Simplifying Mobile Health App Security
Choosing the right mobile health app to use is important, but how do you validate that your data will be secure? The best way is to ask, but talking to an IT team can be intimidating. They seem to talk in a different language and use so many acronyms it will make your head spin! I’ve outlined and explained some important security topics surrounding HIPAA. My hope is by the end of this, you will be comfortable asking your vendors about their security.
Below are some of the most important security topics you should cover with a vendor.
HIPAA
If you're in healthcare you've heard about HIPAA, but did you know health vendors are just as responsible for HIPAA as providers are? They must have a full set of policies and procedures regarding HIPAA and follow both the Privacy Rule and the Security Rule. It's important to know that your vendors are keeping up with HIPAA and the ever-changing security landscape.
HITRUST
There has been a lot of buzz around HITRUST lately, but what is it really? Technically it is a company led by an executive council comprised of people from industry-leading organizations, but that's not what people mean when they say HITRUST. When someone is HITRUST certified, they have successfully passed an additional audit process for the Common Security Framework (CSF). The framework is set up to have tangible security benchmarks, whereas HIPAA guidelines can be interpreted and implemented in a broad range of ways. HITRUST takes HIPAA one step further and is one of the highest standards of security.
Business Associate Agreement
Under HIPAA, Covered Entities must sign a BAA with their Business Associates. Business Associates are anyone who will create, transmit, or maintain Personal Health Information. There can be many aspects of a BAA, but I'll explain a few of the bigger topics so you can better understand its purpose. Your business associate agreement will lay out how the data will be used; this will generally be for service offerings and internal management processes. It will also contain an agreement that both parties will use appropriate safeguards to protect data flowing through the application. Another key element of a BAA is that data will not be disclosed unless required by law or other extenuating circumstances.
Encryption
Encryption is a topic that gets complicated very quickly. There are two main ideas for encryption under HIPAA. The first is that all PHI needs to be encrypted in transit (when it's moving from the server to your device). The industry standard for encryption in transit is to add a Secure Socket Layer (SSL) to the site or app; this is what turns http into https. Secondly, all PHI needs to be encrypted at rest (when it's on the server). Encryption at rest has many commonly used options, so your vendors should be able to explain how they handle this area.
Mobile Health Apps
There can be a lot of benefits to using mobile devices in a clinical setting. They can improve the efficiency of appointments and decrease internal IT costs, plus these devices are so ingrained in our daily lives that using them is almost natural. But with the upsides of mobile health there does come some risk. When choosing a mobile health app, it's important to choose one that mitigates all of these risks, leaving nothing but benefits.
As long as you know what to ask for, it should be easy to tell whether a mobile health vendor has the correct measures in place. Download our free checklist to assist you in covering these topics with vendors. It also includes a list of common documents a vendor may have detailing their security.