Zum Hauptinhalt springen

BSI TR-03161

The Technical Guideline TR-03161 from the German Federal Office for Information Security (BSI) imposes rigorous security requirements on applications in the German healthcare sector, specifically defining security requirements for digital health applications (DiGA) and related mobile, web, and backend services.

azuma nori ships with pre-configured, agentic compliance matrices explicitly designed to analyze source code against BSI TR-03161 targets. Our system automates the validation of all three parts of the TR, bridging the gap between regulatory requirements and technical implementation.

Overview of TR-03161 Parts

The guideline is structured into three main parts, covering different layers of a typical modern healthcare application stack. Below is a general overview of each part and how azuma nori helps ensure compliance.

Part 1: Security Requirements for Mobile Applications

Part 1 specifically targets iOS and Android mobile applications integrating into the healthcare ecosystem.

  • Core Requirements: Covers secure storage of sensitive data on the device, secure communication from the mobile client, prevention of data leakage through UI or backups, and device attestation/binding.
  • Automated Validation: azuma nori verifies that mobile implementations correctly utilize OS-level secure enclaves (Keychain for iOS, Keystore for Android) for sensitive data. It also checks for the correct implementation of hardware attestation and secure device binding flows as mandated by the TR.

Part 2: Security Requirements for Web Applications

Part 2 defines the baseline security requirements for web applications and their APIs.

  • Core Requirements: Mandates strict network boundaries, robust authentication (such as OpenID Connect with strong factors), session management, and secure communication channels (TLS).
  • Automated Validation: azuma nori validates that architectural boundaries defined in Infrastructure-as-Code (IaC) or configuration files align with BSI isolation requirements, and ensures proper integration with IDPs (like azuma doa).

Part 3: Security Requirements for Backend Systems

Part 3 evaluates the secure implementation of backend systems, with a heavy focus on cryptographic operations.

  • Core Requirements: Demands the exclusive use of vetted and approved cryptographic algorithms (referencing BSI TR-02102-1), secure key generation, secure random number generation, and correct implementation of hashing and encryption.
  • Automated Validation: Our sub-agents scan your internal dependencies and file implementations to confirm that vetted libraries (e.g., specific BCrypt distributions, OpenSSL) are exclusively used. If ad-hoc hashing algorithms or custom symmetric encryptions are identified in the scope, the system immediately flags them as non-compliant against O.Cryp_2. The exact line numbers and imports used for cryptographic operations are mapped back to the TR-02102-1 guidelines within the final assessment report.

Automating Compliance

By automating TR-03161 checks directly on the developer's workstation, software manufacturers can continuously ensure compliance with BSI requirements, vastly reducing the time and cost required before undergoing formal certification audits.