Organizations and professionals once debated whether mobile devices could or should be adopted in the healthcare sector. That debate is over: mobile devices are here to stay.
Indeed, according to MobiusMD, 90 percent of physicians already use smartphones to access electronic health records (EHR). MobiusMD further found that 74 percent of patients say using mobile apps, wearables and other mHealth tools helps them cope with and manage their conditions, and that 66 percent of the largest US hospitals offer mobile health apps.
Mobile App Security Implications of HIPAA Compliance
Title II of the Health Insurance Portability and Accountability Act (HIPAA) sets the rules for sharing personal health information and preventing unsanctioned use. Specifically, it covers patient privacy protections and security controls for health and medical records and other forms of Protected Health Information (PHI) and electronic Protected Health Information (ePHI). The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI. The rule is technology-neutral, so an app maker has to map those safeguards onto concrete controls; for a mobile app, the minimum set is secure authentication, data-at-rest encryption and data-in-transit encryption. HHS publishes guidance for mobile health app developers on exactly this mapping.
Secure Authentication in Mobile Health Apps
To protect data in an mHealth app, app makers should first ensure secure authentication to the app itself. At a minimum, the app should require the user to enter a username and password each time it is opened, and it should log the user out after a defined period of inactivity. Preferably, mHealth apps should also use biometric authentication (Face ID or Touch ID) or multi-factor authentication to reach a higher level of assurance. Biometrics are most effective when they unlock a key held in the device keystore rather than merely flipping a flag in the app's UI, so that bypassing the prompt does not expose the data.
Data-at-Rest Encryption in Mobile Health Apps
The second element of data protection is ensuring that all patient information the app stores, not just protected health information, is encrypted at rest. mHealth app makers can achieve this by encrypting everything the app writes inside its sandbox (files, local databases, caches) with AES-256, preferably in an authenticated mode such as AES-GCM, with the key generated in and held by the platform keystore (Android Keystore, iOS Keychain backed by the Secure Enclave) rather than stored next to the data. Strings, resources and in-app preferences can also end up holding patient data, so they need the same treatment.
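As an added example (not code from the original page or from Appdome), the following Go program shows what "encrypt the preferences store with AES-256" looks like in practice: an authenticated AES-256-GCM wrapper around a small patient record, with a fresh nonce per write and the record name bound as associated data. The `PatientPrefs` record and its values are constructed for the example, and the key is generated in process purely so the program runs offline; on a real device it would be generated inside the platform keystore and never exported.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PatientPrefs is a constructed stand-in for the small record an app keeps in
// its preferences store (SharedPreferences on Android, NSUserDefaults on iOS).
type PatientPrefs struct {
	PatientID  string `json:"patient_id"`
	LastVisit  string `json:"last_visit"`
	Medication string `json:"medication"`
}

// newKey returns a random 256-bit key. Generating it in process is an
// assumption made so the example runs stand-alone; on a device the key lives
// in the platform keystore and is never exported.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// sealRecord encrypts one record with AES-256-GCM and returns
// nonce || ciphertext || tag as a single blob that can be written to disk.
// The record name is bound as associated data, so a blob copied from one
// preference key to another fails to authenticate.
func sealRecord(key []byte, recordName string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh nonce per write; never reuse under one key
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordName)), nil
}

// openRecord reverses sealRecord. A modified blob, a wrong key or a different
// record name produces an authentication error, never silently garbled data.
func openRecord(key []byte, recordName string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordName))
}

// roundTrip stores and reloads a record, and also confirms that a bit-flipped
// copy and a copy relabelled under another record name are both rejected.
// It returns the recovered record and whether both rejections held.
func roundTrip(key []byte, prefs PatientPrefs) (PatientPrefs, bool, error) {
	var out PatientPrefs
	pt, err := json.Marshal(prefs)
	if err != nil {
		return out, false, err
	}
	blob, err := sealRecord(key, "patient_prefs", pt)
	if err != nil {
		return out, false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the GCM tag
	_, tamperErr := openRecord(key, "patient_prefs", tampered)
	_, relabelErr := openRecord(key, "other_prefs", blob)
	rejected := tamperErr != nil && relabelErr != nil
	dec, err := openRecord(key, "patient_prefs", blob)
	if err != nil {
		return out, rejected, err
	}
	err = json.Unmarshal(dec, &out)
	return out, rejected, err
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	in := PatientPrefs{PatientID: "P-1001", LastVisit: "2024-03-01", Medication: "metformin"}
	out, rejected, err := roundTrip(key, in)
	fmt.Printf("recovered=%+v tamper_and_relabel_rejected=%v err=%v\n", out, rejected, err)
}
```

The two negative checks in `roundTrip` are the point of choosing GCM over a bare AES mode: an attacker who can edit the app's files gets an error, not a plausible-looking but altered medication record.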
Data-in-Transit Encryption in Mobile Health Apps
Finally, app makers should ensure that the mobile health app talks to its backend servers only over TLS, so that patient data sent or received cannot be read or altered by a man-in-the-middle or other network-based attack. TLS alone is not enough: the app should validate the server's certificate chain properly (no disabled hostname checks or "trust all" trust managers), and preferably pin the backend's public key so that a certificate issued by a compromised or rogue CA is still rejected. Where mutual TLS is used, the client certificate must be protected and validated with the same care.
The Cost of a HIPAA Breach
Fear of a HIPAA breach is rising, fueled by a spate of high-profile penalties such as the $1.2 million settlement between the OCR and a Boston specialty hospital after a physician's laptop holding ePHI was stolen, and the $1.7 million settlement between the OCR and the Alaska Department of Health and Social Services after a USB drive holding ePHI was stolen. In response, some CIOs in the healthcare sector are moving to lock down mobile devices, and with them to significantly limit access to ePHI and other confidential data. Yet while this approach addresses the compliance need, it creates two difficult and potentially intractable problems: surging patient demand, and circumvention via BYOD.
With respect to the first problem, the drive towards accessing and transmitting ePHRs is not driven exclusively by physicians and other healthcare professionals; patients are also looking to reap the benefits. As noted in the Frost & Sullivan white paper Moving Beyond the Limitations of Fragmented Solutions, "as our healthcare system transitions to electronic health records (EHR), consumers are demanding digital access to personal health information." Any move to limit the accessibility and sharing of ePHRs will therefore prevent this patient demand from being met.
And with respect to the second problem, while IT staff can lock down corporately-owned devices, they have no way to maintain total control over personally-owned devices (BYOD), and even partial control raises user privacy concerns. Nor, frankly, is such control a practical expectation. As Ken Congdon, the editor-in-chief of Health IT Outcomes notes: “Unlike other IT initiatives that are the brainchild of the IT department or driven by federal incentives, the BYOD movement is being propelled by the end users themselves — namely doctors and nurses. An overwhelming number of clinicians want to use their own mobile devices (e.g. tablets, smartphones) on the job. Denying these caregivers a means to do so in line with IT policies will only encourage some to sidestep IT roadblocks and use personal devices haphazardly. Better to find a way to address the BYOD demand as securely as possible, than to stand in the path of the avalanche”.
Given the above, healthcare sector CIOs appear stuck between the proverbial rock and a hard place. On the one hand, they wisely fear the consequences of a HIPAA breach, which could bring heavy fines and long-term reputational damage. On the other hand, locking down devices to block access to files flies in the face of physician and patient demand, and pushes staff towards BYOD workarounds that could ironically cause data leakage rather than prevent it.
However, the problem only appears unsolvable: CIOs have an option that lets them have both compliance and productivity, rather than one at the expense of the other.
Appdome Helps Healthcare Organizations Achieve HIPAA Compliance While Protecting Patient Data
Healthcare providers use Appdome's no-code mobile security and development platform to add a full suite of mobile app security, privacy, data protection and compliance features to iOS and Android apps without writing code. This gives mobile apps the security controls needed to protect user and patient data and to meet HIPAA requirements, as well as those of other regulations.
Healthcare organizations retain complete control over ePHI on mobile devices so they can identify and thwart misuse, and fully comply with the HIPAA Security Rule.
Doctors and other healthcare professionals, along with authorized agents, brokers and members get access to ePHRs they need on any mobile app, and they can rest assured that patient data is protected.