For mHealth, mobile devices, including wearables, present prolific opportunities for healthcare professionals to improve how they do their job and ultimately improve the level of care they give to patients. However, there are a variety of factors that organisations need to be aware of when developing mobile solutions for healthcare. Security, privacy and protecting patient data must all be high on the agenda when considering the deployment of mHealth as it continues to change the way we manage wellbeing.
Making sensitive medical information available, often on multiple devices, leaves patients’ personal information vulnerable to unauthorised access or, worse, unsolicited changes to a patient’s medical records. As such, governing bodies such as the FDA are enforcing regulations on the healthcare industry and solution providers to ensure that the risk to patients is minimised. The FDA has decided, however, that it will not regulate apps that don’t have what is defined as a “medical function, or medical device data systems (MDDSs)”. MDDSs are hardware or software products that transfer, store, convert formats, and display medical device data.
Therefore, companies need to consider all aspects of security and data protection, to ensure that they are not putting end users in a vulnerable position.
So what is needed to ensure the security of health apps, devices and assets?
Devices can be stolen, hacked or lost, as can the data going to and from the device. During the solution architecture phase of creating apps, it is important to review the data in transit, to ensure the data is being sent in the most secure manner for the context of the app.
For health apps, it’s not so much the app that needs to be secured, but the back-end systems where the data is stored. Data that is stored off the device is exposed to a breach of any back-end or cloud-based system that holds it. The data needs to be sent over an HTTPS connection, or for some health apps over a VPN connection, to ensure it is direct and secured.
While using an SSL connection will protect the data in transit, the data also needs to be encrypted on the device before sending. This entails using a decryption key on the device and server.
Encryption of data at rest is also an important consideration, as is the question of which data is actually being sent or stored. During the solution architecture phase, the data being proposed for the app is analysed to see what data is needed in the app, whether it needs to be persisted and the potential impact of data leakage. High-risk data needs to be sent in an encrypted form and never cached or stored.
When it comes to third party health devices, such as wearables, which are being securely paired via Bluetooth, intercepting data proves to be difficult without direct access to the device it is paired with.
How can we secure the data that is being transmitted?
Through good planning. If a dataset is considered sensitive then it should be properly evaluated before being used in an app. Data should never be sent in the clear. Certificate pinning can (and should) be used as an addition to SSL. This means that as well as the device checking the authenticity of the server, the server can also ensure the incoming request is authentic.
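The client-side check that certificate pinning adds on top of SSL/TLS, as an added example that is not part of the original article: the app ships with SHA-256 fingerprints of the server certificates it expects and refuses any connection whose certificate matches none of them, even when the normal chain validation succeeds. The function names, the pin set and the stand-in certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server certificate is not one the app was shipped to trust."""


def fingerprint(der_cert):
    """Hex SHA-256 of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    """True if the certificate's fingerprint equals any pinned value."""
    seen = fingerprint(der_cert)
    # Check every pin (no early exit) with a constant-time comparison.
    results = [hmac.compare_digest(seen, p.lower()) for p in pins]
    return any(results)


def open_pinned(host, pins, port=443, timeout=10.0):
    """Open a TLS connection and fail closed unless the leaf certificate is pinned."""
    ctx = ssl.create_default_context()  # chain and hostname validation stay enabled
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pins):
        tls.close()
        raise PinMismatch("certificate for %s matches no pinned fingerprint" % host)
    return tls


# Constructed stand-ins for DER certificate bytes (not real certificates).
CURRENT_CERT = b"constructed: certificate currently served by the health API"
BACKUP_CERT = b"constructed: replacement certificate held ready for rotation"
ROGUE_CERT = b"constructed: certificate from a CA the device trusts but the app does not expect"

# Pins shipped inside the app. The backup pin lets the server rotate its
# certificate without locking out installed copies of the app.
PINS = {fingerprint(CURRENT_CERT), fingerprint(BACKUP_CERT)}

if __name__ == "__main__":
    for name, cert in (("current", CURRENT_CERT), ("backup", BACKUP_CERT), ("rogue", ROGUE_CERT)):
        print(name, "accepted" if pin_matches(cert, PINS) else "rejected")
```

Because the pin here covers the whole certificate, every renewal changes the fingerprint, which is why a backup pin is shipped alongside the current one.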
The responsibility to secure mHealth data, users and apps lies with the developers and companies creating them. Any breach of the data would be catastrophic for the companies behind the apps focused on mHealth. Already, Apple has revised its rules, which will dictate that any developer selling health information on to third parties will have their apps removed from the App Store.
However, responsibility also has to lie with the end users. They need to take care to protect their devices and to ensure they use password protection, or other tools such as TouchID where available. In an enterprise environment, mobile device management (MDM) policies need to be implemented by companies, to ensure that data and privacy are not lost through careless use.
Google and Apple have put in place the appropriate protection for the data stored on devices, to protect the users against the consequences of any fallout. When it comes to mobile app security, companies need to work closely with developers to ensure that all aspects of security and data privacy are considered. The failure to do so will not only affect the adoption and use of the app, but leave sensitive data vulnerable to misconduct, leaving you in deep water.