How to protect patient data and become HIPAA compliant
Learn about how the HIPAA Privacy and Security rules apply to data security in mobile health apps
App shielding protects eHealth apps against both static and dynamic cyberattacks and helps your organization become HIPAA compliant.
According to a report from Knight Ink and Approov, the 30 most popular eHealth apps are highly vulnerable to cyberattacks, enabling unauthorised access to full patient records such as protected health information (PHI) and personally identifiable information (PII). With the surge in demand for eHealth apps, as well as the rise of Bring Your Own Device (BYOD), cyberthreats facing healthcare organisations are growing increasingly complex.
In the US, the law governing the management, storage, and transmission of PHI is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA breaches, potentially devastating to both patients and healthcare workers, can also have severe reputational and monetary consequences for the companies responsible. For context, the average cost of a healthcare data breach rose to $9.42 million in 2021. Even for smaller companies, costs can be significant, with each HIPAA violation costing between $100 and $50,000 per patient record.
Why app shielding is important for healthcare apps
The latest Hype Cycle from Gartner recommends that high-value apps that store or access sensitive information should consider adopting application shielding.
Download the Gartner® Hype Cycle™ for Application Security 2022, to read more about why high-value apps must consider app shielding and recommendations from Gartner.
The app security implications of HIPAA compliance
While the goal of the HIPAA Privacy Rule is to ensure that all forms of PHI remain private, the HIPAA Security Rule differs in that it only applies to electronic protected health information (ePHI). The latter requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
Broadly speaking, eHealth apps and the APIs they call upon must be secured to prevent unauthorised access to personal data, and to ensure compliance with HIPAA and other regulations concerning personal health information. While there are lots of resources and guides on how to make apps HIPAA compliant, a good starting point is to make sure that you have the most important technical safeguards in place.
The HIPAA encryption requirements include both data-in-transit and data-at-rest encryption. All patient data, not just PHI, should be stored encrypted in the eHealth app. App developers should also ensure that the app communicates with backend servers over an encrypted channel, so that patient data cannot be intercepted by network-based attacks.
Review access controls
Access controls should include unique user identification, automatic logoff (apps must have a timeout that terminates a session after a certain amount of time), and permission limitations. As indicated by the HIPAA Privacy Rules, no one should see more patient health information than is required to carry out their responsibilities.
Ensure appropriate authentication
You also need to make sure that you put the appropriate patient authentication controls in place. In addition to username and password, your app should use biometric authentication or multi-factor authentication to achieve a higher level of security.
Secure your SDLC
Building security into your software development lifecycle (SDLC) is fundamental to creating an HIPAA compliant app. By continuously reviewing code for potential security vulnerabilities, you can prevent many from going into the production release.
Mitigate the OWASP Top 10
The OWASP Mobile Top 10 lists the 10 most common threats to mobile apps. We recommend that you focus on these while designing your eHealth app. Download our OWASP Mobile Top 10 checklist here, and explore how you can mitigate these threats.
In addition, it’s advisable to review the HIPAA Journal’s HIPAA Compliance Checklist, as well as the US Department of Health and Human Services’ (HHS) resources for eHealth app developers.
Beyond compliance with app shielding
Compliance with HIPAA and passing security assessments are just the tip of the iceberg when it comes to healthcare cybersecurity. A certain level of data protection is required by law, but as the threat landscape quickly evolves and becomes increasingly sophisticated, a comprehensive app shielding solution is required.
App shielding protects patient data against both static and dynamic cyberattacks. App shielding modifies an application’s byte or binary code, making it more resistant to intrusion, tampering, reverse engineering, and malware attacks, and should be your first line of defence when securing your eHealth app. With app shielding, sensitive app data such as patient data, encryption keys or backend API keys, are protected against attacks on user devices or within the app itself. By using techniques such as code obfuscation, layered encryption, and whitebox-backed security solutions like Secure Local Storage (SLS) and Secure Application ROM (SAROM), ePHI confidentiality is maintained.
When your app carries sensitive patient data, you should go beyond basic security to protect your app. Promon SHIELD™ is the most comprehensive app shielding solution on the market, and offers the security you need to protect patient data and achieve HIPAA compliance.