The hidden risk of mHealth apps

March 12, 2015

Mobile device health apps have the potential to transform healthcare, but their exploding use is also giving rise to new concerns about privacy and security.

Mobile device health (mHealth) apps have the potential to transform healthcare and achieve the triple aim of improving the patient experience, improving the health of populations and lowering healthcare costs. But their exploding use is also giving rise to new concerns about privacy and security.

mHealth apps are used to process and/or store protected health information (PHI) and are governed by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, they require “covered entities” such as insurance plans and healthcare providers to safeguard PHI. Under HIPAA, PHI security breaches require notification of persons whose protected information may have been compromised and can result in penalties up to $50,000 per incident.

Covered entities are liable for the security of PHI when the data is on the entity’s servers, says Adam H. Greene, J.D., MPH, formerly a senior health information technology and privacy specialist at the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) and now a partner in the Health IT/HIPAA practice at global law firm Davis Wright Tremaine.

“Essentially, if an app is offered by a HIPAA-covered entity, HIPAA will apply to the information when it is on the covered entity’s servers or a cloud provider’s servers on the covered entity’s behalf,” says Greene. “Once the information reaches the consumer’s phone, even through a HIPAA-covered, entity-issued app, it arguably is no longer subject to HIPAA.”


The biggest risk for covered entities is that the app “could be used as a public-facing gateway by hackers to impermissibly obtain protected health information. The purpose of the app generally does not matter--for example, a customer service app likely is covered by HIPAA in the same way as a wellness app,” says Greene.

For health insurers, the threat may not be limited to PHI stored on the device. Cell phones and other mobile electronic devices are attractive targets for thieves in part because they contain personal information that can be used in fraudulent financial transactions. Even with common security measures such as passwords, they’re often easy to compromise, according to Keith Katz, vice president for management products with the Orlando, Florida, app developer Kony, Inc.

Once a hacker has penetrated an app and gained access to a user’s credentials, he or she may be able to penetrate the company’s other data systems, obtaining even more sensitive and valuable information, says Katz.

“This is why a mobile-centric comprehensive security solution is needed, typically referred to as an EMM solution,” Katz adds.


Managing risk

HIPAA requires covered entities, including health insurance plans, to review their security risk analysis when deploying new technology or in response to new security threats. The Administrative Safeguards provisions of the HIPAA Security Rule require a four-step risk analysis as part of that process:

  • Evaluate the likelihood and impact of potential risks to PHI;

  • Implement appropriate security measures to address those risks;

  • Document (and in some cases give a rationale for) those security measures; and

  • Maintain continuous, reasonable, and appropriate security protections.

Advises Greene, “Covered entities offering apps should ensure that the protected health information that is transmitted or stored by the covered entity through the app is included in the covered entity’s (HIPAA) information security risk analysis, and that the risk analysis considers a variety of threats.” In fact, the OCR takes into consideration updated risk assessment and security measures when determining penalties for HIPAA violations.

But HIPAA technical compliance guidelines have not been updated in the past eight years, while the mobile health app has emerged largely over the past six years, and mHealth app developers have long complained that the current HIPAA compliance guidelines are inadequate.

In January, HHS Secretary Sylvia Burwell announced the OCR is developing new technical compliance guidelines to help mHealth developers meet HIPAA security requirements, though no release or compliance date has been named.

Additional regulations pertinent to mHealth security could also come as a result of a bipartisan cybersecurity investigation, announced February 6 by the Senate Health, Education, Labor and Pensions Committee. The committee reportedly plans to consider mandatory encryption of all electronic PHI. The National Institute of Standards and Technology (NIST) and a planned new “roadmap” for health information technology, in the final phase of development by the Office of the National Coordinator for Health Information Technology, might also provide new guidance on mHealth development over the coming months.

Still, while current guidance from the FDA and Federal Trade Commission (FTC) can help insurance plans avoid violating federal health device marketing or antitrust laws, approval or exemption of apps by those agencies does not imply compliance with HIPAA, say experts. Enforcement authority for the federal healthcare privacy and protection rules lies solely with the HHS’ OCR.

New and old solutions

The emergence of mHealth is requiring health plans to learn about and invest in digital technology platforms and systems such as virtual private networks (VPNs), virtual private clouds (VPCs), and virtual mobile infrastructure (VMI). The latter is roughly equivalent to the virtual desktop infrastructure (VDI) technology now used on some personal computers: with VMI, the mobile device accesses apps running on a remote computer rather than downloading them to the device, so the PHI stays on the server side.


The extra security afforded by VMI makes it ideal for healthcare environments, particularly amid the growing popularity of bring-your-own-device (BYOD) policies, according to Israel Lifshitz of Nubo, which markets mobile workspace software.

But passwords are still the most common means used to protect healthcare data on mobile devices, according to the most recent Healthcare Information and Management Systems Society (HIMSS) poll. Health plans may wish to consider education programs that remind members, providers and business associates to install and enable authentication, encryption, wiping, remote disabling and other security measures on their mobile devices.

Even the use of encryption--highly encouraged by the HHS and generally considered to render data secure under HIPAA--may need to be reviewed in the mHealth environment. That’s because some downloadable mHealth apps include the encryption key, making it available to a hacker if a mobile device is stolen, security experts warn.
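The embedded-key problem described above is easy to catch before an app ships. The following is an added example, not code from the article or from any vendor it names: a small code-review check that scans source or configuration lines for key-like names assigned to literal strings and flags values that look like real key material (long hex strings or high-entropy text). The SAMPLE_SOURCE lines are constructed for the example.

```python
import math
import re

# A name containing key/secret/passphrase/iv assigned (= or :) a quoted literal
# of 8+ characters. Written for this example; tune the keywords to the code base.
ASSIGN_RE = re.compile(
    r"""(?i)\b(?P<name>[A-Za-z_]*(key|secret|passphrase|iv)[A-Za-z_]*)"""
    r"""["']?\s*[=:]\s*["'](?P<value>[^"']{8,})["']"""
)
HEX_KEY_RE = re.compile(r"[0-9a-fA-F]{32,}")  # 128-bit or longer key as hex


def shannon_entropy(s: str) -> float:
    """Bits per character. Random key material scores high; words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_keys(lines, min_entropy=4.0):
    """Return (line_no, name, value) for literals that look like embedded keys.

    A key that passes this check belongs in the platform keystore or should be
    derived from a user credential at runtime, so that a stolen device (or a
    copy of the app package) does not hand the attacker the decryption key.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        if HEX_KEY_RE.fullmatch(value) or shannon_entropy(value) >= min_entropy:
            hits.append((line_no, m.group("name"), value))
    return hits


# Constructed sample lines: two embed key material, three are benign.
SAMPLE_SOURCE = [
    'private static final String AES_KEY = "7f3a9c2e1b8d4f60a5c7e9b1d3f5a7c9";',
    'String keyLabel = "encryption key";',
    'SecretKey key = keyStore.getKey(alias, null);',
    '"api_secret": "Ab3dEf7gHi9jKl2mNo5pQr8sTu1vWx4y",',
    'String serverUrl = "https://example.invalid/api";',
]

if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} is assigned key-like literal {value!r}")
```

The entropy threshold is a heuristic; English phrases such as "encryption key" stay below it while random 32-character tokens score near 5 bits per character, and the hex rule catches raw AES keys whose entropy is lower.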

Bob Pieper is a freelance healthcare writer based in St. Louis.