Protecting telemedicine mobile apps

The COVID-19 global pandemic changed the dynamics for the telemedicine market overnight. A significant increase in demand for such services, along with the rise of cyberthreats, demonstrate two key facts:  

  1. There is a vast untapped opportunity for remote care models that continues to grow and re-shape the future; and 
  2. Cyber threats can become the Achilles’ heel of this expansion. 

All telemedicine platforms, including telemedicine mobile apps, are subject to the Health Insurance Portability and Accountability Act (HIPAA). The act enforces confidentiality, integrity and availability of all electronic Protected Health Information (ePHI) records and protection against reasonably anticipated threats. HIPAA tries to explain the relatively vague concept of reasonably anticipated threats” in other documents. Still, it is hard to propose a fixed definition for that since the nature, objective and severity of threats can change over time, and the hackers’ incentives and hacking technologies continue to rise and improve. 

Here, we propose few tips for developers and vendors to implement a holistic cybersecurity strategy for telemedicine mobile apps:

Recognize what data you need to protect

  • PHIs contain profile or health identifiers associated with an individual. Unauthorized access to them could potentially lead to person’s identity disclosure. 
  • PHI identifiers include demographic information (name, date of birth, address, etc.), biometric information (fingerprint, face, etc.), medical information (insurance/record number, etc.), internet identifiers (URLs, IP), and any other unique identifying number, code or name. 
  • Any other piece of data that is not a PHI can potentially become a PHI iit is geo-tagged. Ian app incorporates GPS information more specific than State-level in the US, that data turns into a PHI. 

Treat PHIs with utmost care

  • The less PHIs you gather, the better! Be minimalistic in data collection, and make sure you have SMART rationale for collecting every piece of data. 
  • Avoid storing PHIon thdevice. If you save PHIsdo it securely with encryption using modern algorithms and widely accepted cryptographic protocols. 
  • Ensure secure transmission using in-transit data communication security such as Transport Layer Security (TLS1.2). 
  • Implement App Transport Security (ATS) in iOS and Network Security Configuration file in Android to enforce HTTPS connection. 
  • Pin all essential certificates in iOS and Android to help prevent maninthemiddle attacks.

Protect the app from within to protect data

  • Use anti-hacking techniques such as obfuscation to make the code super complex and hard to understand.
  • Verify the integrity of the code and data to prevent tampering. 
  • Detect jailbroken or rooted devices to ensure the app is running in a trusted environment. 
  • Use anti-debugging solutions to protect against data siphoning and app behavioral changes. 

Telehealth providers need to understand that PHIs are the most valuable records to protect. A minimalistic and good-enough approach to address health data security is simply a recipe for disaster. Instead of “good-enough”, telemedicine vendors need to adopt a “strong-enough” philosophy for healthcare cybersecurity. Especially for the fast-growing mobile apps segment, to not only provide a secure environment for both patients and caregivers to interact but to ensure the remote care business will continue to thrive sustainably.  

This blog is part 3 of a series on Telehealth and Telemedicine Security.  In the next blog, we will explain what HIPAA rule encapsulates and means in action for Telemedicine providers and vendors. 

Follow us here to stay up to date!