Data Privacy and Security in Digital Therapeutics Development


Voluntis’ Chief Information Security Officer (CISO), Dominique Burey, and Marie Roca, our Data Protection Officer (DPO), discuss some frequently asked questions about cybersecurity and data privacy for digital therapeutics (DTx).

Can you describe your role at Voluntis?

Marie: As DPO, my work consists of applying the General Data Protection Regulation (GDPR), which is the European Union’s regulation for data privacy, within the company and assisting our internal experts in the application of this regulation. My role is a bit different in the United States, where overall data protection laws are not as strict as GDPR, but health data is protected under the Health Insurance Portability and Accountability Act (HIPAA).

Dominique: As CISO, I oversee all security aspects at Voluntis, including product security and Voluntis’ Information System security. I guarantee the security of our production environment, our internal IT infrastructure and of the daily data of Voluntis’ employees.

Why are data privacy and security crucial for DTx?

Dominique: As DTx solutions manage health data, data privacy and security are key, not just because of the sensitive, personal nature but also to protect the data from being hacked.

Marie: It is necessary to put data security at the heart of our products, so we have developed our “privacy-by-design” approach to guarantee a high level of protection of our users’ data.

Dominique: Given the architecture of our solutions, which are mobile applications linked to a web portal, some data will be transmitted over the Internet and through non-trusted domains. Therefore, we need to carefully manage the security of our solutions to avoid data being hacked or disclosed.

What are the risks for the users?

Dominique: There are 3 types of risk:

  • The first is related to data integrity. Data could be modified, leading to a medical risk for the patient; for example, entering wrong data could lead to an incorrect dosage.
  • The second is related to confidentiality. An unauthorized or untrustworthy person could access data that is not properly secured. If personal data were to fall into the wrong hands and be misused, this could affect our users in their daily lives – for example, they could be denied a bank loan or insurance.
  • The third is related to availability. An untrustworthy person could launch an attack on the patient app or healthcare professional web portal to make them unusable or inaccessible for a given period of time. This could also lead to medical risk if, for example, a physician cannot interact with a patient.

Marie: This is why our privacy-by-design approach is so important. Not only does it address the privacy and security of user data, but it also ensures that a DTx solution is available when patients need it.

How do you integrate security and data privacy into DTx?

Marie: There are two important aspects of this. On one hand, we integrate GDPR requirements such as establishing the terms of use and privacy policy, obtaining the consent of users to store and use their data, and informing them on how long data will be retained and on what we will do with it. Within the company, we also create and implement processes to check that we are compliant with the regulation.

Dominique: On the other hand, we monitor all data flows and detect potential cybersecurity vulnerabilities. We then determine mitigations that will considerably reduce the risk of exploiting these vulnerabilities. In concrete terms, these mitigations can be:

  • New lines of code.
  • New elements of the user manual.
  • Improvement or implementation of internal policies such as setting up a data backup or checking the logs.
  • Making sure our suppliers meet the appropriate regulatory compliance and cybersecurity requirements.

Considering security and data privacy, what makes a DTx safe?

Marie: A safe digital therapeutic is a DTx that is fully compliant with GDPR, as well as all cybersecurity and data privacy processes to maximize product security. At Voluntis, this means documenting all product development processes and incorporating a deep test phase where all requirements are checked.

Dominique: We follow the same process for cybersecurity. All mitigations that have been put in place to limit breakage are verified by manual testing, code review or vulnerability scan to check that all the vulnerabilities detected have been addressed and therefore no longer exist. We also work with a third-party company to hack our products and thus get inside the software. This is called “pen-testing”, and it reassures us that our products are protected against all types of threats.

Marie: At Voluntis, we consider patient safety foremost in everything we do. We apply ISO 14971 for medical device risk management and IEC 62304 for software development lifecycle management. Our Quality Management System is one of our strengths as well: our QMS is certified ISO 13485 for Medical Devices, it is audited every year by our notified body, and through our Medical Device Single Audit Program (MDSAP) certification it is recognized in several countries, including Canada and the United States. These certifications demonstrate the robustness of our internal QMS and the importance we place on quality and safety in our products. But that’s not all. Our privacy-by-design approach is also a key differentiator for us because we focus our attention on HIPAA and GDPR compliance throughout the product lifecycle. At Voluntis, security is top of mind for each and every DTx solution we create.
