Security requirements in health applications

Author: Oficina DPD   /  14 of October of 2021

The Office of the Data Protection Officer is providing Healthcare organizations with a new document to verify and guarantee that health applications that deal with personal data meet the minimum and desirable requirements in terms of information security.

In accordance with the provisions of Royal Decree 3/2010, of 8 January, which regulates the National Security Framework (ENS) in the field of Electronic Administration, the preventive measures indicated in the guide CCN-STIC 857 Security Requirements for eHealth Applications.

It also proposes measures in accordance with the criteria of the  Open Web Application Security Project(OWASP), with the aim of ensuring both service availability and the integrity, authenticity, confidentiality and traceability of information.

Finally, it also includes a series of recommendations to mobile application developers on Data Protection and Privacy matters, extracted from the ENISA report called  proPrivacy and dataprotection in mobile applications.

The requirements as a whole are structured around 10 security objectives to be met by the manufacturers of the technological product:

  1. Final application testing
  2. Architecture testing
  3. Source code testing
  4. Third-party software testing
  5. Cryptography testing
  6. Authentication testing
  7. Data storage and protection testing
  8. Network communication testing
  9. Platform-specific interaction testing
  10. Resilience testing

The result of the evaluation in accordance with the proposed objectives is collected automatically in an executive summary generated by the tool itself, available in the Resources and documentation section of the Office of the DPO website.

For more information and inquiries contact