There are many privacy and data protection regulations that healthcare organizations need to abide by with regards to Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). In Europe, data protection and privacy of PHI and ePHI are governed by the General Data Protection Regulation (GDPR). In the UK, they are governed by the Data Protection Act (DPA) and the Common Law Duty of Confidentiality (CLDC). In this blog I will discuss the impact of these regulations on mobile healthcare apps, a.k.a. mHealth apps.
Privacy and Data Protection Regulations for mHealth Apps in the EU
All patient information collected in the European Union is subject to GDPR. The General Data Protection Regulation is a European Union law that governs data protection and privacy. It was put in place to protect the personal data of individuals (what US regulations call personally identifiable information, or PII) and to hold companies, organizations and government agencies to a higher standard when it comes to collecting, storing, and using that data. Specifically with regards to mobile apps (including mHealth apps), GDPR imposes three ongoing requirements: data protection, data minimization and privacy by design.
Data Protection in Mobile Healthcare Apps
In order to ensure good data protection in mHealth apps, app makers should first ensure secure authentication to the app. Access to mobile health apps should at a minimum require a patient to enter their username and password each time they open the app, and the app should log the patient out after a set period of inactivity. Preferably, mHealth apps should also use biometric authentication (Face ID or Touch ID) or multi-factor authentication to achieve a higher level of assurance. Keep in mind that on-device biometrics only unlock a credential held in the device's secure hardware; they add a layer in front of that credential but do not replace authenticating the session to the backend.
The second element of data protection is ensuring that all patient information, not just protected health information, is stored encrypted in the app. mHealth app makers can achieve this by encrypting everything the app writes to its sandbox with AES-256. Strings, resources and in-app preferences may also hold patient data, so they should be encrypted as well. The encryption key must not be stored next to the data it protects: keep it in the platform key store (the iOS Keychain or the Android Keystore) so that a copy of the app's files alone is not enough to recover the plaintext.
Finally, app makers should ensure that the mobile health app communicates with backend servers only over an encrypted channel (TLS), so that patient data sent or received cannot be intercepted by a Man-in-the-Middle or other network-based attack. In addition, app makers should validate digital certificates on both sides (the client checking the server's certificate, and the server checking a client certificate where one is used) and confirm the authenticity of the certificates and of the CAs that issued them, for example by pinning the backend's public key so that a certificate for the same hostname issued by any other CA is rejected.
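The pinning check described above, as an added example in Python that is not code from the original post or from Appdome. It computes a pin as the SHA-256 digest of the server certificate's SubjectPublicKeyInfo (the same `sha256/<base64>` form OkHttp and the former HPKP header use) and compares it against the set shipped in the app, failing closed on anything malformed. The certificate is a constructed DER skeleton built with the helpers in the block (its key bytes are not a real curve point and it carries no valid signature), so the example runs offline; on a device the DER bytes would come from the TLS handshake.

```python
"""SPKI (public-key) pinning check with a minimal DER walker (added example)."""
import base64
import hashlib

# --- minimal DER encoding, used only to build the constructed sample certificate ---
SEQ, INT, BITSTR, NULL, OID, UTCTIME = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17
CTX0 = 0xA0  # [0] EXPLICIT tag that wraps the optional version field


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def sample_spki(seed: int) -> bytes:
    """Constructed SubjectPublicKeyInfo in the shape of an EC P-256 key.
    The 64 coordinate bytes are derived from `seed` and are NOT a valid point."""
    alg = der(SEQ, der(OID, b"\x2a\x86\x48\xce\x3d\x02\x01")       # id-ecPublicKey
                   + der(OID, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))  # prime256v1
    point = b"\x04" + bytes((seed + i) % 256 for i in range(64))
    return der(SEQ, alg + der(BITSTR, b"\x00" + point))


def build_cert(spki: bytes, with_version: bool = True) -> bytes:
    """Constructed X.509 skeleton: tbsCertificate, signatureAlgorithm, signatureValue.
    Every field except the SPKI is a placeholder; the signature is never verified here."""
    alg = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(NULL, b""))
    name = der(SEQ, b"")  # empty issuer/subject Name
    validity = der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"250101000000Z"))
    tbs = der(CTX0, der(INT, b"\x02")) if with_version else b""
    tbs += der(INT, b"\x01") + alg + name + validity + name + spki
    return der(SEQ, der(SEQ, tbs) + alg + der(BITSTR, b"\x00" + b"\x00" * 4))


# --- the client-side check: extract the SPKI and compare its digest to the pin set ---
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end, next_tlv_pos) for the TLV at `pos`."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.
    tbsCertificate ::= [0] version OPTIONAL, serial, signature, issuer, validity, subject, spki, ..."""
    tag, start, _, _ = _read_tlv(cert_der, 0)
    if tag != SEQ:
        raise ValueError("not a Certificate SEQUENCE")
    tag, pos, tbs_end, _ = _read_tlv(cert_der, start)
    if tag != SEQ:
        raise ValueError("not a tbsCertificate SEQUENCE")
    tag, _, _, nxt = _read_tlv(cert_der, pos)
    if tag == CTX0:                       # skip the optional version
        pos = nxt
    for _ in range(5):                    # serial, signature, issuer, validity, subject
        _, _, _, pos = _read_tlv(cert_der, pos)
    tag, _, _, nxt = _read_tlv(cert_der, pos)
    if tag != SEQ or nxt > tbs_end:
        raise ValueError("malformed SubjectPublicKeyInfo")
    return cert_der[pos:nxt]              # pins cover the whole SPKI, header included


def spki_pin(spki: bytes) -> str:
    return "sha256/" + base64.b64encode(hashlib.sha256(spki).digest()).decode()


def check_pins(cert_der: bytes, pins: set) -> bool:
    """True only if the leaf certificate's public key matches a shipped pin.
    Any parse failure is treated as a mismatch so the connection fails closed."""
    try:
        return spki_pin(extract_spki(cert_der)) in pins
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    backend_key = sample_spki(1)
    pins = {spki_pin(backend_key)}                     # the value baked into the app
    print("genuine backend:", check_pins(build_cert(backend_key), pins))   # True
    print("other CA's cert:", check_pins(build_cert(sample_spki(2)), pins))  # False
```

Pin the SubjectPublicKeyInfo rather than the whole certificate so a routine certificate renewal with the same key does not break the app, and ship at least one backup pin for the next key so a key rotation does not lock patients out.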
Data Minimization in Mobile Healthcare Apps
Data Minimization under GDPR requires that personal data processing is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Privacy by Design in Mobile Healthcare Apps
In GDPR, the term “Privacy by Design” (Article 25, “data protection by design and by default”) means data protection through technology design. As discussed in a previous blog, it is one of the most critical and toughest parts of the law. In short, privacy by design means that organizations and developers must implement “appropriate technical measures” that ensure data protection and integrate “the necessary safeguards” into the processing of personal data in order to meet the requirements of the GDPR and protect the rights of data subjects (i.e. patients).
Mobile health apps collect, record and store data. In addition, mHealth apps retrieve data from and transmit data to cloud or backend servers that control the service provided by the app. The app binary and its preferences also hold critical information about the networks, users, profiles and services the app uses: API endpoints, tokens, keys and configuration. Apps are therefore both treasure troves of personal information and pathways to it. Because of this, healthcare organizations must fully protect and secure their apps (with encryption, obfuscation, app hardening and jailbreak/root protection) to protect patient data as well as the app’s source code and logic.
Right To Be Forgotten in Mobile Healthcare Apps
One other requirement under GDPR is the right to be forgotten (Article 17, the right to erasure). When a mHealth app is written with privacy by design in mind (obfuscation, encryption, app hardening, jailbreak/root protection), complying with Article 17 is more straightforward. Upon a patient’s request to erase their personal information, the healthcare organization deletes the patient’s account (username, credentials and all patient data) from the backend server, and from that moment the patient can no longer log in to the app. Erasure should also reach copies held outside the main record, such as backups, logs and analytics that contain the patient’s data, and any records cached on the device, which the app should wipe (with any access tokens revoked) when the account is deleted. Encrypting all data and obfuscating the source code, logic and debug info raises the bar for anyone trying to recover residual data from the device with static or dynamic analysis, but it is a safeguard for what remains, not a substitute for deleting it.
Penalties and Fines for GDPR Noncompliance
GDPR has the biggest teeth of any privacy and data protection regulation in the world. The fines and penalties for GDPR noncompliance can be as high as €20M (about $22M USD) or 4% of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher. Hence, it’s not a surprise that experts consider GDPR potentially more significant than HIPAA, not only punitively but also in scope. And those teeth bite: several healthcare providers in Sweden were given multi-million Euro fines for GDPR violations.
Privacy and Data Protection Regulations for mHealth Apps in the UK
In the UK, the legal frameworks covering how patient data must be looked after and processed are the Data Protection Act 2018 (DPA) and the Common Law Duty of Confidentiality (CLDC).
The DPA 2018 brought the GDPR into UK law. The Act states that “the GDPR applies to the processing of personal data to which this Chapter applies but as if its articles were part of an Act extending to England and Wales, Scotland and Northern Ireland.”
The CLDC requires that the collection and processing of personal data is fair, lawful, and transparent. This means there must always be a valid lawful basis for the collection and processing of data as defined under data protection legislation.
Since the Data Protection Act 2018 brought the GDPR into UK law, the maximum fines for non-compliance are the same.
Recommendations to Mobile App Makers at Healthcare Organizations
Ensuring compliance with GDPR and the Data Protection Act is critical for mobile health apps. Using Appdome, healthcare organizations can fully secure their mHealth apps and meet all the different regulations around the world. Appdome is a Mobile App Security and Fraud Prevention Platform that automatically builds security into mobile apps, without the need for coding.
The Appdome platform includes the following security and fraud prevention components to help mobile healthcare apps comply with the regulations:
- ONEShield™ by Appdome hardens the mobile healthcare app and protects it from attempts to debug, tamper with, or reverse engineer it.
- TOTALData™ Encryption is the most important component on the Appdome platform to help healthcare organizations comply with GDPR and the Data Protection Act. With TOTALData Encryption, app makers can protect and secure all PHI and ePHI records with AES-256 data-at-rest encryption including encryption of patient data stored in strings, resources and app preferences.
- TOTALCode Obfuscation obfuscates the binary code, native and non-native libraries, and the app’s flow control and logic.
- Secure Communications protects all mHealth app data-in-transit against network-based attacks such as MitM and ensures the validity of all endpoints and any intermediate systems in between mobile healthcare apps and their backend with secure certificate pinning, mobile client certificates, and more.
- OS Integrity protects the healthcare app from operating in unsafe environments, such as on Jailbroken/Rooted devices.
- Appdome Biometrics adds Face ID, Touch ID and complex passcodes to mobile healthcare apps and helps prevent unauthorized access.
- Mobile Fraud Prevention protects mHealth apps against automated attacks that interact with the mobile app in a fraudulent way or that use the app in a fraudulent way.
- Mobile Malware Prevention provides local, on-device protection against malware attacks that are meant to harm the application and/or its users.
- Mobile Piracy Prevention protects mobile apps from being trojanized, prevents fraudsters from creating fakes and mods, and prevents unauthorized re-signing and re-distribution of apps.