Over the past few years, businesses of all sizes have implemented employee wellness programs designed to improve the emotional, mental and physical well-being of their employees on and off the job. As a result, there has been an explosion in employee health and wellness apps in the workplace. The theory – and it’s a good one – is that by supporting employee health and wellness, people are happier, better balanced and more capable of innovation, operational excellence and better economic outcomes for businesses.
However, great programs come with complex and thorny issues that need to be handled carefully when it comes to protecting the privacy rights of the employees who participate. In this blog, we’ll walk through the top 5 ways to make employee wellness apps enterprise-ready while safeguarding employee privacy.
I will discuss the market dynamics of this fast-growing market, as well as the challenges faced by developers, IT departments, HR and benefits administrators, and enterprise security teams. Each of these groups has to balance the often complex, interdependent, and sometimes conflicting security, compliance and privacy requirements of the wellness programs, systems, and mobile applications that power this shift.
Yes, Mobile Apps for Employee Wellness Are “A Thing”
To meet the market demand for employee wellness, hundreds of Android and iOS app makers have entered the market with a dizzying ensemble of mobile apps offering all sorts of ways to live and work healthier, smarter, and gain a greater level of balance, satisfaction, fulfillment, and achievement. According to the European Connected Health Alliance, there are thousands of health and wellness apps available on Android and iOS that offer a broad collection of tools and programs designed to improve the health and well-being of employees – all of which include mobile applications as the primary employee interface.
What Are Employee Wellness Programs and Apps?
Employee wellness mobile apps provide an easy-to-use and convenient framework for improving the physical and mental health of all employees. These apps cover a wide variety of services and activities such as mindfulness, meditation, physical fitness, nutrition, benefits administration, mental health, employee assistance, eHealth, telehealth, stress management and burnout prevention, and even treatment for conditions like anxiety, bipolar disorder, depression, drug addiction and more. Employee wellness mobile apps often interact with or plug into a company’s benefits administration software, human resource management platforms, or human capital management (HCM) systems and offer reporting capabilities that enable administrators to assess the effectiveness of their mobile wellness initiatives. So you can see why privacy might be an important thing. More on that later.
Some mobile wellness providers, such as Headspace, Calm, and Talkspace, have built very successful ‘direct to consumer’ businesses based on wellness apps and are now moving upmarket to sell into enterprises – private employers or clinicians. Other companies like Whil, Ginger, and Lyra Health have focused on enterprise solutions for clinicians or corporate customers from day one. Regardless of how they got here, selling apps and services into large enterprise customers comes with extensive security, privacy, and compliance requirements that the app-maker must meet in order to be successful over the long term. Enterprise IT and security organizations often require app-makers to deliver a multi-layered and sophisticated collection of security features to protect data, access and use of mobile apps, both when connected to the enterprise and offline.
Security Challenges for Developers of Employee Wellness Apps
A team of researchers from the U.S. National Library of Medicine examined 20,000 mHealth apps and found that a significant number of them expose users to serious security risks. Specifically, almost half of the 20k apps they evaluated rely on unencrypted communication, with as much as 23% of personal data (including usernames, passwords and geolocation information) transmitted over non-secure channels (no TLS, or weak encryption algorithms) – all without the knowledge or awareness of the patient or mobile user.
In a related study, the same team of researchers surveyed developers of mHealth apps in an effort to understand the reasons for the poor mobile app security practices (developers could cite more than one reason):
- 63% – Lack of security guidelines & regulations
- 56% – Developer lacks security expertise
- 19% – Lack of stakeholder involvement
- 16% – No/little developer attention to the security
- 13% – Lack of resources
- 13% – Project constraints during the mHealth app development process
- 13% – Lack of security testing
- 9% – Developers’ lack of motivation, ethical considerations
- 6% – Insufficient engagement of security experts during development
And that’s not the only study. Consumer Reports recently published the results of an evaluation of the privacy and data handling practices of 8 popular mental health and wellness apps. They found extensive sharing of highly personal and sometimes confidential electronic health (eHealth) data with third parties of dubious reputation. “Consumers have an understandable mistrust of apps and potential data misuse so mental health app makers need to set a high bar on privacy and security and be transparent about how data is used,” said Connie Chen, M.D., chief medical officer at digital mental health company Lyra Health.
And, if that’s not enough to make you cringe, the federal government is getting in on the game. The FTC has expanded its reach by issuing a policy statement that health and wellness apps are subject to its Health Breach Notification Rule, which requires them to disclose data breaches; the statement was also endorsed by the AMA. Title II of the Health Insurance Portability and Accountability Act (HIPAA) sets the rules for sharing personal health information and preventing unsanctioned use. Specifically, it covers patient privacy protections and security controls for health and medical records and other forms of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). The HIPAA Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. For mobile apps in particular, that means strong authentication and encryption of data at rest and in transit. The U.S. federal Department of Health and Human Services (HHS) has published a great resource for mobile health app developers.
5 Ways to Make Employee Wellness Apps Enterprise Ready
With all these concerns, here are the top 5 ways to make employee wellness apps enterprise-ready:
Encrypt Data at Rest Stored in Employee Health & Wellness Apps
So let’s start with data protection. To understand why data encryption is important, consider the types of data that are collected, stored and transmitted by employee wellness apps, as well as the sensitive backend systems that these apps communicate with. Employee health and wellness apps sometimes collect sensitive health information about employees and personally identifiable information (PII) such as date of birth, Social Security number, and home and work addresses, as well as health status, insurance plans, medical providers, medications, and pre-existing conditions. Each of these elements can be used by employers or insurance companies to make decisions about hiring, termination, and whether to grant or deny treatment or coverage, and more. Not only is some of this information protected by HIPAA, but it’s also critical to encrypt this data to keep it out of the hands of entities that can use the information maliciously. One practitioner check worth making: encryption at rest only helps if the key is not itself recoverable from the device, so the key should live in the platform keystore (Android Keystore, iOS Keychain) rather than being embedded in the app binary or written alongside the data.
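The following Go program is an added example of the data-at-rest protection described above; it is not code from the original post or from Appdome. It encrypts one wellness record with AES-256-GCM, binds the record identifier into the authentication tag, and shows that a single flipped bit in the stored envelope is rejected on read. The 32-byte key, the record identifier, and the sample JSON record are all constructed for the demo; on a real device the key would be generated inside the platform keystore rather than passed in by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope layout written to local storage: nonce (12 bytes) || ciphertext || 16-byte GCM tag.
const nonceSize = 12

// newAEAD wraps a 32-byte key in AES-256-GCM. Assumption for this example: the
// key is supplied by the caller; in a shipping app it would be generated inside
// the platform keystore (Android Keystore / iOS Keychain) and never written to disk.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one record. recordID (e.g. "1042/medications") is bound
// in as additional authenticated data, so a ciphertext copied into a different
// record's slot will not open even though the key is the same.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, producing the envelope layout above.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. Any modification to the envelope, a wrong
// key, or a wrong recordID makes the GCM tag check fail and returns an error.
func openRecord(key []byte, recordID string, envelope []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(envelope) < nonceSize+aead.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:nonceSize], envelope[nonceSize:]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, errors.New("authentication failed: tampered data, wrong key, or wrong record ID")
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32) // constructed key for the demo only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte(`{"employee":"1042","medications":["sertraline 50mg"]}`) // constructed sample
	env, err := sealRecord(key, "1042/medications", record)
	if err != nil {
		panic(err)
	}
	pt, err := openRecord(key, "1042/medications", env)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	env[len(env)-1] ^= 0x01 // flip one bit of the tag
	_, err = openRecord(key, "1042/medications", env)
	fmt.Println("after tampering:", err)
}
```

The random per-record nonce matters: GCM is only safe when a nonce is never reused under the same key, so a fixed or counter-derived nonce stored in app code would undo the protection.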
Protect Data in Transit for Employee Wellness Apps
It’s also important to protect data in transit as it travels from mobile apps to backend systems. Many health and wellness apps are part of broad-based corporate benefits programs and as a result they connect to and integrate with backend HR systems, critical systems of record, ERP, Human Capital Management systems, and even supply chain repositories. This exposes enterprises to substantial risk in the form of a significant expansion of the attack surface and new vectors to infiltrate protected enterprise networks with mobile malware, large-scale automated attacks using botnets, credential stuffing, or even ransomware. App makers should ensure that the mobile health app communicates with backend servers over an encrypted channel so that patient data sent or received cannot be intercepted by a Man-in-the-Middle or other network-based attack. In addition, app makers should validate digital certificates (both client-side and server-side), checking the chain of trust, expiry, and the hostname, and where possible pin the backend’s public key so that a certificate issued by any other CA, even one the device trusts, is rejected.
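The Go program below is an added example of the certificate validation and pinning just described; it is not code from the original post or from Appdome. It verifies a server chain against trusted roots and the expected hostname, then requires a pinned SubjectPublicKeyInfo hash to appear in the verified chain. To run offline it mints its own throwaway test CA and server certificate in memory; the hostname api.wellness.example, the CA names, and the pin list are all assumptions for the demo. The function has the shape of a tls.Config.VerifyPeerCertificate callback, so the same logic can be wired into a real client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin is the base64(SHA-256(SubjectPublicKeyInfo)) form used by pin lists
// in Android's network security config and most mobile pinning libraries.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPeer parses the presented chain, validates it against the trusted
// roots and the expected hostname, then requires at least one certificate in
// a verified chain to carry a pinned public key. A certificate that chains to
// a trusted but unpinned CA (a compromised or rogue issuer) therefore fails.
func verifyPeer(rawCerts [][]byte, roots *x509.CertPool, host string, pins map[string]bool) error {
	if len(rawCerts) == 0 {
		return errors.New("no certificate presented")
	}
	certs := make([]*x509.Certificate, 0, len(rawCerts))
	for _, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	chains, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: host})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return errors.New("verified chain contains no pinned public key")
}

// newCert issues a throwaway P-256 certificate so the example runs offline.
// With parentKey == nil the certificate is self-signed (a test root CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

func main() {
	const host = "api.wellness.example" // hypothetical backend hostname
	ca, caKey, _ := newCert(caTemplate("Test Wellness Root CA"), nil, nil)
	leaf, _, _ := newCert(leafTemplate(host), ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pins := map[string]bool{spkiPin(ca): true}
	fmt.Println("legitimate chain:", verifyPeer([][]byte{leaf.Raw}, roots, host, pins))
	// A second CA the device trusts, but whose key is not pinned: must be rejected.
	rogue, rogueKey, _ := newCert(caTemplate("Trusted But Unpinned CA"), nil, nil)
	rogueLeaf, _, _ := newCert(leafTemplate(host), rogue, rogueKey)
	roots.AddCert(rogue)
	fmt.Println("unpinned issuer:", verifyPeer([][]byte{rogueLeaf.Raw}, roots, host, pins))
}
```

Pinning the issuing CA’s key rather than the leaf’s, as here, survives routine certificate renewal; whichever key is pinned, ship a backup pin and an expiry so a key rotation cannot brick every installed app.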
Pass Enterprise Pen Tests without Sacrificing Employee Privacy
Enterprise IT and internal security teams increasingly require that all Android and iOS mobile apps for work pass penetration tests, vulnerability assessments, and code scans before being put into production and into the hands of mobile employees. Failing a pen-test or vulnerability scan can put a big roadblock in deployment, and lead to canceled projects, degraded employee productivity, or an outright prohibition of the app. At a minimum, consider protecting the app and its code against static and dynamic attack techniques using security features such as code obfuscation, tamper prevention, and debugger prevention to satisfy this requirement.
Best practices would also suggest adding standard enterprise protections like data encryption, jailbreak and root prevention, and DLP protections (like blocking copy and paste). Where protecting employee-patient privacy is at a premium, it is important to provide this level of protection without putting an agent or profile on the employee-patient’s device. Device profiles, which often come with UEM, MDM and MAM systems, can overreach in the data captured or exposed to the employer, undermining the wellness objectives that employers have.
Protect Against Mobile Malware and Automated Attacks
Health and wellness apps are often targets of malware, trojans and droppers. In a high-profile case, the TeaBot and FluBot trojans were found embedded inside a fake version of Uplift, a very popular wellness app. The fake app masqueraded as a legitimate copy of Uplift, but in reality it was a vessel for carrying malware onto the device, where the malware’s goal was to target other apps. According to an analysis report by Bitdefender, the malware can perform overlay attacks through Android Accessibility Services, intercept messages, perform various keylogging activities, steal Google authentication codes and even take full remote control of Android devices.
Compliance – Stay Ahead of Evolving Regulations
The employer, and its enterprise IT or security department, may also be bound by industry regulations such as HIPAA, which mandate the protection of such data and can carry steep fines in the event of a breach. So as a developer of employee wellness apps, the protection obligations extend far beyond the dev team, and carry forward to the IT and security departments who license such apps and provide them to their employees. We’ve written extensively on how to use Appdome to make mobile apps HIPAA compliant. Whether you’re subject to HIPAA or your enterprise customer is subject to HIPAA, here are the facts. HHS recently released sub-regulatory guidance about when and how the HIPAA privacy and security rules apply to workplace wellness programs, concluding that they apply when those programs are part of a group health plan for employees.
And finally, if you’re an app developer who builds apps aimed at enterprise customers, your larger customers may require your apps to be compatible with UEM/MAM systems like VMware Workspace ONE, Microsoft Intune, BlackBerry and others. You can use Appdome to make any iOS and Android app compatible with any leading UEM solution without any coding.
Developers of Employee Wellness Apps Can Build Enterprise-Grade Security FAST
If you’re a developer of enterprise wellness apps, a robust in-app mobile security model is table stakes. You don’t need to reinvent the wheel, and you don’t need to worry about adding additional resources to your team. Just use Appdome and automate mobile app security as part of your existing development workflows. You don’t need to change a thing about how you build apps today.
I hope you found this blog a helpful starting point for protecting your workforce, users and data in your mobile enterprise wellness apps.
If you would like to see Appdome in action and you’ve got 15 minutes to spare, use the button below to request a live Appdome demo. I’d be happy to demonstrate how you can use Appdome to instantly build security and anti-fraud features into any mobile app in minutes.