Since January 2016, hospitals in three states and the District of Columbia have been maliciously attacked and patient health data has been put at risk. These cyberattacks are a result of “Ransomware”, a malware system designed to “kidnap” data, prevent victims from accessing their information, and extort them for the decryption key. These attacks have spread through email attachments, infected programs, and compromised websites. In order to mitigate the risks associated with ransomware, government agencies are actively harmonizing their privacy protection and data security guidelines for health technology vendors and Health Insurance Portability and Accountability Act (HIPAA) covered organizations. These guidelines will help ensure that privacy and security protections, as required by HIPAA, are built in when developers design new products and tools that provide access to individual health information.
In April, the Federal Trade Commission (FTC), ONC, the Office of Civil Rights (OCR), and the Food and Drug Administration (FDA), released the Mobile Health Apps Interactive Tool, a web tool targeting mobile app developers. The aim of the tool is to:
- Assist app developers’ understanding of working with HIPAA related material
- Help app developers determine if and when their app exceeds the FDA’s threshold for exercising enforcement discretion
- Help app developers determine how the FTC will regulate apps when HIPAA and FDA regulations do not apply
The Mobile Health Apps Interactive Tool provides the information the developers need to determine which safeguards are needed to ensure the users’ data is properly protected. By answering a series of ten questions, app developers can determine whether their product is covered under HIPAA; the Federal Food, Drug, and Cosmetic Act (FD&C Act); Federal Trade Commission Act (FTC Act); or the FTC’s Health Breach Notification Rule. These laws establish national standards for the protection of health information and security standards for protecting certain health information that is held or transferred in electronic form.
The laws protecting health information means all programs, apps, and tools that capture, create, or share health information must protect consumer privacy and provide for data security. For example, if an app collects personally identifying health information and intends for the information to be shared with a wellness program offered by an employer’s health plan, it is subject to HIPAA regulations. If the same app is offered through a wellness program offered directly by the employer, it is subject to HIPAA regulations and FTC jurisdiction.
To help developers implement data security and protect against potential cyberattacks on an individual’s information, the interactive tool also provides a glossary of terms commonly used in HIPAA Rules and a list of FTC best practices. These best practices include minimizing the amount of data collected, limiting access to customer information, applying strong user authentication, incorporating security at every stage of app’s development, and the need to obtain consent from users before sharing their information.
Although the Mobile Health Apps Interactive Tool does not directly address the ongoing threat of Ransomware and other cyberattacks, it reflects how, despite increasing numbers and sophistication of attacks, federal agencies are reducing data vulnerabilities while also making sensitive personal data more accessible over mobile and wireless devices. It is the hope that as the health technology industry continues to grow, new and innovative ways to protect vital information against cyberattacks will continue to evolve.
This article is a selected item from the FHA, The Pulse Bimonthly Newsletter for Federal Health IT Updates – June 2016.