es.te services GmbH is a service company active throughout Germany in the health, sport and exercise market. Its main focus is on providing consultancy and support services and developing assistive technology for the rehab sport segment.
Rehab sport is a medico-rehabilitative service incorporated in the German Social Code in 1974 and since funded by health insurance schemes. People with physical and mental impairments are entitled to up to 50 training sessions to boost their strength and stamina and improve their flexibility and coordination.
Over this period the aim is to strengthen the rehab patient’s sense of personal responsibility so that he or she is motivated to keep it up and exercise on a long-term basis. Since 2001 all insured persons in Germany have been legally entitled to the provision of rehab sport.
Since 1999 es.te services GmbH has developed industry software that has grown into an entire product family – RESI | REHASPORT SIGNATUR MANAGEMENT.
A keystone of RESI is the RESIsign signature system, which captures the rehab patient’s proof of attendance on a signature pad and processes it digitally. This proof of attendance is required for billing the health insurance provider.
Customer confidence in an organisation’s performance and integrity is particularly important for a company’s success. The existence and security of information is an important building block in relation to trust and to the fulfilment of business and compliance requirements.
As a result of increasingly dynamic markets and the further development of norms such as GDPR, companies face more exacting security standards in information and communication technology. These technologies offer opportunities but are always accompanied by risks. To make optimal use of the opportunities, the risks that come with them must be identified, evaluated and made manageable for the company.
That is the only way in which optimal use can be made of information and communication technology by providing the company’s business processes with measurable and perceptible added value (such as by means of a PDCA model).
Security of information technology is a priority and a strategic objective at es.te services GmbH. To come closer to this target, the RESIsign signature system was to be checked for security and certified. The system, XenApp, is an application hosted on Citrix.
It was to be a graduated procedure, starting with a purely technical audit of the signature system and its related backend components.
For Trusted Device certification a graduated version of the Trusted Application certification was used. As part of the Trusted Application audit, checks are undertaken in the categories of security management, operation, technical security and data protection. The catalogue of requirements is based on various standards and statutory specifications, such as ISO 27001, German data protection law and ISO 27033, along with criteria of TÜV TRUST IT’s own and standard information security best practices.
The Trusted Device certification process consists of several steps. They include an analysis of the infrastructure and services and of the application as both an unauthorised and an authorised user. In addition there is an analysis of the internal infrastructure. These sub-scenarios are used to simulate the classic threat from the Internet. For the analysis both publicly accessible tools and TÜV TRUST IT tools were used. All tool-based results are verified manually in order to eliminate possible false positives.
es.te services GmbH sought to ensure by means of the security test that there were no relevant vulnerabilities when using the RESIsign signature process, thereby ensuring end customer confidence.
Following a successful RESIsign test of the signature process the RESIsign system was awarded the Trusted Device certificate.
“We were most impressed by the input that es.te services GmbH provided. The findings were acted on swiftly and reliably using the measures recommended,” said Stefan Möller, Head of Sales at TÜV TRUST IT.
Thomas Roth, RESI project manager at es.te services GmbH, had this to say about the collaboration with TÜV TRUST IT: “We were delighted by how smoothly the certification progressed, by the competence and by how consistently pleasant communication was. We are absolutely satisfied with the outcome.”
“No vulnerabilities were identified in the course of certification that could possibly have compromised secure transmission of rehab sport data,” said TÜV TRUST IT consultant Mohammad-Kheri Murad.