According to MobiusMD, there are over 350,000 mHealth apps available in major app stores, a number that includes medical as well as wellness, health and fitness apps. The number of available apps has roughly doubled since 2015, driven by increased smartphone adoption and ongoing heavy investment in the digital health market. MobiusMD also found that 87 million people in the US used a health or fitness app monthly in 2020. That’s about 30% of adult smartphone owners, a share that’s expected to remain relatively stable over the next three years.
And MobiusMD also noted that most smartphone users have used their device to gather health-related information, with Pew Research Center putting that number at 62%, making mHealth a more common smartphone activity than online banking (57%), job searches (42%) or accessing school work or educational content (30%).
So roughly 1 in 3 adult smartphone owners in the US uses an mHealth app at least once a month, and many of those apps collect some level of protected health information (PHI). That’s a lot of apps that have to be HIPAA compliant. One caveat worth keeping in mind: HIPAA itself binds covered entities (providers, health plans, clearinghouses) and their business associates, so an app offered by or on behalf of one of them is in scope, while a standalone consumer wellness app usually answers to the FTC instead. The engineering controls described below are the same either way.
Mobile App Security Implications of HIPAA Compliance
Title II of the Health Insurance Portability and Accountability Act (HIPAA) sets the rules for sharing personal health information and preventing unsanctioned use. Specifically, it covers patient privacy protections and security controls for health and medical records and other forms of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic protected health information. For mobile apps specifically, the technical safeguards most directly in play are secure authentication, data-at-rest encryption and data-in-transit encryption; each is covered below. HHS has published useful resources for mobile health app developers.
Secure Authentication in Mobile Health Apps and Mobile Wellness Apps
In order to ensure good data protection in mHealth apps, app makers should first ensure secure authentication to the app. Access to mobile health apps should at a minimum require a patient to enter their username and password each time they open the app. Apps should also log a patient out after a set period of inactivity, and that timeout should be enforced on the server by expiring the session token, not only by a client-side timer, since a timer inside the app can be bypassed on a rooted or jailbroken device. Preferably, mHealth apps should also use biometric authentication (Face ID or Touch ID) or multi-factor authentication to achieve a higher level of secure authentication. Note that device biometrics unlock a credential stored locally in the iOS Keychain or Android Keystore; they do not replace authentication to the backend, so the app should hold only short-lived tokens and re-authenticate when they expire.
Data-at-Rest Encryption in Mobile Health Apps and Mobile Wellness Apps
The second element of data protection is ensuring that all patient information, not just protected health information, is stored encrypted in the app. mHealth app makers can achieve this by encrypting the app’s own files, databases and preferences with AES-256, using an authenticated mode such as AES-GCM so that tampering is detected as well as prevented, and keeping the key in the platform keystore (iOS Keychain, Android Keystore) rather than in the app binary or alongside the data it protects. The operating system’s own file encryption helps only against an attacker who has the device but not its passcode, so treat it as a floor, not a substitute. In addition, strings, resources and in-app preferences may also hold patient data, as may logs, caches and temporary files, so they should be encrypted as well, or better, never written in the first place.
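To make the at-rest advice concrete, here is an added example, written for this edit in Go using only the standard library (it is not Appdome’s code or anything from the page), that seals one preference record with AES-256-GCM. The record name is bound into the authenticated data, so a ciphertext lifted from one preference and dropped into another fails to decrypt, and any flipped byte is rejected rather than silently yielding garbage. NewRecordKey stands in for the platform keystore lookup; the record name and sample value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Version byte prefixed to every blob so the format can be rotated later.
const blobVersion = 1

// NewRecordKey stands in for fetching the 32-byte record key from the platform
// keystore (iOS Keychain / Android Keystore). Assumption for this example only:
// in a real app the key never lives in source, resources or preferences.
func NewRecordKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("record key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one preference/record value. The record name is passed as
// additional authenticated data (AAD): it is not encrypted, but the GCM tag covers
// it, so a ciphertext copied from "patient_notes" into "consent_flag" will not open.
// Output layout: version || nonce || ciphertext || tag.
func SealRecord(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh nonce per seal: GCM must never reuse one
		return nil, err
	}
	aad := append([]byte{blobVersion}, name...)
	out := make([]byte, 0, 1+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, blobVersion)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord and fails closed on any change to the version
// byte, nonce, ciphertext or tag, on a wrong key, and on a record-name mismatch.
func OpenRecord(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < 1+ns+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	if blob[0] != blobVersion {
		return nil, fmt.Errorf("unsupported blob version %d", blob[0])
	}
	aad := append([]byte{blob[0]}, name...)
	nonce, ct := blob[1:1+ns], blob[1+ns:]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, errors.New("record failed authentication: tampered, wrong key, or wrong record name")
	}
	return pt, nil
}

func main() {
	key, _ := NewRecordKey()
	// Constructed sample value: a patient preference that counts as PHI.
	blob, _ := SealRecord(key, "patient_notes", []byte("allergy: penicillin"))
	pt, err := OpenRecord(key, "patient_notes", blob)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	_, err = OpenRecord(key, "consent_flag", blob) // same bytes, different record name
	fmt.Println("renamed record:", err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = OpenRecord(key, "patient_notes", blob)
	fmt.Println("tampered record:", err)
}
```

The same seal/open pair applies unchanged to SQLite rows, cached API responses or files; what changes per platform is only where the key comes from. Because the nonce is random and 12 bytes, rotate the key well before 2^32 seals under it, and never derive the key from anything an attacker who has the device can read.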
Data-in-Transit Encryption in Mobile Health Apps and Mobile Wellness Apps
Finally, app makers should ensure that the mobile health app communicates with backend servers over an encrypted channel (TLS 1.2 or later) so that patient data sent or received cannot be intercepted by a Man-in-the-Middle or other network-based attack. Encryption alone is not enough: the app must also validate the server certificate (chain, expiry and hostname) against a trusted set of CAs, ideally pin the server’s public key so that a CA-issued certificate for the same hostname in an attacker’s hands is still rejected, and never ship a release build with certificate validation disabled (a trust-all TrustManager on Android, or an App Transport Security exception on iOS). Where the backend uses mutual TLS, the client certificate and its private key belong in the platform keystore, not in the app bundle.
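As an added example of the certificate checks above (written for this edit in Go with the standard library; not Appdome’s code or anything from the page), the block below puts the weak configuration beside a hardened one and implements SPKI pinning as a VerifyPeerCertificate callback, which Go runs after its normal chain and hostname validation. So that it runs offline, newSelfSignedCert generates a throwaway certificate that stands in for the backend’s leaf, and a second one with the same hostname plays the attacker’s certificate; the hostname api.example-mhealth.test and the pin list are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the same form of pin Android's Network Security Config and OkHttp use.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier builds the callback for tls.Config.VerifyPeerCertificate. It accepts
// the connection only if some certificate in the presented chain matches a pinned
// SPKI hash. Pin the leaf plus a backup (issuing CA or a not-yet-deployed key) so
// that a routine certificate rotation cannot lock every user out.
func PinVerifier(pins []string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	pinned := make(map[string]bool, len(pins))
	for _, p := range pins {
		pinned[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if pinned[SPKIPin(cert)] {
				return nil
			}
		}
		return errors.New("tls: no certificate in the chain matches a pinned public key")
	}
}

// WeakClientConfig is the anti-pattern the section warns about: chain and
// hostname validation are switched off, so any MITM certificate is accepted.
func WeakClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// HardenedClientConfig keeps default chain + hostname validation, requires
// TLS 1.2 or later, and layers SPKI pinning on top. Pins are a deployment input.
func HardenedClientConfig(serverName string, pins []string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		MinVersion:            tls.VersionTLS12,
		InsecureSkipVerify:    false, // the default, spelled out for contrast with WeakClientConfig
		VerifyPeerCertificate: PinVerifier(pins),
	}
}

// newSelfSignedCert constructs a throwaway certificate so the pin check can be
// exercised offline. It stands in for the backend's real leaf certificate.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	backend, _ := newSelfSignedCert("api.example-mhealth.test")
	mitm, _ := newSelfSignedCert("api.example-mhealth.test") // same hostname, attacker's key
	cfg := HardenedClientConfig("api.example-mhealth.test", []string{SPKIPin(backend)})
	fmt.Println("genuine backend:", cfg.VerifyPeerCertificate([][]byte{backend.Raw}, nil))
	fmt.Println("MITM certificate:", cfg.VerifyPeerCertificate([][]byte{mitm.Raw}, nil))
	fmt.Println("weak config skips verification:", WeakClientConfig().InsecureSkipVerify)
}
```

On a real mobile app the equivalent hooks are Android’s Network Security Config pin-set or OkHttp’s CertificatePinner, and a URLSession authentication-challenge delegate on iOS; the pin values are the same SPKI hashes. Ship pins with an expiry and a backup key, and keep them out of debug builds only if the debug build cannot reach production data.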
The Cost of a HIPAA Breach
Given the rising fear of a HIPAA breach — a fear that is fueled by an increasing spate of high profile penalties, such as the $1.2 million settlement between the OCR and a Boston specialty hospital after a physician’s laptop with ePHI was stolen, and the $1.7 million settlement between the OCR and the Alaska Department of Health and Social Services after a USB with ePHI was stolen — some CIOs in the healthcare sector are moving to lock down mobile devices, and therefore significantly limit ePHI and other confidential data access and control. Yet, while this approach solves compliance needs, it triggers two difficult and potentially intractable problems: surging patient demand, and circumvention via BYOD.
With respect to the first problem, the drive towards accessing and transmitting ePHI is not exclusively driven by physicians and other healthcare professionals; patients are also looking to reap the benefits. As noted by the Frost & Sullivan white paper Moving Beyond the Limitations of Fragmented Solutions, “as our healthcare system transitions to electronic health records (EHR), consumers are demanding digital access to personal health information.” As such, any move to limit the accessibility and sharing of ePHI is ultimately going to prevent this patient/consumer demand from being met.
And with respect to the second problem, while IT staff can lock down corporately-owned devices, they have no way to maintain total control over personally-owned devices (BYOD), and even partial control raises user privacy concerns. Nor, frankly, is such control a practical expectation. As Ken Congdon, the editor-in-chief of Health IT Outcomes notes: “Unlike other IT initiatives that are the brainchild of the IT department or driven by federal incentives, the BYOD movement is being propelled by the end users themselves — namely doctors and nurses. An overwhelming number of clinicians want to use their own mobile devices (e.g. tablets, smartphones) on the job. Denying these caregivers a means to do so in line with IT policies will only encourage some to sidestep IT roadblocks and use personal devices haphazardly. Better to find a way to address the BYOD demand as securely as possible, than to stand in the path of the avalanche”.
Given the above, it’s clear that healthcare sector CIOs appear stuck between the proverbial “rock and a hard place”. On the one hand, they wisely fear the consequences of a HIPAA compliance breach, which could lead to huge fines and major, long-term reputation damage. On the other hand, locking down devices to prevent access to files in the face of physician and patient demand fosters unmanaged BYOD use that could ironically lead to data leakage rather than prevent it.
However, this only appears to be an unsolvable problem, because there is an option for CIOs that allows them to choose compliance and productivity, rather than one or the other.
Achieve HIPAA Compliance While Protecting Patient Data in Mobile Health and Wellness Apps
Major mHealth and wellness providers use Appdome’s no-code mobile security and fraud prevention platform to implement a full suite of mobile app security, privacy, data protection and compliance features into any iOS or Android app – instantly without any coding. This ensures that their mobile apps have the security needed to protect user and patient data and achieve HIPAA compliance, as well as other regulations.
Healthcare and wellness organizations retain complete control over ePHI on mobile devices so they can identify and thwart misuse, and fully comply with the HIPAA Security Rule.
Doctors and other healthcare professionals, along with authorized agents, brokers and members, get access to the ePHI they need in any mobile app, and they can rest assured that patient data is protected.