Health apps carry potential risks of health data breach, warns FTC

On September 15, 2021, the Federal Trade Commission (FTC) issued a policy statement confirming that health apps and connected devices that collect or use consumer health data must comply with the health violation notification rule. The rule requires the manufacturers of these apps to notify consumers and others if their health data is breached.

Health apps, which can track everything from glucose levels and heart health to fertility and sleep, collect sensitive and personally identifiable information from individuals. These apps must meet the requirements to ensure that the information they collect is safe.

Still, hackers have successfully targeted health apps. “Modern healthcare apps, like other apps in general, rely not only on the client component but also on a cloud backend,” said Drew Bagley, vice president and counsel for privacy and cyber policy at CrowdStrike, a cybersecurity technology company based in Sunnyvale, California. “We have seen many cases of adversaries taking full advantage of software supply chains. Attackers attack vulnerabilities with legitimate software packages. So when an attack occurs, it is difficult to identify and counter covert propagation techniques that are infecting other systems across the network.”


Congress included specific provisions to strengthen privacy and security for web-based businesses under the American Recovery and Reinvestment Act of 2009. The act instructed the FTC to ensure that businesses contact customers in the event of a security breach. The FTC subsequently issued the Health Injury Notification Rule, which requires personal health record providers and related facilities to notify consumers, the FTC and, in some cases, the media. The rule ensures that companies not covered by HIPAA are held accountable when consumers’ sensitive health information is breached. Organizations that do not follow the rule can face fines of up to $43,792 per violation per day.

To make it more difficult for hackers to break into a network used by an app, sectors like healthcare should incorporate behavior-based intrusion detection solutions into their security systems, improve controls over privileged credentials management, and leverage real-time vulnerability management. “Ultimately, consumers should carefully examine the safety and privacy practices of healthcare applications,” said Bagley.

The Department of Health’s Health Sector Cybersecurity Coordinating Council (HC3) has a number of suggestions to deter hackers. These include implementing whitelisting technology to ensure that only authorized software is used and providing least privilege access control.

According to Seth Robinson, senior director for technology analysis at CompTIA, a nonprofit trade association that issues professional certifications in information technology, the latest surveys suggest that app security spending this year will rise 12.2%, from 3.3 billion US dollars to 3.7 billion US dollars. “The amount of money being spent on application security is growing tremendously, but it’s probably still too short. This is mainly because so many companies have had a secure perimeter mindset for so long and the concepts of securing individual applications or developing applications with built-in security are still not widely adopted in the business landscape,” said Robinson.

Keatron Evans, principal security researcher at Madison, Wisconsin-based Infosec Institute, which provides role-based security awareness and training solutions for businesses, said application program interfaces (APIs) used by the apps are more of a problem than the apps themselves. APIs allow the apps to share information with other apps, e.g., the location of a person. “In some cases, they also accept or inherit information from other apps, locations, or entities,” said Evans. “They are generally unsafe and need to be locked out of the box. However, this blocking process rarely takes place.”

With doctors needing instant access to information, performance, speed, accessibility, and ease of use take precedence over safety in most healthcare settings, Evans said. “In some cases, doctors create uncertainty because they expect faster and easier access,” said Evans.

For example, this could be the case with a doctor who wants 3 gigabytes of X-ray or computed tomography images for the greater visual detail they provide compared to the 200 megabyte resolution. “However, if the 3-gigabyte image is displayed over the network on a doctor’s WiFi-connected iPad in the expected fast rendering time, some security controls need to be removed or at least relaxed,” said Evans.

In some cases, clinicians have to compromise between adhering to HIPAA or early detection of life-threatening diseases. Evans suggests that doctors advise patients on cybersecurity concerns and inform them of the potential risks associated with adding apps. “However, a doctor who points this out to a patient could lead to the fact that he or she hesitates to use the apps or does not use the apps at all. There’s always a constant battle for functionality, usability, and security,” said Evans.

There have been HIPAA violations with health apps, but these were usually associated with health care providers, not the apps. When choosing an app, clinicians should ensure that it meets HIPAA requirements and has the correct affiliate agreement under HIPAA, Evans said. He also suggests asking the app provider if they have their app security tested on a regular basis. “I would strongly recommend asking about the results of these tests and involving a security professional in the discussion about the security of a selected or potential app before bringing it to the company as a service or offering,” said Evans.

This article originally appeared on Kidney and Urology News.
