Unprotected Patient Data: Security Gaps in Healthcare Apps


Status: 06/16/2022 05:12

Since October 2020, health insurance funds have also had to pay for digital health apps, although their benefit is often in doubt. According to research by NDR and WDR, users of some of these apps were also able to access the data of other patients.

By Svea Eckert and Markus Grill, NDR / WDR

When digital health apps were launched in October 2020, the then Health Minister Jens Spahn (CDU) called them a “world first”: Germany was “the first country to have apps on prescription”. Although still little known, patients have since been able to get from their doctor not only a prescription for drugs but also a prescription for a health app, which they then redeem with their health insurance fund. The fund issues an activation code for the prescription, which the patient types into the app and can then use free of charge.


Rely only on the manufacturer’s information

Unlike some politicians, many experts are not at all enthusiastic about the apps. The main sticking points so far have been the lack of evidence of benefit and the high prices charged by the app makers. The Federal Institute for Drugs and Medical Devices (BfArM) has to check the apps before they can be reimbursed. However, as the BfArM admits, this is not a “technical check of its own” but only an examination of the documents submitted by the manufacturers. Gerhard Schillinger, medical expert at the AOK Federal Association, criticizes: “The data protection requirements specified by the legislator were too low. You have to rely solely on information from the manufacturer.”

There are now 31 digital health apps (DiGAs) that doctors can prescribe at the expense of the health insurance funds. Most of them are said to help with depression and behavioral disorders. On average, each app costs the health insurance fund 428 euros, and not once but per quarter.

Huge vulnerabilities in two apps

Computer experts from the volunteer collective “zerforschung” have now discovered huge security holes in at least two of these apps. They notified the app makers immediately after the discovery. The manufacturers admitted the problem to NDR and WDR and assure that the gaps have since been closed. The data protection authorities of North Rhine-Westphalia and Hamburg are aware of the cases, as is the BfArM.

One of the vulnerabilities concerns the app “Novego: Coping with Depression”. Until recently, a user of this app who wanted to download their data could change their user ID number and thereby obtain the email address and username of other patients. Chief Executive Norbert Paas assures that the gap was technically closed three hours after the “zerforschung” team informed his company of the vulnerability.
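The flaw described above is a textbook insecure direct object reference (IDOR): a data-export endpoint trusts a user ID supplied by the client instead of the identity established by the session. The following Python sketch is an added illustration and is not code from Novego, zerforschung or the NDR/WDR report; the endpoint shape, the record fields and the two constructed sample users are assumptions chosen to show the vulnerable pattern next to its hardened form and the check a defender would log on.

```python
"""IDOR in a data-export endpoint: vulnerable pattern, hardened form, detection hook.

Added illustration, not code from the app or the report. Endpoint shape,
record fields and users are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed sample records (not real patients, not real data).
PATIENTS = {
    1001: {"email": "a.example@example.invalid", "username": "alice"},
    1002: {"email": "b.example@example.invalid", "username": "bob"},
}


@dataclass(frozen=True)
class Session:
    """What the server knows about the logged-in user, taken from a
    validated session cookie or token, never from a request parameter."""
    user_id: int


class Forbidden(Exception):
    """Raised when a caller asks for a record they do not own."""


def export_data_vulnerable(session: Session, requested_user_id: int) -> dict:
    """The flawed pattern: the record is selected purely by the ID the client
    sent. Any logged-in user can read any record by changing that number."""
    return PATIENTS[requested_user_id]


def export_data_hardened(session: Session, requested_user_id: int) -> dict:
    """Object-level authorization: a record may only be read by its owner.
    'Not yours' and 'does not exist' get the same response so that the
    endpoint does not reveal which IDs are valid."""
    if requested_user_id != session.user_id or requested_user_id not in PATIENTS:
        raise Forbidden("not authorized for this resource")
    return PATIENTS[requested_user_id]


def export_own_data(session: Session) -> dict:
    """Better still: derive the ID from the session and accept none from the
    client, so there is no parameter to tamper with."""
    return PATIENTS[session.user_id]


def is_denied(session: Session, requested_user_id: int) -> bool:
    """True if the hardened endpoint refuses the request."""
    try:
        export_data_hardened(session, requested_user_id)
    except Forbidden:
        return True
    return False


def is_idor_attempt(session: Session, requested_user_id: int) -> bool:
    """Detection hook: a mismatch between the session identity and the
    requested object ID is the signal to log and alert on, whether or not
    the request was ultimately blocked."""
    return requested_user_id != session.user_id
```

The design point is that the hardened version does not add a check on top of the client-supplied ID so much as refuse to let the client pick the object at all; where an ID must be accepted (for example, a shared record), it is compared against the session identity server-side, and every mismatch is worth recording as an access-control probe.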

Patient data could also be accessed via the Cankado app, which was developed for women with breast cancer. In a written statement to the BfArM, CEO Timo Schinköthe admits “a specific but unexploited security risk”. However, only “the abstract risk situation should be classified as high”. According to internal research, nobody apart from the “zerforschung” team had accessed this security gap in the past 500 days.

The app hasn’t made any profits so far

Schinköthe’s app for people with breast cancer costs EUR 499.80 per quarter. However, he states that it is “a purely subsidized business” and that the company “has not yet recouped the direct costs” that developing the app incurred. This is probably also due to the low number of users so far: Schinköthe explains that only around 300 patients have been prescribed the app to date.

At the end of last year, the Central Association of Statutory Health Insurance Funds had to submit a first budget report on the new DiGAs to the Bundestag. According to the report, the apps caused total costs of only twelve million euros in the first year, but only 50,000 patients had been prescribed an app, out of a total of 73 million people insured with the statutory health insurance funds. However, the health insurers fear that apps are mainly being developed for diseases that are “associated with a high prevalence”, that is, that are widespread, such as obesity, anxiety disorders, sleep disturbances, or headaches.

Questionable pricing policy

Above all, the pricing policy seems questionable. For example, the BfArM notes “sometimes large price increases” for apps that were already on the market once they are reimbursed by the health insurance funds. “The prices are completely utopian,” agrees Gerhard Schillinger of the AOK Federal Association. “Some apps have increased their prices tenfold.” A migraine app, for example, previously cost €64.99; the price charged to health insurers was then raised to €879.96 per year, AOK reports.

The app law, for which Spahn is responsible, allows manufacturers to set the price entirely freely in the first year, similar to new drugs. Manufacturers do not have to prove how expensive the development was, nor what additional therapeutic benefit the app actually provides. Only after that first year do manufacturers therefore have to demonstrate the benefit and agree a reasonable price with the health insurance funds.

“So far, however, all remuneration negotiations for the DiGAs that have been permanently included in the BfArM directory have failed,” the AOK Federal Association said on request. An arbitration board therefore had to set the prices, and in each case the price of the app was significantly reduced. The Somino app for anxiety disorders now costs only 225 euros per quarter instead of the previous 464 euros. For the Velibra app, which is meant to help with anxiety and panic disorders, the manufacturer now receives only 230 euros instead of the previous 476 euros. And the price of the Elevida app, designed to help patients with multiple sclerosis, was reduced from €744 to €243 per quarter.

Health insurers see no transparency

In her report to the Bundestag, Stefanie Stoff-Ahnis, board member of the Central Association of Health Insurance Funds, criticizes the fact that the health insurance funds have to finance apps even if “there is no evidence”. How the prices demanded by the manufacturers come about is “completely unknown and not transparent,” the report says. “Manufacturers have the opportunity to set any price, which does not have to be proportional to the positive effect on care brought about by the digital health application.”

Many new drugs are expensive in Germany too. But they at least have to be assessed by the Institute for Quality and Efficiency in Health Care (IQWiG), and the price the pharmaceutical companies receive is then measured against the extent of the actual benefit to patients. On request, however, IQWiG states that it has not yet received a single commission from the ministry to evaluate a DiGA.

Vulnerabilities in health apps

Marcus Engert, NDR, June 16, 2022 7:15 am
