On September 15, 2021, the Federal Trade Commission (FTC) issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule. The rule requires the makers of these apps to notify consumers and others when their health data is breached.
Health apps, which can track everything from glucose levels and heart health to fertility and sleep, collect sensitive and personal data from individuals. These apps must meet requirements to ensure that the information they collect is secure.
Still, hackers have been successfully targeting health apps. “Modern health care apps, like other apps, generally rely upon not only the client component, but also a cloud backend,” said Drew Bagley, Vice President and Counsel for Privacy and Cyber Policy for CrowdStrike, a cybersecurity technology company based in Sunnyvale, California. “We’ve observed many instances of adversaries taking full advantage of software supply chains. Adversaries target vulnerabilities using legitimate software packages. So, when an attack occurs, it is difficult to detect and mitigate stealthy propagation techniques that infect other systems across the network.”
Congress included specific provisions to strengthen privacy and security protections for web-based businesses under the American Recovery and Reinvestment Act of 2009. The law directed the FTC to ensure that companies contact customers in the event of a security breach. The FTC subsequently issued the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers, the FTC, and in some cases the media. The rule ensures that entities not covered by HIPAA face accountability when consumers’ sensitive health information is breached. Companies that fail to comply with the rule could be subject to monetary penalties of up to $43,792 per violation per day.
To make it harder for hackers to breach a network used by an app, Bagley said sectors such as health care should integrate behavioral-based attack detection solutions into their security systems, improve controls for managing privileged credentials, and embrace real-time vulnerability management. “Ultimately, consumers should scrutinize the security and privacy practices of health applications,” Bagley said.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Council (HC3) provides a number of suggestions for defending against hackers. These include implementing whitelisting technology to ensure that only authorized software is used and providing access control based on the principle of least privilege.
The latest surveys suggest that spending on app security is expected to increase 12.2% this year, from $3.3 billion to $3.7 billion, according to Seth Robinson, Senior Director for Technology Analysis at CompTIA, a nonprofit trade association that issues professional certifications for the information technology industry. “The amount being spent on application security, while growing tremendously, still probably falls short. This is largely because so many companies have been operating for such a long time in a secure perimeter mindset, and the concepts of securing individual applications or developing applications with security built-in are still not widely adopted across the business landscape,” Robinson said.
Keatron Evans, Principal Security Researcher for Madison, Wisconsin-based Infosec Institute, which provides role-based security awareness and training solutions for businesses, said the application programming interfaces (APIs) used by the apps are a bigger problem than the apps themselves. These APIs enable the apps to share information, such as a person’s location, with other apps. “In some cases, they’re also accepting or ingesting information from other apps, locations or entities,” Evans said. “They are generally insecure and must be locked down out of the box. However, this locking down process rarely happens.”
Since physicians need access to information right away, Evans said performance, speed, accessibility, and ease of use take precedence over security in most health care environments. “In some cases, the physicians drive insecurity because of the expectations to have faster and easier access,” Evans said.
This might be the case, for example, for a physician who wants 3 gigabyte X-ray or computed tomography images for the greater visual detail they provide compared with 200 megabyte images. “However, getting the 3 gigabyte image to show up on a physician’s WiFi-connected iPad across the network, in the quick rendering time they’re expecting, means some security controls have to be removed or at least relaxed,” Evans said.
In some cases, physicians have to make a tradeoff between complying with HIPAA and detecting life-threatening diseases sooner. Evans suggests that physicians advise patients on cybersecurity concerns and inform them about the potential risks associated with adding apps. “However, a physician advising a patient of this could cause that patient to be hesitant to use the apps or not use them at all. There is always a constant battle of functionality, ease of use and security,” Evans said.
There have been HIPAA violations with health care apps, but these usually were associated with health care providers, not the apps. When choosing an app, physicians should ensure it meets HIPAA requirements and has the proper business associate agreement in place per HIPAA, Evans said. He also suggests asking the app vendor if they have their app security tested regularly. “I would strongly recommend they ask for the results of those tests and have a security expert involved in the conversation around the security of any selected or potential app before bringing it into the organization as a service or offering,” Evans said.