Modern-day patients are so taken with the benefits and convenience of smartphone health apps that they rarely think twice before trusting a provider with their sensitive and personally identifiable information. Providers, too, often do not adopt all the stringent security measures needed to protect patient data from unauthorized access unless regulatory authorities compel them to.
Healthcare mobile applications are double-edged swords. On one hand, mHealth apps have delivered outcomes for patients, doctors, and service providers that were previously unthinkable. On the other hand, the use of smartphone apps in healthcare has made patient data all the more vulnerable to security threats. Healthcare data is the most valuable data on the dark web these days, and health data breaches in recent years have compromised the records of millions of patients.
This post discusses the reasons why there is an urgent need for regulatory governance and legal frameworks for healthcare app development.
The Current State of Healthcare App Security
Medical apps are supposed to follow the practices, strategies, and regulatory requirements mandated by government authorities to minimize the chances of a security breach. But do all health apps follow standard security practices? Let’s explore!
Cybersecurity researcher Alissa Knight conducted a thorough analysis of 30 popular smartphone healthcare apps, and the findings are alarming. Every one of these apps had security vulnerabilities, and the flaws identified across the 30 apps together could expose the sensitive information of around 23 million users.
Here are some shocking stats of the research study:
1. The API keys of 77% of the medical mobile apps were hardcoded and some of these didn’t expire.
2. 7% of the apps had usernames and passwords hardcoded in plain text.
3. 50% of the API vulnerabilities detected within healthcare apps would enable attackers to access private and sensitive patient information such as personally identifiable data, EHRs (Electronic Health Records), and medical billing details.
4. 100% of the 30 healthcare apps tested were exposed to BOLA (Broken Object Level Authorization) attacks. In such an attack, the attacker manipulates user or record identifiers in API requests to reach objects that belong to other users.
5. 100% of the apps did not implement “certificate pinning”, the technique that compels a health app to verify the server’s certificate against an authentic, known copy. This left the apps highly vulnerable to man-in-the-middle attacks.
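The BOLA finding above (item 4) comes down to one missing check in the backend: the handler authenticates the caller but never confirms that the requested object belongs to that caller. The following example, added here and not taken from the study or any of the apps it examined, contrasts the vulnerable handler with a hardened one over a constructed in-memory record store and session table; the record ids, session tokens and patient names are all made up for illustration.

```python
from dataclasses import dataclass


# Constructed stand-in for the app's backend database.
@dataclass(frozen=True)
class HealthRecord:
    record_id: str
    owner_id: str
    diagnosis: str


RECORDS = {
    "rec-1001": HealthRecord("rec-1001", "patient-alice", "seasonal allergies"),
    "rec-1002": HealthRecord("rec-1002", "patient-bob", "type 2 diabetes"),
}

# Constructed session table: an opaque session token maps to the authenticated user.
SESSIONS = {
    "tok-alice": "patient-alice",
    "tok-bob": "patient-bob",
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def authenticate(session_token: str) -> str:
    """Resolve the caller's identity from the session, never from a user id
    supplied in the URL or request body (which the client controls)."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Forbidden("invalid session")


def get_record_vulnerable(session_token: str, record_id: str) -> HealthRecord:
    """BOLA pattern: the caller is authenticated, but the object is returned to
    anyone who can guess or enumerate its identifier."""
    authenticate(session_token)
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id)


def get_record(session_token: str, record_id: str) -> HealthRecord:
    """Hardened handler: the object's owner is compared with the caller
    resolved from the session before anything is returned."""
    caller = authenticate(session_token)
    record = RECORDS.get(record_id)
    # Same "not found" for missing and foreign records, so the error itself
    # does not confirm that another patient's record id exists.
    if record is None or record.owner_id != caller:
        raise NotFound(record_id)
    return record


def bola_attempt_blocked(session_token: str, record_id: str) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        get_record(session_token, record_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    print(get_record_vulnerable("tok-alice", "rec-1002"))  # leaks Bob's record
    print(bola_attempt_blocked("tok-alice", "rec-1002"))   # hardened handler: True
```

The ownership comparison belongs in every handler that takes an object identifier (read, update, delete, list), and the identity it compares against must come from the verified session, which is what makes "counterfeiting" a user id in the request ineffective.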
Potential Risks of Hardcoding API Keys
APIs establish communication between mobile apps and a hospital’s infrastructure, a cloud service, or a physical server, and they facilitate data exchange. API keys authenticate the application to other services, such as payment processing. They are confidential credentials that need to be secured, and hardcoding API keys or other crucial credentials into mobile/web apps exposes health data to security breaches. According to research conducted by Gartner, by the year 2022 API vulnerabilities will be the major cause of data breaches for enterprise apps.
It is common practice for healthcare app developers to hardcode confidential app data directly into the app’s source code and rely on obfuscation to protect it. Such measures are not sufficient to protect health data: attackers can recover this data with little effort by reverse-engineering the application. Once an attacker has the API keys, they can build new software that presents itself exactly like the genuine application and make arbitrary API calls with it. They can also reach the app’s back-end infrastructure, interact with the servers, and thereby collect sensitive patient information.
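Two defensive controls follow from this section: detect hardcoded credentials before the build ships, and load the real credential at runtime from the environment or platform keystore instead of embedding it. The example below is added here and is not code from the study, Gartner, or any app vendor; the regular expressions, the environment variable name `HEALTH_API_KEY`, and the sample source fragment are all assumptions constructed for illustration.

```python
import os
import re

# Assignment patterns for the credential types the study found hardcoded:
# API keys and plain-text usernames/passwords written directly into source.
SECRET_PATTERNS = [
    ("api_key", re.compile(
        r"""(?i)\b(api[_-]?key|apikey|secret[_-]?key)\b\s*[:=]\s*["']([^"']{8,})["']""")),
    ("password", re.compile(
        r"""(?i)\b(password|passwd|pwd)\b\s*[:=]\s*["']([^"']+)["']""")),
]


def find_hardcoded_secrets(source: str):
    """Return (line_number, kind, variable_name) for each suspicious assignment.
    Comment lines are skipped so that the scanner reports live code only."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("#", "//")):
            continue
        for kind, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, kind, match.group(1)))
    return findings


# Constructed sample resembling what a decompiled app's config module might contain.
SAMPLE_SOURCE = '''\
BASE_URL = "https://api.example-health.invalid/v1"   # placeholder host
API_KEY = "sk_live_0123456789abcdef0123"             # hardcoded, never expires
username = "svc_ehr_sync"
password = "Summer2021!"                              # plain-text credential
# password = "old-value"  (commented out; ignored by the scanner)
timeout = 30
'''


def load_api_key(env_var: str = "HEALTH_API_KEY") -> str:
    """Hardened alternative: read the key from the runtime environment (or the
    platform keystore) so it never ships inside the binary. Failing closed is
    deliberate: a missing key must not silently fall back to a default."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a key")
    return value


if __name__ == "__main__":
    for lineno, kind, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded {kind} in variable {name}")
```

Running the scanner over `SAMPLE_SOURCE` flags line 2 (the API key) and line 4 (the password) and ignores the commented-out line; wiring `find_hardcoded_secrets` into a pre-commit hook or CI step catches the pattern before a release is built, and keys that do ship should be scoped and rotated, since a key that never expires stays valid for as long as the decompiled binary circulates.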
Consequences of Healthcare Data Breaches
Healthcare data breaches can lead to hefty fines for the app provider owing to HIPAA/GDPR violations as well as reputational damage for medical organizations.
Patients whose data gets compromised lose their privacy and may face discrimination at their workplaces and in their social circles owing to certain health conditions. Certain businesses might misuse patient data to steer patients into making unreasonable purchases. Leaked payment information and credentials can result in direct financial losses, and exposed personal information may be misused by hackers to cause harm.
What’s the Solution for Healthcare App Security Woes?
There are regulatory regimes that apply to health apps, such as HIPAA, GDPR, and FDA rules. Nevertheless, these mandates fail to cover all areas of health app vulnerability, specifically smartphone health apps, and there is ambiguity about how the regulatory requirements of these entities apply to mobile health applications. Hence, there is an urgent need for additional rules and regulations and, more importantly, clarity on mobile health app regulatory protocols. Regulatory bodies in government and the healthcare industry should devise additional guidelines for healthcare app developers and medical app distributors covering the areas that existing compliance requirements leave out. Such guidance will help maintain the quality, transparency, accountability, genuineness, and reliability of a healthcare application.
Security Protocols to be followed during Healthcare App Development
Healthcare app developers must ensure that data is encrypted both in storage and in transit. They must also enforce the required authentication controls and guard against the app being run on a jailbroken device. The app must be designed so that the server can tell whether the copy running on a user’s smartphone has been tampered with. Besides implementing security measures during healthcare app development, an app must also be monitored continuously after deployment.
Figure (not reproduced here): how the data encryption process works, and how data is encrypted while being transferred to cloud storage systems.
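Encryption in transit only protects patient data if the app is talking to the real backend, which is what the certificate pinning finding (item 5 of the study) is about: with pinning, the app accepts the server’s certificate only if it matches a copy shipped with the app, so a man-in-the-middle proxy holding some other locally trusted certificate is rejected. The example below is added here and is not code from the study or any app it examined; it uses only the Python standard library, pins the SHA-256 fingerprint of the leaf certificate, and the `PLACEHOLDER_PINS` values are obviously constructed stand-ins for a real backend’s fingerprints.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """Raised when the server's certificate matches none of the stored pins."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """Compare the presented certificate against the pins shipped with the app."""
    return fingerprint(der_cert) in pins


def open_pinned_connection(host: str, port: int, pins: set,
                           timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that passes the normal chain and hostname checks
    AND presents a pinned certificate. Pinning is layered on top of, not
    instead of, standard validation."""
    context = ssl.create_default_context()  # CA validation + hostname check stay on
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der_cert = tls.getpeercert(binary_form=True)
    if der_cert is None or not pin_matches(der_cert, pins):
        tls.close()
        raise PinMismatch(f"certificate presented for {host} matched no pin")
    return tls


# Constructed placeholders: a real app ships the fingerprints of the backend's
# current AND next certificate so that certificate renewal does not lock clients out.
PLACEHOLDER_PINS = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # current cert
    "1111111111111111111111111111111111111111111111111111111111111111",  # next cert
}


if __name__ == "__main__":
    # Offline demonstration of the check itself on constructed certificate bytes.
    sample_cert = b"constructed DER bytes standing in for a certificate"
    print(pin_matches(sample_cert, {fingerprint(sample_cert)}))  # True
    print(pin_matches(sample_cert, PLACEHOLDER_PINS))            # False
```

Pinning the whole leaf certificate is the simplest form and is what this example does; its cost is that every certificate renewal needs a pin update, which is why the pin set carries a backup entry. Pinning the public key (SPKI) instead survives renewals that keep the same key, at the price of a small DER parser, and either way the app should fail closed on a mismatch rather than fall back to an unpinned connection.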
Practices to Combat Healthcare App Security Threats
App developers must furnish information on the app’s major stakeholders, monetization strategy, scientific sources, privacy policies and practices, consent methods, and so on to government authorities. This will enable consumers to use healthcare apps securely and protect their privacy during app usage.
As per app store policies and the healthcare industry protocols concerning electronic transactions within an app, consumers are owed a refund by the app owners if the app fails to function as promised. But not all apps adhere to this business protocol. Moreover, app subscriptions can run indefinitely unless consciously stopped by consumers. Furthermore, there isn’t any government regulation limiting in-app promotions and purchases in medical apps, other than for apps meant for kids.
For this reason, developers must strictly follow the legal protocols regarding consumer advertising and be transparent about the financial expenses involved in app downloads and usage. App distributors must also impose time limits on subscription payments, specifically when an app remains unused for a long duration, and put refund practices in place for any unintended payments made by patients. Repeated requests for in-app purchases must also be avoided, particularly in apps that target vulnerable audience groups, such as mental health apps.
Legal Framework for Multi-dimensional Assessment of Mobile Health Apps
Several health apps have been successful in escaping the attention of regulatory authorities as they are not even considered to fall under the category of healthcare devices. Moreover, even where regulatory frameworks exist, not all healthcare entities follow such regulations and there isn’t any protocol to make sure that all covered entities are complying with established standards. Furthermore, there’s hardly any regulatory guidance for apps implementing complex technologies like AI, ML, etc. as there’s no assessment model that will weigh the risk factors and implementation requirements of diverse digital technologies.
Therefore, international agencies and industry veterans urge the need for a legal framework that mandates a set of regulatory guidelines for classifying smartphone healthcare apps and defining the pre-market route of these apps. There has to be a common legal framework that assesses a health mobile app across multiple dimensions. This framework should be systematic and comprehensive enough to serve a wide range of functions including regulating market authorization/purchasing procedures, the secure usage of mHealth apps, etc.
Final Verdict:
The security vulnerabilities existing in modern-day medical apps and solutions and the severe repercussions of a data breach come with a heavy price for patients as well as providers. Hence, there is a dire need for legal frameworks and regulatory governance to protect healthcare data from security threats. Also, the government authorities must ensure that all healthcare apps are implementing the established standards.
If you are a healthcare provider planning to create a highly functional, future-friendly app that adheres to regulatory requirements, it’s advisable to look for outsourced assistance. Partner with professional and experienced healthcare app development services in the USA that will provide end-to-end encryption for the sensitive data flowing through the application.