Aug 12th 2013

mHealth App Security – Looking beyond the Device!

Radhika Iyengar, Solution Head – Healthcare Practice

Mobile devices are steadily gaining significance in the current healthcare paradigm: they increase provider productivity through fewer return office visits and make it more convenient to communicate with patients. With this rapid adoption, mHealth application security has become the dominant concern among healthcare enterprise decision makers. In today's highly regulated healthcare environment, provider systems must ensure that sensitive patient information is persistently protected.

The key entities in an mHealth solution that need attention are the Device, the Data and Compliance. Healthcare organizations need to determine the best way to protect the ePHI available to mobile device users, following the CMS guidelines.

Device Security: While the mHealth application will fundamentally authenticate users through a set of unique credentials (username and password), breaches remain possible when login credentials are lost or stolen, which could result in unauthorized access to view or modify ePHI. The following action items can serve as safeguards against such unauthorized access:

  • Implementing two-factor authentication, in addition to username and password, for granting remote access to systems that contain ePHI
  • Access to the application through a VPN client connection
  • Password protection rules such as a 6-character PIN, expirations, failure thresholds and data wipe after failure
  • Setting up a technical process for creating unique user names and performing authentication when granting access
  • Automatic device lock after a fixed inactivity period
  • Whenever a device is stolen, the healthcare ISV's IT help desk can be notified, and a user interface on the backend system can let the representative de-register the username
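
As an added illustration (not code from the original post or from Diaspark), the following shows how a backend could enforce the PIN rules, failure threshold with wipe, inactivity lock and help-desk de-registration listed above. Only the 6-character PIN comes from the post; the threshold of 5, the 90-day expiration, the 5-minute inactivity period and all names (`Enrollment`, `enroll`, `unlock`, `deregister`, `is_locked`) are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass

MIN_PIN_LENGTH = 6          # from the article
MAX_FAILURES = 5            # assumed failure threshold
PIN_MAX_AGE = 90 * 86400    # assumed expiration: 90 days, in seconds
IDLE_LOCK = 300             # assumed inactivity period: 5 minutes

def _kdf(pin: str, salt: bytes) -> bytes:
    # Store a salted, slow hash of the PIN, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Enrollment:
    """Hypothetical server-side record for one registered username."""
    salt: bytes
    pin_hash: bytes
    pin_set_at: float
    last_activity: float
    failures: int = 0
    registered: bool = True
    wipe_pending: bool = False

def enroll(pin: str, now: float) -> Enrollment:
    if len(pin) < MIN_PIN_LENGTH:
        raise ValueError("PIN shorter than policy minimum")
    salt = os.urandom(16)
    return Enrollment(salt, _kdf(pin, salt), now, now)

def deregister(e: Enrollment) -> None:   # help-desk action, lost/stolen device
    e.registered, e.wipe_pending = False, True

def unlock(e: Enrollment, pin: str, now: float) -> str:
    """Return the policy decision for one unlock attempt."""
    if not e.registered:
        return "deregistered"
    if not hmac.compare_digest(_kdf(pin, e.salt), e.pin_hash):
        e.failures += 1
        if e.failures < MAX_FAILURES:
            return "denied"
        deregister(e)           # threshold reached: revoke and flag wipe
        return "wipe"
    if now - e.pin_set_at > PIN_MAX_AGE:
        return "pin_expired"    # correct PIN, but it must be changed first
    e.failures, e.last_activity = 0, now
    return "ok"

def is_locked(e: Enrollment, now: float) -> bool:
    return not e.registered or now - e.last_activity >= IDLE_LOCK
```

Timestamps are passed in as `now` so the policy can be exercised deterministically; a deployment would supply the server clock.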

Data Security: It is equally critical to ensure that the data sent to the mobile application is secure on the device as well as during transmission. The following practices can help prevent ePHI data loss from mobile devices:

  • Storing and downloading of ePHI needs to be prevented; a mechanism that makes sure any download is justifiable can be implemented
  • Minimized caching of data in browsers for web-based applications
  • Robust encryption (AES256 & Triple DES) for transmission of ePHI using SSL (Secure Sockets Layer) can be made mandatory for mHealth solutions
  • Policies to prevent the use of, and/or to encrypt, SD cards and other removable media on mobile devices
  • Implementation of emerging best practices in mobile data security management through:
    • Centralized mobile device management set-ups
    • TPMs
    • Sandbox implementation for the mobile solution
    • Back-up media security

Maintaining Compliance

i. Compliance Management

Once the development team has implemented the application with the compliance measures discussed above, the next step is to assess how to deploy the application and manage it over subsequent releases and upgrades. This can be done by recommending solutions that incorporate compliance management facilities. For example, the use of smartphone-aware Network Access Control (NAC) capabilities can eliminate potential security holes.

ii. Security Management and Reporting

It is also important to have security management solutions and reporting facilities that not only ensure user compliance, but also provide audit evidence through quick reports.

Application downloads from the Apple App Store and Google Play still pose vulnerability, integrity and user privacy issues. Hence, mHealth security maintenance models need to factor in certain security measures that will strengthen the compliance policies significantly:

  • Develop processes that ensure backup of all ePHI data sent to or received from the mobile device, and ensure that these backups are performed on the server side regularly.
  • Scan for suspicious activities and malware on the server network platform regularly.
  • Ensure the workforce is appropriately trained on application usage that may require accessing any ePHI data.
  • Suggest that users search for and delete any files intentionally or unintentionally saved to external devices.
  • Perform regular internal HIPAA compliance validations when an application is planned for an upgrade to include new enhancements/bug fixes.

At Diaspark Healthcare, our mHealth teams are able to identify in detail mobile app security needs and areas vulnerable to risks (malware, untrusted user devices, untrusted networks, etc.), which helps us recommend solution approaches that provide robust support across a diverse set of use cases, technologies and ownership scenarios.

Diaspark is a premier IT services and solutions company with two decades of global business experience. We have deployed numerous mHealth and enterprise solutions in the healthcare industry for leading healthcare ISVs and healthcare providers in the United States. We have a dedicated Healthcare practice team that holds a rich knowledge base of best practices and processes in the US healthcare environment, encompassing Prescription Management, Clinical Management, Home Healthcare, Hospital Management and Health Analytics. We ensure that our clients' products are compliant with regulations like HIPAA, HL7, ADA 508, HIE, ICD-9 / ICD-10.
