As the mHealth (mobile health) vertical continues to expand from healthcare apps to fitness trackers, from doctor appointment scheduling helpers and peer support communities, the control, and privacy that the end users have over our personal health records is being increasingly jeopardized.
New applications and digital health resources keep emerging which make it unclear whether or not the sensitive data stored within will be secured and covered under the Health Insurance Portability and Accountability Act (HIPAA).
The Health Insurance Portability and Accountability Act, or HIPAA, was enacted in 1996 in order to protect healthcare insurance for workers and establish “national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers.”
Back when HIPAA was enacted in the mid-1990’s, the personal healthcare landscape was entirely different and the access to unprecedented applications and devices which have the potential to gain access to our private health data were over a decade away from being shipped to market. As the mHealth market continued to grow and undergo rapid change and innovation, HIPAA worked to adapt to these changes through a new rule in early 2013 that expanded the rights of individuals when it came to electronic health records as well the requirements to U.S. Department of Health and Human Services (HHS) business associates that receive protected health information, such as contractors and subcontractors.
Fast forward to 2016, where almost 200,000 mobile health apps and countless mHealth internet of things (IoT) devices are publicly available, the challenge to properly safeguard all the data that these devices receive is a growing concern. The rapid growth in mHealth comes in parallel to an even more interesting statistic, the fact that two-thirds of Americans favor digital healthcare management over physical management.
Gil Bashe, the executive vice president of Makovsky Health, illustrates the impact that mHealth technology has on consumers, especially millennials, as he notes that “smartphones and wearables are driving a major behavioral shift in consumer health and wellness, beyond a desire to speed access to information, consumers are using technology to engage proactively in managing their health – and a personality of ‘search’ is influenced by specific medical conditions.”
Add to this the expanding role that our devices play when it comes to managing our health and the fact that according to Makovsky Health’s Fifth Annual “Pulse of Online Health” survey, 88 percent of Americans are willing to share their personal information for the sake of improving care and treatment options. While this has the potential to streamline physician-patient engagement, it also opens the door to serious breaches of sensitive personal health data as the development of mHealth IoT devices and applications could outpace the rules and regulations needed to secure the data contained within.
In mid-June 2016, the U.S. Department of Health and Human Services (HHS) published their report “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA,” which examines the gap between data collecting health IT applications and devices which are HIPAA compliant and those that are not.
The traditional healthcare industry protects a patient’s healthcare information in three main ways:
When it comes to the growing industry of mHealth application and devices, however, it’s increasingly unclear how, or if, sensitive personal data is collected by applications and devices is covered by HIPAA, or any other protection layer.
This sensitive personal health data is referred to as Protected Health Information (PHI) and it includes information such as blood tests, MRIs, confidential communication between patients and their doctors, schedules of specific appointments and anything else which makes the data able to personally identify the patient as well as anything that is exchanged with a HIPAA compliant entity.
Information contained in most fitness applications or diet applications would not include PHI, but doctor’s appointment scheduling software could contain parts of PHI, as could a medication reminder application. As mHealth technology advances, the gray area of protection for health data widens. Applications such as peer support groups for clinical conditions, or circumstances, could find themselves holding onto sensitive health data which is either borderline or falls under PHI.
mHealth application developers should seek to become HIPAA compliant sooner, rather than later, in their development as if there is a chance that the application will need to communicate, or interact, with a HIPAA compliant application in the future, their application must also be compliant or if there’s a chance that their application could contain PHI. Through the implementation of a static code analysis (SCA) solution, developers are able to mitigate security, compliance and quality issues in the code in the earliest stages of the software development lifecycle.
Creating a secure software development lifecycle (sSDLC) using Checkmarx’s CxSAST static analysis solution is the first step in ensuring that your mHealth application is not only HIPAA compliant, but also free of other security and quality issues which could result in crippling breaches and exploits of the sensitive data that your users trust you to keep secure.
Checkmarx’s CxSAST helps applications find and mitigate vulnerabilities and compliance issues before the code makes it to production where it can cost up to 100 times more in developer time and company resources to fix the issue. To learn more about how CxSAST can help your application achieve HIPAA compliance, click here.
To learn more about breaches and dangers facing health related applications, be sure to read Internet of Things (IoT): Hack My Hospital
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.