The Story Behind Your Mobile Apps and Your Security
Recently Peter Adams, Chief Technology Officer and owner of Ping! Development * emailed me a question in regards to whether health information that would be transmitted from a mobile application with a Bluetooth device connection would need to be secured. Peter explained to me that the data being transmitted would have a user name and password transmitted to a secured server in plain text.
I confirmed that health information by itself without the 18 identifiers is not considered to be PHI. Where the health information becomes PHI, is when the transmitted vital datasets contains medical record numbers, password, user names and any other identifier. Once that occurs, the entire dataset must be protected.
In this scenario, the company was planning on transmitting two identifiers, the user name and the password.
With the widespread adoption and use of mobile technologies, I asked Peter if he would answer a few questions regarding this exploding technology within healthcare and mobile applications (apps) market.
Judi: Peter, as we both know, the healthcare industry is the last to the party in regards to technology. Experts estimate that there are over 500 million smartphone users worldwide using some health care application. How does the end user know that the mobile application that they are using is secure?
Peter: They don’t. With an internet browser, a secured sight is identified with a padlock. Currently there is no visual identification for mobile applications unless the developer includes one in their design.
Judi: So, the end user is assuming it is secured?
Peter: Yes. Most mobile apps that are transmitting data, do not secure the transmission channel, the data is sent on a central intermediary web service. The information is transmitted in plain text. But, once it reaches its destination, the server is typically secured.
Judi: Why is that? How does this take place?
Peter: From my experience, the end users or employees that are working with a developer are non-technical people, so they rely on the developers. Previously, I have developed secured transmission channels, which added an enormous number of hours to do so. There could be the issue of added hours and development cost or the developer decides to simply not to take the time.
There has been plenty of published guidance for developers. Last year the Food and Drug Administration (FDA) came out with written guidance for Mobile Medical Applications** as well as the U.S. Department Health and Human Services/ Office for Civil Rights (HHS/OCR) have dedicated an entire section of their website for Health App Developers to ask questions and engage with the OCR on such topics relating to both The Privacy and Security Rules. ***
From a personal perspective, I discovered that my Fitbit qualifies under the mobile apps that the FDA intends to exercise enforcement discretion. Sure hope that Fitbit has done its due diligence and created a secured transmission of my health information!
Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert providing guidance to organizations within HIPAA, GLBA, False Claim and other regulatory agencies. Judith provides reasonable and appropriate compliance policies, procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs, and participates in educational speaking engagements for the industries who handle Protected Health Information. To read more about the world of compliance subscribed to JAL’s insightful newsletter at www.jalconsultantsaz.com OR follow JAL on Twitter @ judithconsult
Personal Information Collected Online
•Personal Information means personally identifiable information such as information provided via forms, surveys, applications or other online fields including name, postal or email addresses, telephone, fax or mobile numbers, or account numbers.
•Before or at the time of collecting personal information, JAL will identify the purposes for which the information is being collected.
•JAL will collect and use personal information solely for the purpose of fulfilling specific contracted engagements or for other compatible purposes, unless consent is obtained from the company and/or individual concerned or as required by law.
•JAL will retain personal information as long as necessary for the fulfillment of a specific contract or for a specific purpose.
•JAL will collect personal information as deemed lawful and where appropriate with the knowledge and/or the consent of the individual or company.
•Personal data should be relevant to the extent of necessary purposes and should be accurate, complete and up-to-date.
•JAL will protect personal information by reasonable safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
•JAL will make readily available to customer’s information about our policies and practices relating to the management of personal information. Terms and Conditions
JAL is committed to conducting our business in accordance with these principals in order to ensure that the confidentially of personal information is protected and maintained. By accessing this website, you are agreeing and bounded by these Website Terms and Conditions of Use, all applicable laws and regulations. If you do not agree with these Terms and Conditions, you are prohibited from using or accessing this website. The materials contained in this Web Site are protected by all applicable copyright and trade mark laws.
Our Online Notices are subject to change. Please review it periodically. If we make changes, we will revise the “Last Updated” date at the top of this Notice. Any changes will become effective the date the revised Notice is posted on the Site.