Health apps pose potential health data breach risks, FTC warns


On September 15, 2021, the Federal Trade Commission (FTC) issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the health breach notification rule. The rule requires the makers of these apps to notify consumers and others when their health data is breached.

Health apps, which can track everything from glucose levels and heart health to fertility and sleep, collect sensitive and personal data from individuals. These applications must meet requirements to ensure the security of the information they collect.

Still, hackers have managed to target health apps. “Modern healthcare applications, like other applications, typically rely not only on the client component, but also on a cloud backend,” said Drew Bagley, vice president and legal counsel for privacy and cyber policy for CrowdStrike, a cybersecurity technology company based in Sunnyvale, California. “We have seen many cases of adversaries taking full advantage of software supply chains. Adversaries target vulnerabilities using legitimate software packages. Thus, when an attack occurs, it is difficult to detect and mitigate stealthy propagation techniques that infect other systems on the network.”


Congress included specific provisions to strengthen the privacy and security protection of web-based businesses under the US Salvage and Reinvestment Act 2009. The act directed the FTC to ensure that companies contact their customers in the event of a security breach. The FTC subsequently issued the Health Breach Notification Rule, which requires sellers of personal health records and associated entities to notify consumers, the FTC and, in some cases, the media. The rule ensures that entities not covered by HIPAA are held accountable when sensitive consumer health information is breached. Businesses that fail to comply with the rule could face financial penalties of up to $43,792 per violation per day.

To make it harder for hackers to break into a network used by an application, Bagley said industries such as healthcare should integrate behavior-based attack detection solutions into their security systems, improve controls on the management of privileged credentials, and adopt real-time vulnerability management. “Ultimately, consumers should review the security and privacy practices of healthcare apps,” Bagley said.

The Health Sector Cybersecurity Coordination Council (HC3) of the Ministry of Health and Social Services provides a number of suggestions for defending against hackers. These include implementing whitelist technology to ensure that only authorized software is used and providing access control based on the principle of least privilege.

The latest surveys suggest spending on application security is set to increase 12.2% this year, from $3.3 billion to $3.7 billion, according to Seth Robinson, senior director of technology analysis at CompTIA, a non-profit trade association that issues professional certifications for the information technology industry. “The amount spent on application security, while increasing dramatically, is probably still insufficient. This is largely because so many companies have operated for so long in a secure perimeter mindset, and the concepts of securing individual applications or developing applications with integrated security are still not widely adopted in the commercial landscape,” said Robinson.

Keatron Evans, senior security researcher for the Madison, Wis.-based Infosec Institute, which provides role-based security awareness and training solutions for enterprises, said the application program interfaces (APIs) used by apps are a bigger problem than the apps themselves. These APIs allow apps to share information with other apps, such as a person’s location. “In some cases, they also accept or ingest information from other applications, locations or entities,” Evans said. “They are generally not secure and need to be locked out of the box. However, this locking process rarely occurs.”

Because physicians need to access information immediately, Evans said performance, speed, accessibility and ease of use take precedence over safety in most healthcare environments. “In some cases, doctors generate insecurity due to the expectation of faster and easier access,” Evans said.

This may be the case, for example, of a physician who wants 3 gigabyte X-ray or CT images for the greater visual detail they provide compared to the 200-megabyte resolution. “However, making the 3 gigabyte image on the iPad of a doctor connected to WiFi across the network appear in the fast rendering time he expects means that some security checks need to be removed or at least relaxed,” Evans said.

In some cases, doctors have to compromise between complying with HIPAA or detecting life-threatening illnesses earlier. Evans suggests doctors advise patients on cybersecurity issues and educate them about the potential risks associated with adding apps. “However, a doctor telling a patient about this could cause that patient to be reluctant to use the apps or not to use them at all. There is always a constant battle of functionality, ease of use and safety,” Evans said.

There have been HIPAA violations with healthcare apps, but these were generally associated with healthcare providers, not apps. When choosing an app, doctors should make sure it meets HIPAA requirements and has the appropriate business associate agreement under HIPAA, Evans said. He also suggests asking the application vendor if they regularly have their applications tested for security. “I would strongly recommend that they ask for the results of these tests and involve a security expert in the security conversation of any selected or potential application before integrating it into the organization as a service or offering,” Evans said.

