Internet privacy and security are on everyone’s mind again with the recently disclosed Yahoo breach, thought to be the largest online security breach of all time with over 1 billion accounts affected back in 2013. But even smaller breaches warrant the tech industry’s attention and a concerted effort to curtail them, because the issue is hindering progress.
Just recently, Wandera released a new report on data security showing that “more than 200 mobile apps and websites were leaking personally identifiable information over the course of the last year,” and that of ten apps in the “top downloads” of both Google and Apple’s app stores, nearly all of them had significant security issues, weaknesses, and vulnerabilities.
Securing our most sensitive data: health information
As more users turn to mobile healthcare apps, we are quickly headed toward a future where our most sensitive information is at risk of being exposed. One such nightmare scenario happened just a few days before the Yahoo breach: a mobile health app by Quest Diagnostics was hacked, leaking the personal information of 34,000 patients, including names, birthdays, and even lab results.
Fortunately, there doesn’t seem to be any sign that the information was misused and Quest said they will be working with a cybersecurity business to prevent similar hacks in the future. But that raises a question: why weren’t cybersecurity experts involved in the beginning while the app was being designed?
Hindsight is 20/20, but this breach shows what app developers and the companies commissioning healthcare apps need to do to ensure the security of their user information. Here are three steps to take to improve security.
1. Bring up-to-date security experts in at the start.
Healthcare apps need to be secure to protect the patient, but also to gain the trust of doctors and physicians who might recommend them and participate in their usage. According to Karthik Ranjan, Director of Healthcare Technology at ARM, “[Doctors] get very nervous when you say that they have the same level of liability to treat a remote patient. It means you have to be able to trust the data in front of you.”
As healthcare apps get more sophisticated, consumers at both ends (patient and doctor) need to have confidence in the app’s data accuracy and data security. If there’s no trusting an app, it’ll never be used. Bringing in security experts from the get-go who are versed in current encryption technology and best practices is key to building that confidence.
2. Stay abreast of recommended security guidelines from trusted sources.
The American Medical Association (AMA) recently approved a list of guidelines for the use of mHealth apps and devices. While the AMA made some great decisions in terms of making sure healthcare apps protect the user physically and mentally, the list seemed a bit lacking when it came to protecting user information. Basically, it recommends that mHealth apps adhere to state and federal privacy and security laws.
This sounds good in theory, but state laws concerning online and mobile devices are all over the map. The technology is still so relatively new, and governments move so (unrelatively) slow, that these laws might not provide the level of security healthcare apps truly need.
Perhaps that’s why the AMA has come together with the American Heart Association, Healthcare Information and Management Systems Society, and digital health nonprofit DHX Group to form Xcertia, a guideline-writing organization to provide the best recommendations when developing mobile healthcare apps.
This is great news for the healthcare industry. A trusted group of tech experts and physicians coming together to put forth best app practices is exactly what we need to codify app security and hold developers to a higher standard. As you develop your healthcare app, keep watch on Xcertia’s guidelines to make sure your app abides by their rigorous recommendations.
3. Invest heavily in security.
Yahoo’s mobile breach will cost them dearly. Even for smaller breaches in the US, it’s estimated to cost between $250,000 and $400,000 to remedy issues after they occur. Just like in medicine, prevention is the cheapest treatment. But unfortunately, data shows that the spending isn’t on par with what it should be.
A recent survey from Jamf of healthcare IT leaders showed that security and data privacy are the top concerns, pulling in 83% and 77% of the votes, respectively. However, spend on security only ranked 3rd. Of course, securing an app doesn’t have to be the most expensive investment, but the survey also showed that 27% of respondents said they weren’t fully confident in their mobile solution and nearly half didn’t feel confident in their organization’s ability to adapt to changing HIPAA (Health Insurance Portability and Accountability Act) policies.
Again, confidence in the security of the app is key. And seeing how expensive privacy breaches can be, app developers need to invest heavily in security at the very beginning to ensure the sanctity of patient information.
At the end of the day, you want a doctor you trust and doctors want technology they trust. Only then does medicine advance. We are on the cusp of a healthcare revolution based in mobile technology. Security and privacy are huge issues the industry needs to address head on before better care can reach the masses who need it.
What do you think about mobile healthcare privacy and security?