If a confidential conversation is required, the parties involved usually look for a protected space to ensure that they can communicate with each other undisturbed. What is self-evident in the real world should not be ignored on the World Wide Web. Nevertheless, many people use video services that were developed outside the EU and do not meet the requirements of the European General Data Protection Regulation (EU GDPR). For this reason, the company Meedio has set itself the goal of developing a European video consultation solution and thus creating a place where people can meet in complete security, even in the digital space. Meedio has entrusted TÜVIT with the testing and certification of the solution in order to be able to objectively prove compliance with data protection and information security.
The certification of the video consultation solution was accompanied by extensive requirements. These are set out in Annex 31b of the Federal Medical Practitioners' Contract (Bundesmantelvertrag-Ärzte; BMV-Ä) and serve as a basic condition for being listed as a certified video service provider by the National Association of Statutory Health Insurance Physicians (Kassenärztliche Bundesvereinigung; KBV). As a result, Meedio had on the one hand to provide independent proof of data protection. To this end, the TÜVIT experts examined the processing operations of the video service in accordance with Article 42 GDPR, based on an exemption in Annex 31b BMV-Ä. In this context, they examined, among other things, the principles, lawfulness and security of data processing, as well as the process documentation and the rights of data subjects.
In addition, the information technology security of the solution was also put on the test bench in accordance with Annex 31b BMV-Ä. As part of this, the IT security experts first carried out penetration tests to evaluate the existing security measures. This was followed by an audit using TÜVIT's own Trusted Site Video Consultation (TSVC) testing and certification process, which was used to inspect the IT infrastructure relevant to video communication. The main focus here was on the technical and organizational measures for transmission and the underlying encryption. For example, the experts checked whether data could be viewed or stored contrary to the specifications.
Meedio's video consultation solution successfully met all test criteria in terms of both data protection and information technology security. As a result, the video service provider received two certificates at once: According to Article 42 GDPR as well as according to TSVC. At the same time, Meedio meets the requirements that the KBV places on a certified video service.
"With Meedio, we have tested and certified a video service provider for the first time whose solution can be used not only in the healthcare sector, but also across all industries," says Tobias Mielke, Technical Expert Management Systems (Data Protection and Information Security) and Senior Consultant Business Security & Privacy at TÜVIT. "The fact that data protection and privacy are particularly important in that context is now confirmed by the two certificates issued."