Seven safeguards for your mHealth app

With cyberattacks from all sources on the rise, and mHealth apps being used by providers in care coordination, telehealth, patient engagement and PHRs, Practice Unite, which has experience in this area from designing customized app platforms for healthcare organizations’ patient and clinician communications, notes in its blog seven points for developers to keep in mind:

1. Access control: unique IDs assigned to each user, remote wiping of the mHealth app from any user’s device.
2. Audit controls
3. Authentication
4. Integrity controls, such as compartmentalization, to ensure that electronically transmitted PHI is not prematurely altered or corrupted
5. Transmission security: data encryption at rest, in transit, and on independently secured servers protects PHI at each stage of transmission
6. Third-party app integration: must fully comply with HIPAA safeguards
7. Proprietary data encryption

But all seven points need backing from the top on down in a healthcare organization. (More in the article above)

Why healthcare doesn’t encrypt: correct, incorrect assumptions

As our readers know, we’ve preached the Gospel of Data Security for quite a while, to the point where even The Gimlet’s Eyes have crossed. Based on this smart analysis in Healthcare IT News (done by an outsider to healthcare), there are real reasons why HIT leaders are reluctant to implement encryption and security that would be SOP for other types of organizations. Mr. Schuman sorts the ‘drag the feet’ factors:

  1. Outdated but still widely believed: Encryption makes information less accessible across a broad network, increasing retrieval and review time. There is increased, not decreased, pressure to expand access, including by practices and patients, as part of Meaningful Use (US).
  2. Encryption as a barrier: Providers see encryption as increasing time, decreasing usability of systems and making workarounds more difficult.
  3. Encryption not permitted: Equipment designed with a specific hardware/software configuration blocks security add-ins. The logic is that any add-ins, even for security, could and do compromise performance. They thus violate manufacturers’ warranties and leave hospitals/practices open to legal action if equipment does not perform as intended.
  4. It’s complicated and pricey: Encrypting a proliferating multiplicity of devices and systems takes manpower, which is not only scarce but also expensive. The good intentions are there; the money is not.

The solution may lie in encrypting data between applications, not in the hardware/software itself. Hat tip to reader ‘Klondike Playboy’ John Boden.