Jan 12 2022

How Secure Is Your mHealth App?

It’s time to check up on mHealth app strategies to ensure patient safety and privacy are front of mind.

Smartphone users have access to their bank accounts, favorite stores and nearby restaurants, all at their fingertips. Increasingly, they’re also gaining access to their healthcare data, whether it’s through a consumer application or their provider’s patient portal.  

Mobile health (mHealth) apps can empower patients, streamline communication, and provide real-time monitoring and self-management of medical conditions. However, because these apps collect and transmit personally identifiable information and protected health information, often sharing such data with multiple entities, they are particularly vulnerable to cyberthreats.

For healthcare organizations evaluating their mHealth app strategies, here are a few key security and deployment considerations. 


Risks Abound for mHealth Apps

The three major risk categories for mHealth apps are poor design, device vulnerabilities and user habits. 

When it comes to an app’s design, developers may not take the appropriate steps to ensure data security at all levels, including the device, the network and the data center. A HealthGlobal study found that more than 80 percent of apps tracking COVID-19 infections leak data, and more than 70 percent of medical apps tested have at least one high-level security vulnerability.

Second, the device itself can pose a risk. Smartphones may be stolen or subject to unauthorized use.

Users represent a third type of risk: If they share passwords, or mix personal and work use, users increase security risks. Many smartphone users say they are worried about privacy, but their careless behavior often belies such concerns, resulting in a “privacy paradox.” Unfortunately, people often make poor privacy and security decisions.


Breaking Down the Anatomy of a Secure mHealth App

How can healthcare organizations build a secure mHealth app that puts security, privacy and compliance first? Start with the key factors that all mHealth apps should consider: authentication, privilege management, secure data storage and communication, compliance, and testing and publication:

  • Authentication: Strong passwords and authentication are among the most crucial security factors. Never store passwords in plaintext. Instead, salt and hash them, and force users to reset forgotten passwords. Load login forms over HTTPS, and post to HTTPS. Implement multifactor authentication.
  • Privilege Management: Implement the principle of least privilege, strictly assessing which permissions need to be granted to a program. If hackers eventually compromise an app, they will not be able to do anything beyond what the app normally does, such as elevating privileges to gain access to sensitive databases.
  • Secure Data Storage and Communication: Whenever possible, avoid storing sensitive data on the device or in backups. Protect sensitive information stored in files by using strong encryption, and evaluate whether something stronger than native encryption on iOS or Android is needed. Implement secure network transmission of sensitive data.
  • Compliance: HIPAA is the most pertinent regulation, with clear guidelines regarding the use of confidential credentials, mandatory encryption, authentication and other factors. However, other regulations — such as the European Union’s General Data Protection Regulation, the California Consumer Privacy Act and the Children’s Online Privacy Protection Act — often come into play and may bring additional requirements. Keep in mind that if the app facilitates the diagnosis, treatment, cure or mitigation of a health problem, it may need clearance from the U.S. Food and Drug Administration as well.
  • Testing and Publication: Thorough testing involves a variety of steps, but with mHealth apps, it is critical to ensure the code is free from malware and any recognized vulnerability such as those publicly disclosed as Common Vulnerabilities and Exposures. Once the app is tested, it should be available only in sanctioned app stores. The Apple App Store and Google Play Store can monitor and vet apps for security features before and after they are made available for download. This reduces the risk of a user installing a potentially harmful app.

Look to freely available sources for guidelines to ensure apps are built with security, privacy and compliance in mind. There are recommendations for general coding practices (such as code complexity and obfuscation), the use of anti-tamper mechanisms and robust transfer protocols, testing third-party libraries, and much more.


Outsourcing Considerations for mHealth Apps

If organizations choose to outsource the development of their mHealth app, or use an existing app from a third party, vendors need to be evaluated for security and privacy.

Ask for proof of the vendor’s secure data processing, including the confidentiality, integrity and availability of personal data while stored, processed and transmitted.

Evaluate the degree to which the vendor identifies threats to data, and what controls are in place to respond to known and newly discovered threats.

Require proof that the vendor understands liability and has a process for detecting and managing potential security breaches. Insist on documentation to show that HIPAA and other regulatory compliance standards are being followed.

Examine the level of support available during and after implementation. Include an assessment of technical support for users.


Stay on Top of mHealth Apps

Whether an mHealth app is created in-house or outsourced, organizations should assign one team member to be responsible for security, privacy and compliance. Without a single point of contact, it’s too easy to assume that someone else is monitoring these areas.

Finally, if an mHealth app does not provide a comfortable user experience and engagement, or doesn’t fit neatly into existing workflows, it will not be used. Just as important, take the time to ensure users are aware of the steps needed to use mHealth apps safely.
