The Need for HIPAA Compliance in the Crowded Mobile Health Space

As the mHealth (mobile health) vertical continues to expand, from healthcare apps and fitness trackers to doctor appointment scheduling helpers and peer support communities, the control and privacy that end users have over their personal health records are increasingly jeopardized.

New applications and digital health resources keep emerging, and it is often unclear whether the sensitive data stored within them will be secured and covered under the Health Insurance Portability and Accountability Act (HIPAA).

What is HIPAA?


The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996 in order to protect healthcare insurance for workers and establish “national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers.”


How is HIPAA advancing?


Back when HIPAA was enacted in the mid-1990s, the personal healthcare landscape was entirely different, and the unprecedented applications and devices that now have the potential to access our private health data were over a decade away from being shipped to market. As the mHealth market continued to grow and undergo rapid change and innovation, HIPAA adapted to these changes through a new rule in early 2013 that expanded the rights of individuals with respect to electronic health records, as well as the requirements for U.S. Department of Health and Human Services (HHS) business associates that receive protected health information, such as contractors and subcontractors.


What does the mHealth market look like today?

Fast forward to 2016, when almost 200,000 mobile health apps and countless mHealth Internet of Things (IoT) devices are publicly available, and the challenge of properly safeguarding all the data that these devices receive is a growing concern. The rapid growth in mHealth comes in parallel with an even more interesting statistic: two-thirds of Americans favor digital healthcare management over physical management.


Gil Bashe, the executive vice president of Makovsky Health, illustrates the impact that mHealth technology has on consumers, especially millennials, as he notes that “smartphones and wearables are driving a major behavioral shift in consumer health and wellness, beyond a desire to speed access to information, consumers are using technology to engage proactively in managing their health – and a personality of ‘search’ is influenced by specific medical conditions.”


Add to this the expanding role that our devices play in managing our health, and the fact that, according to Makovsky Health’s Fifth Annual “Pulse of Online Health” survey, 88 percent of Americans are willing to share their personal information for the sake of improving care and treatment options. While this has the potential to streamline physician-patient engagement, it also opens the door to serious breaches of sensitive personal health data, as the development of mHealth IoT devices and applications could outpace the rules and regulations needed to secure the data contained within.


How is Personal Health Data Protected?


In mid-June 2016, the U.S. Department of Health and Human Services (HHS) published their report “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” which examines the gap between data collecting health IT applications and devices which are HIPAA compliant and those that are not.


The traditional healthcare industry protects a patient’s healthcare information in three main ways:

  1. HIPAA – A federal law that establishes nationwide privacy and security standards and imposes protections through its Privacy, Security, and Breach Notification Rules.
  2. Federal Trade Commission (FTC) – Consumer protection prohibition against acts or practices that are unfair or deceptive.
  3. Additional health privacy rules that are more protective of patient privacy than HIPAA, but which concern specific clinical conditions or circumstances, such as HIV/AIDS status, mental or reproductive health conditions, or the health information of teenagers.


When it comes to the growing industry of mHealth applications and devices, however, it’s increasingly unclear how, or if, the sensitive personal data collected by those applications and devices is covered by HIPAA, or by any other protection layer.


This sensitive personal health data is referred to as Protected Health Information (PHI). It includes information such as blood tests, MRIs, confidential communication between patients and their doctors, schedules of specific appointments, any other data that can personally identify the patient, and anything that is exchanged with a HIPAA-compliant entity.


Information contained in most fitness or diet applications would not include PHI, but doctor’s appointment scheduling software could contain parts of PHI, as could a medication reminder application. As mHealth technology advances, the gray area of protection for health data widens. Applications such as peer support groups for clinical conditions or circumstances could find themselves holding sensitive health data that is either borderline PHI or falls squarely under it.

How physicians are using mobile devices. Source: Wolters Kluwer Health

Becoming HIPAA Compliant with the Help of Static Code Analysis


mHealth application developers should seek to become HIPAA compliant sooner rather than later in their development: if there is a chance that the application will need to communicate or interact with a HIPAA-compliant application in the future, or that it could contain PHI, the application must itself be compliant. Through the implementation of a static code analysis (SCA) solution, developers are able to mitigate security, compliance and quality issues in the code in the earliest stages of the software development lifecycle.


Creating a secure software development lifecycle (sSDLC) using Checkmarx’s CxSAST static analysis solution is the first step in ensuring that your mHealth application is not only HIPAA compliant, but also free of other security and quality issues which could result in crippling breaches and exploits of the sensitive data that your users trust you to keep secure.
Checkmarx’s CxSAST helps development teams find and mitigate vulnerabilities and compliance issues before the code makes it to production, where fixing an issue can cost up to 100 times more in developer time and company resources. To learn more about how CxSAST can help your application achieve HIPAA compliance, click here.


To learn more about breaches and dangers facing health related applications, be sure to read Internet of Things (IoT): Hack My Hospital
