the DiGA vouchers that health insurers issue for use of the service could be viewed, both used and unused ones. Velibra's manufacturer Gaia AG fixed the security gaps immediately after being notified. A pentesting company commissioned beforehand had neither discovered nor warned of the obvious security gaps.
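The two reset-flow weaknesses described above (an enumerable e-mail check and a four-character code valid for 24 hours) are both addressed by the same small design. The following is an added illustration, not code from Velibra or Gaia AG; the 128-bit token, 15-minute lifetime, five-attempt limit and the `_send_mail` stand-in are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

RESET_TOKEN_BYTES = 16       # 128-bit random token instead of a four-character code
RESET_TTL_SECONDS = 15 * 60  # 15-minute lifetime instead of 24 hours
MAX_ATTEMPTS = 5             # lock the pending reset after a few wrong guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible codes; 36**4 for a four-character alphanumeric code."""
    return alphabet_size ** length


@dataclass
class ResetEntry:
    token: str
    expires_at: float
    attempts: int = 0


class PasswordResetService:
    def __init__(self, registered_emails, clock=time.time):
        self._users = set(registered_emails)
        self._pending: dict[str, ResetEntry] = {}
        self._clock = clock  # injectable so expiry can be tested offline

    def request_reset(self, email: str) -> str:
        # Identical response whether or not the address exists: no enumeration oracle.
        if email in self._users:
            token = secrets.token_urlsafe(RESET_TOKEN_BYTES)
            self._pending[email] = ResetEntry(token, self._clock() + RESET_TTL_SECONDS)
            self._send_mail(email, token)
        return "If that address is registered, a reset link has been sent."

    def _send_mail(self, email: str, token: str) -> None:
        pass  # stand-in for the real mail delivery

    def redeem(self, email: str, candidate: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._clock() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[email]  # expired or locked out: discard the token
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.token, candidate):  # constant-time comparison
            del self._pending[email]  # single use
            return True
        return False
```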

Does the BfArM even check?

From the security researchers' point of view, it is even more serious that the BfArM does not examine digital health applications even superficially. According to the DiGA regulation, no data may be transferred to the USA without the Privacy Shield, not even under standard contractual clauses, yet Velibra had integrated external fonts and a bug-reporting tool from the USA.

According to Handelsblatt, the BfArM does not consider itself responsible. As prescribed by law, it checks the manufacturer's information only for plausibility: "In the case of false information, consequences such as deletion from the directory must be expected," the authority told Handelsblatt. The Federal Ministry of Health simply did not equip the Federal Institute for extensive testing of data protection and security.

"When it comes to pharmaceuticals, you don't rely on the manufacturer's information, you ask for evidence," criticized Tschirsich. He hopes that in future the BfArM will fulfill its function as a manufacturer-independent inspection body, for example through internal or external audits of health applications. That would be an opportunity to restore some trust, security and data protection in a health app market plagued by data protection problems and security gaps.