The Story Behind Your Mobile Apps and Your Security

Recently Peter Adams, Chief Technology Officer and owner of Ping! Development*, emailed me to ask whether health information transmitted from a mobile application over a Bluetooth device connection would need to be secured. Peter explained that the transmitted data would include a user name and password, sent to a secured server in plain text.

I confirmed that health information by itself, without the 18 identifiers, is not considered PHI. The health information becomes PHI when the transmitted vital-sign datasets contain medical record numbers, passwords, user names or any other identifier. Once that occurs, the entire dataset must be protected.

In this scenario, the company was planning to transmit two identifiers: the user name and the password.

With the widespread adoption and use of mobile technologies, I asked Peter if he would answer a few questions about this exploding market for healthcare mobile applications (apps).

Judi: Peter, as we both know, the healthcare industry is the last to the party in regard to technology. Experts estimate that there are over 500 million smartphone users worldwide using some health care application. How does the end user know that the mobile application they are using is secure?

Peter: They don't. With an internet browser, a secured site is identified with a padlock. Currently there is no visual identification for mobile applications unless the developer includes one in the design.

Judi: So, the end user is assuming it is secured?

Peter: Yes. Most mobile apps that transmit data do not secure the transmission channel; the data is sent to a central intermediary web service in plain text. But once it reaches its destination, the server is typically secured.

Judi: Why is that? How does this take place?

Peter: From my experience, the end users or employees working with a developer are non-technical people, so they rely on the developers. Previously, I have developed secured transmission channels, which added an enormous number of hours. There can be the issue of added hours and development cost, or the developer may simply decide not to take the time.

There has been plenty of published guidance for developers. Last year the Food and Drug Administration (FDA) issued written guidance for Mobile Medical Applications**, and the U.S. Department of Health and Human Services / Office for Civil Rights (HHS/OCR) has dedicated an entire section of its website for health app developers to ask questions and engage with the OCR on topics relating to both the Privacy and Security Rules.***

From a personal perspective, I discovered that my Fitbit qualifies among the mobile apps for which the FDA intends to exercise enforcement discretion. I sure hope that Fitbit has done its due diligence and created a secured transmission of my health information!
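The failure mode Peter describes, a user name and password travelling in plain text alongside the vitals to an intermediary web service, is something a reviewer can check for in a capture of the app's traffic. Below is an added example, not code from the post or from Ping! Development; the captured request, host name and field names are constructed for illustration.

```python
"""Detect identifiers sent in the clear, as in the scenario in the post.
Added example (not code from the post or from Ping! Development); the sample
request, hostname and field names are constructed for illustration."""
import json
from urllib.parse import parse_qs, urlparse
# Identifiers named in the post (user name, password, medical record number)
# plus a few assumed field names a health app might use for the same data.
IDENTIFIER_FIELDS = {"username", "user", "password", "pass", "mrn", "email"}

def parse_http_request(raw: bytes) -> tuple:
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")

def identifiers_in_clear(raw: bytes) -> list:
    """List identifier fields readable by anyone on the path of this request.
    Vitals alone are not PHI; once a user name or password travels with them
    the whole request is PHI, so any hit on a plain-HTTP capture is a finding."""
    _method, target, headers, body = parse_http_request(raw)
    found = []
    # 1. Identifiers in the query string, e.g. /sync?user=...&password=...
    for key in parse_qs(urlparse(target).query):
        if key.lower() in IDENTIFIER_FIELDS:
            found.append(f"query:{key}")
    # 2. Identifiers in the body, whether JSON or form-encoded
    if "json" in headers.get("content-type", "") and body:
        body_keys = json.loads(body).keys()
    else:
        body_keys = parse_qs(body).keys()
    for key in body_keys:
        if key.lower() in IDENTIFIER_FIELDS:
            found.append(f"body:{key}")
    # 3. HTTP Basic auth is base64 encoding, not encryption: flag, don't decode.
    if headers.get("authorization", "").lower().startswith("basic "):
        found.append("header:authorization")
    return found

# Constructed capture of a vitals upload over plain HTTP (no TLS on the wire).
SAMPLE_REQUEST = (
    b"POST /api/vitals HTTP/1.1\r\n"
    b"Host: sync.example.test\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"username": "jdoe", "password": "hunter2", "heart_rate": 72, "spo2": 98}'
)
```

Run it over a plain-HTTP capture of the app's traffic; an empty result for every request means no identifier is leaving the device unprotected, while any hit is a dataset that has become PHI on an unsecured channel.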



*** hipaaqsportal.hhs.gov/

Just released: Judith's 2016 edition of “A Practical Guide to Understanding and Implementing HIPAA”. Click the links below for more information:

E-Book Version: bit.ly/2aowcqQ

Print Version: bit.ly/2aj6hWV

Judith is an accredited Certified HIPAA Professional (CHP). As the owner of JAL, Judith is your subject matter expert providing guidance to organizations on HIPAA, GLBA, the False Claims Act and other regulatory requirements. Judith provides reasonable and appropriate compliance policies and procedures within your Compliance Program. As a guru in compliance, Judith delivers compliance employee training programs and participates in educational speaking engagements for the industries that handle Protected Health Information. To read more about the world of compliance, subscribe to JAL's insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult

Copyright © JAL Consulting 2016