In a previous blog, I discussed how privacy and data protection of patient data in the UK is governed by the Data Protection Act (DPA) and the Common Law Duty of Confidentiality (CLDC). The equivalent to DPA and CLDC in Canada is PIPEDA, the Personal Information Protection and Electronic Documents Act.
In this blog I will discuss the impact of PIPEDA on mobile healthcare apps, a.k.a. mHealth apps.
Privacy and Data Protection Regulations for mHealth Apps in Canada
All personally identifiable information (PII) collected in Canada is subject to PIPEDA. The Act governs how businesses, including healthcare organizations, must handle personal information in the course of commercial activity. As with DPA and CLDC in the UK, PIPEDA requires that patient healthcare data must
- be collected with consent
- be used and disclosed only for the limited purpose for which it was collected
- be accurate
- be accessible for inspection and correction, and
- be stored securely.
Unlike HIPAA, which governs the data protection and privacy of Protected Health Information (PHI) and Electronic Protected Health Information (ePHI), PIPEDA governs all personally identifiable information (PII) of the patient, including:
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
Secure Data Storage of Patient Data in Mobile Health Apps
There are three elements to secure data storage: (1) ensure that only authorized users can open the app; (2) encrypt all data in the app; and (3) encrypt the connection between the app and the backend server.
At an absolute minimum, app makers should require patients to enter their username and password each time they open the app. Patients should also be logged out automatically after a set period of inactivity. Apps should further strengthen access control with biometric authentication or multi-factor authentication.
The second element of secure data storage is data encryption. Mobile healthcare app makers can achieve this with data-at-rest encryption of the application sandbox. In addition, strings, resources, and in-app preferences may also store patient data, so they should be encrypted as well.
Finally, by encrypting all data-in-transit, patient data sent or received cannot be intercepted by network-based attacks such as Man-in-the-Middle (MitM). App makers should also follow best practices to validate both client-side and server-side digital certificates.
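The three storage elements above, applied to one Android mHealth app, as an added example that is not code from the original post or from Appdome. It assumes the Jetpack androidx.security:security-crypto and OkHttp libraries; the class name, the backend host name and the SPKI pin value are placeholders.

```kotlin
import android.content.Context
import android.os.SystemClock
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.util.concurrent.TimeUnit

// Hypothetical helper that applies the three storage controls to one mHealth app.
class PatientDataStore(context: Context) {

    // Element 1: no persisted session. The app starts locked, the user must
    // authenticate on every launch, and the activity timestamp lives only in memory.
    private var lastActivityMs: Long = -1L
    private val idleLimitMs = TimeUnit.MINUTES.toMillis(5)

    fun onAuthenticated() { lastActivityMs = SystemClock.elapsedRealtime() }
    fun onUserActivity() { if (!requiresReauthentication()) lastActivityMs = SystemClock.elapsedRealtime() }

    /** True when no session exists or it idled past the limit; the user must log in again. */
    fun requiresReauthentication(): Boolean {
        val expired = lastActivityMs < 0 ||
            SystemClock.elapsedRealtime() - lastActivityMs > idleLimitMs
        if (expired) lastActivityMs = -1L   // force a fresh login
        return expired
    }

    // Element 2: data-at-rest encryption of in-app preferences. The AES-256-GCM
    // master key lives in the Android Keystore; the library encrypts preference
    // keys (AES-256-SIV) and values (AES-256-GCM) before they reach the sandbox.
    private val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    private val prefs = EncryptedSharedPreferences.create(
        context, "patient_prefs", masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun savePatientId(id: String) {
        check(!requiresReauthentication()) { "session expired; patient data stays locked" }
        prefs.edit().putString("patient_id", id).apply()
    }

    // Element 3: TLS for data-in-transit plus certificate pinning, so a network
    // MitM presenting any other certificate chain is rejected. Host and pin are
    // placeholders; derive the real pin from the backend certificate's SPKI.
    val client: OkHttpClient = OkHttpClient.Builder()
        .certificatePinner(
            CertificatePinner.Builder()
                .add("api.example-clinic.invalid", "sha256/PLACEHOLDER_BASE64_SPKI_HASH=")
                .build()
        ).build()
}
```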
Penalties and Fines for PIPEDA Noncompliance
While Canada implemented PIPEDA to assure the EU that its privacy law offered protection adequate in comparison with GDPR, the fines for PIPEDA noncompliance are not as steep as those for GDPR noncompliance. PIPEDA fines can be up to $100,000 (CAD) for each violation.
Recommendations to Mobile App Makers at Healthcare Organizations
Ensuring compliance with PIPEDA is critical for mobile health apps. Using Appdome, healthcare organizations can fully secure their mHealth apps and comply with the Canadian Personal Information Protection and Electronic Documents Act.
Appdome is a Mobile App Security and Fraud Prevention Platform that automatically builds security into mobile apps, without the need for coding. The Appdome platform includes the following security and fraud prevention components that help healthcare organizations make their mHealth apps PIPEDA compliant:
- ONEShield™ by Appdome hardens the healthcare app and protects it from attempts to debug, tamper with, or reverse engineer.
- TOTALData™ Encryption is the most important module on the Appdome platform for complying with PIPEDA. With TOTALData Encryption, app makers can protect all patient records with AES-256 encryption of data-at-rest, strings, resources, in-app preferences, strings.xml values, and Java class DEX files.
- TOTALCode Obfuscation obfuscates the binary code, native and non-native libraries, and the app’s flow control and logic.
- Secure Communications protects all mHealth app data-in-transit against MitM attacks and ensures the validity of all endpoints and any intermediate systems in between mobile healthcare apps and their backend with secure certificate pinning, mobile client certificates, and more.
- OS Integrity protects the healthcare app from operating in unsafe environments, such as on Jailbroken/Rooted devices.
- Appdome Biometrics adds Face ID, Touch ID and complex passcodes to healthcare apps and helps prevent unauthorized access.
- Mobile Fraud Prevention protects mHealth apps against automated attacks that interact with the mobile app in a fraudulent way or that use the app in a fraudulent way.
- Mobile Malware Prevention provides local, on-device protection against attacks that are meant to harm the application and/or its users.
- Mobile Piracy Prevention protects the app from becoming a trojan and prevents fraudsters from creating fakes and mods and from resigning and redistributing the app.