We're Hiring!

Protecting Personal Information & Sensitive Data in Mobile Health Apps

mHealth concept; stethoscope and mobile phone on a white background

Recent years have seen a move towards cloud platforms and mobile health apps for citizens -- applications and data processing systems that enable ordinary people to interact with their health providers, make appointments with medical professionals, order prescriptions, and gain on-demand access to their medical records. The ongoing COVID-19 pandemic is putting greater emphasis on this trend, as citizens clamour for the latest news, advice, and best practices, while government and health organisations look to digital technologies to help them develop treatment protocols, track the progress of the virus spread, and monitor the condition of all those affected.

Voices both within and without the health sector are urging governments to provide greater access to these citizen health applications, in order to make healthcare delivery easier, and to give ordinary people more options. But at the same time, there are also serious concerns being raised by players from all sectors, particularly about the increased exposure of personally identifiable information (PII) and other sensitive and valuable data that could fall into the hands of malicious actors.

In this article, we’ll be looking at some of the issues involved, and considering some strategies for data protection.

Some Existing Citizens Health App Initiatives

As far back as 2018, the UK National Health Service (NHS) rolled out a free app designed to give citizens quick access to services that might otherwise take hours or even days to acquire. These include booking appointments with general practitioners (GPs), accessing 111 emergency services online for urgent medical queries, ordering repeat subscriptions, and managing long-term health conditions.

The free app, developed by NHS Digital and NHS England, is now available for iOS and Android devices through the App Store or Google Play. Its development is part of a larger initiative in which the UK health service is also developing an NHS Apps Library, and offering free NHS Wi-Fi at GP surgeries and hospitals.

In 2019, the US Department of Health and Human Services proposed two new data-sharing rules to carry out provisions laid out in the 21st Century Cures Act, a 2016 law designed to speed medical innovation.

The federal Health Insurance Portability and Accountability Act or HIPAA has given American citizens the right to obtain copies of their medical records since the year 2000. But many health providers still use paper-based filing systems for distribution, requiring patients to accept DVD copies of their files, or receive them by fax.

Under the new data-sharing protocol, Dr. Don Rucker, the US federal health department’s national coordinator for health information technology, has developed a new rule allowing patients to send their electronic medical information and treatment pricing directly to apps from their health providers. Vendors of electronic health records must enable application programming interfaces (APIs) to enable citizens to gain access to their health data via these mobile apps.

Another new rule was developed by the Centres for Medicare and Medicaid Services, which oversee much of America’s health insurance ecosystem. This rule requires Medicare, Medicaid, and other plans participating in the federal health insurance marketplace to adopt APIs that allow people to use third-party apps to access their health insurance claims and benefit information.

Once the regulations are finalised, health providers and health record vendors will have two years to comply with the API requirements. Any organisation that refuses to share data and facilitates “information blocking” faces potential fines of up to $1 million per violation, with the prospect of federal investigation and possible prosecution for medical practitioners.

Dr. Rucker is of the view that enabling citizens to gain quick access to their health data is part of the greater movement to treat healthcare as a consumer commodity, just like any other transaction in the digital marketplace. And regulators have long argued that having a unified and online repository of medical information enables providers to get a clearer picture of patient health, while allowing people to make more informed health care choices.

Software developers and vendors are welcoming the new regime. Apple for instance, has launched a Health Records app, which lets people receive a subset of their medical information on their iPhones, from more than 300 health centres. And Microsoft has developed cloud services to assist health providers, insurers, and health record vendors make data available to their patients.

Citizens' Rights -- Or Hackers' Opportunities?

Not everyone shares this high opinion of the new health app ecosystem, however. Groups including the American Medical Association and the American College of Obstetricians and Gynaecologists warned US regulators in May 2019 that people who gave consumer health apps authority to retrieve their medical records could open themselves up to serious data abuse issues. In America, federal privacy protections limiting how health and insurance providers may use and share medical records don’t apply once patients transfer their data to consumer apps.

The New York Times reports that the American Medical Association, the American Hospital Association, and other groups have met with health regulators to push for changes to the new rules. In the legislation’s current state for example, citizens who authorise an app to collect their medication lists can’t stop it from retrieving specific data they might prefer to keep private.

Dr. Jesse M. Ehrenfeld, chair of the American Medical Association’s board points out that, “Patients simply may not realise that their genetic, reproductive health, substance abuse disorder, [or] mental health information can be used in ways that could ultimately limit their access to health insurance, life insurance or even be disclosed to their employers. Patient privacy can’t be retrieved once it’s lost.”

Perhaps even more worrying than this is the treasure trove of valuable information that vulnerable APIs potentially offer to hackers and cyber criminals. Data scraping of unprotected APIs is these days simply a matter of using the right script or bot. And with digital technology now fully deployed in the global campaign against COVID-19, the attack surface of the world’s health information networks is growing larger by the day.

In Europe for example, EU representatives are working on a plan to create a single mobile app for its 27 member states, which will enable governments to coordinate their efforts in reporting COVID-19 symptoms and tracking the movement of patients, and allow EU citizens to download information and provide vital feedback about conditions on the ground.

COVID-19 tracking and reporting apps are being deployed independently by a growing number of nations across the globe, with implementations that offer varying degrees of privacy intrusion, data governance, and security vulnerability. Moving forward, safeguards and privacy protections for these apps and their data handling ecosystems will become as vital as the monitoring process itself.

Safeguarding Mobile Health Apps And APIs

For the proposed EU health app project, Europe’s data protection authorities are proposing the use of temporary broadcast identifiers and Bluetooth technology for contact tracing, as a vehicle for assuring privacy and personal data protection.

Contact tracing apps are primarily based on the collection of time and location data from users, allowing historical interactions to be recognised and then communicated. Data may be extracted from existing app feeds, location data provided by telecommunications networks, or a purpose built app that specifically tracks location. For their practical implementation, a standard called iBeacon for Bluetooth communication can increase app usability, and help with the practical evaluation of social distancing measures.

Remote attestation is an authentication mechanism that allows one system (a government database, for example) to make reliable conclusions about the software running on another system (e.g., a citizens health information request, or a COVID-19 tracking app on a remote user’s phone). Significantly, attestation also allows participating systems to enforce security policies that limit connections only to parties that agree to abide by their rules.

Regarding the API security issue, the endpoints that citizens' health apps communicate with need to provide population-level scale, but also need to be protected against malicious attacks that could undermine the system and make a mockery of the entire information exchange exercise, as discussed here.

 

David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.