Hacking Exposes Security Gaps in Depression App: A Déjà vu Moment

Déjà vu: Hackers reveal security holes in depression app

Zerforschung Collective Discovers Security Flaws in Edupression, Digital Health Application

The Zerforschung collective recently revealed that it found security gaps in the digital health application (DiGA) edupression. Specifically, the team led by IT security expert Lilith Wittmann discovered a security gap “at interfaces” of edupression. They alerted the manufacturer, Sofy GmbH, which quickly closed the gap. According to Handelsblatt, the Austrian data protection authority has nevertheless been notified.

The security flaw allowed the Zerforschung team to gain access to names, customer numbers, e-mail addresses, and health data such as information on medication and mood. The Federal Office for Drugs and Medical Devices (BfArM), responsible for approving prescription-only DiGAs, is now looking into “further requirements for the implementation of the penetration tests.”

Edupression is currently included in the DiGA directory until August 25, 2023, and has over 2,000 testers. Health insurance companies can grant permanent admission after 24 months, provided that the manufacturer proves the app’s effectiveness.

Not the First Time for a DiGA Leak

This is not the first time that security flaws have been found in a DiGA. As early as June 2022, Zerforschung found security gaps in the depression DiGA Novego and in Cankado, a digital diary for cancer patients. As a result, the latter was removed from the DiGA directory on April 21, 2023, since it failed to demonstrate a positive healthcare effect, according to the BfArM.

New Test Criteria for DiGAs and DiPAs

In September 2022, the BfArM released new test criteria for DiGAs and digital care applications (DiPAs), which also require a data protection certificate from the BSI. These measures aim to ensure the safety, security, and effectiveness of digital health applications for patients.

Overall, the discovery of security flaws in edupression highlights the importance of maintaining strong cybersecurity measures in the healthcare sector. As more DiGAs and DiPAs are developed, it is crucial to conduct thorough penetration tests and data privacy assessments to prevent potential data breaches and other security threats.
