The Risks Posed by Mobile Health Apps

Sizing Up the Security, Privacy Risks of Accessing Health Data via APIs
What privacy and security issues are raised by patients using smartphone apps to access health records? Attorney Helen Oscislawski and security expert Jarrett Kolthoff offer an analysis in an in-depth joint interview with Information Security Media Group.
Federal regulators earlier this year issued requirements for certified health IT developers to embrace standards-based application programming interfaces to support patients using smartphones for health data access.
The two rules, issued by the Department of Health and Human Services' Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services, implement interoperability, patient access and information blocking provisions as called for by the 21st Century Cures Act signed into law in 2016.
The 1,244-page ONC rule sets requirements for certified health IT developers to establish a secure, standards-based API for use by providers and to support a patient's access to core data in their electronic health record.
The 474-page CMS rule requires payers and others to share claims and other health information with patients in a safe, secure, electronic format through APIs.
"As patients use their apps and connect, those IT developers and payers are going to be forced to use those APIs, and the forced interoperability will allow the information to flow upon the patient's request," Oscislawski explains.
While the HHS information blocking regulations lay out several exceptions - including certain privacy and security situations - under which providers and others are not required to fulfill patients' requests to access or exchange electronic health information, those exceptions are not clear-cut, Oscislawski warns.
"When a patient requests access to his or her own data, the security exception may or may not apply," she notes.
"HIPAA requires [covered entities] to provide patients access to their core information - so even if the information blocking security exception is there, that is not a reason why a provider, for example, would be able to decline giving patient access ... So it will be interesting to see how that plays out."
Kolthoff, CEO of SpearTip, a cyber counterintelligence firm, notes: "The push to openly provide access via these applications to healthcare records is a bit concerning from a security perspective."
For instance, adversaries can potentially target the software developers' systems and gain access to applications' APIs, he says.
One of the main concerns is "securing the APIs so that a rogue entity can't obtain the keys from the applications and then download and access the datasets on the backend, not utilizing the application it was built for," Kolthoff says.
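The risk Kolthoff describes is a design choice on the backend: if the API trusts a static key shipped inside the mobile app, extracting that key is enough to pull records outside the app. The following is an added illustration, not code from the interview, the ONC or CMS rules, or any vendor. It contrasts a backend that authorizes on an app-level key with one that requires a signed, patient-bound, scoped access token on every request. The token format, secret values, claim names and function names are all constructed for the demo; a production API would use a standards-based OAuth 2.0 authorization server and JWT library rather than this hand-rolled HMAC token.

```python
# Added example: backend authorization for a patient-access API.
# Constructed for illustration; the token format is a simplified stand-in
# for a signed OAuth 2.0 access token. All keys and names are placeholders.
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"constructed-demo-signing-key"   # constructed placeholder
STATIC_APP_KEY = "constructed-app-key-123"         # constructed placeholder


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue a signed token of the form base64(claims).base64(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str):
    """Return the claims dict if the signature checks out, otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))


# Weak design: the backend trusts a static key embedded in the app binary.
# The key says nothing about which patient is asking, so whoever holds it
# can request any patient's records directly, bypassing the app entirely.
def authorize_with_app_key(api_key: str, patient_id: str) -> tuple:
    if hmac.compare_digest(api_key, STATIC_APP_KEY):
        return True, "app key accepted (no check on which patient is asking)"
    return False, "unknown app key"


# Hardened design: each request must carry a token that is validly signed,
# unexpired, bound to an authenticated patient, and scoped to the resource.
# An app-level credential with no patient binding is refused outright.
def authorize_patient_read(token: str, patient_id: str, resource_type: str,
                           now=None) -> tuple:
    now = time.time() if now is None else now
    claims = verify_token(token)
    if claims is None:
        return False, "invalid or tampered token"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if not claims.get("sub") or not claims.get("patient"):
        return False, "no authenticated patient bound to this token"
    if claims["patient"] != patient_id:
        return False, "token is bound to a different patient"
    scopes = set(claims.get("scope", "").split())
    if (f"patient/{resource_type}.read" not in scopes
            and "patient/*.read" not in scopes):
        return False, f"scope does not permit reading {resource_type}"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed demo: a token issued after patient pat-1 logged in.
    issued = int(time.time())
    tok = mint_token({"sub": "user-1", "patient": "pat-1",
                      "scope": "patient/Observation.read", "exp": issued + 600})
    print(authorize_patient_read(tok, "pat-1", "Observation"))   # authorized
    print(authorize_patient_read(tok, "pat-2", "Observation"))   # wrong patient
    print(authorize_with_app_key(STATIC_APP_KEY, "pat-2"))       # weak design accepts
```

The two authorizers make the difference concrete: the app-key check passes for any `patient_id` once the key is known, while the token check fails on a foreign patient id, a missing patient binding, an unrequested scope or a tampered body, so an extracted credential alone does not unlock the dataset.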
In the joint interview, Oscislawski and Kolthoff also discuss:
- Potential security risks and related considerations posed by certain "information blocking" exceptions that are part of the HHS regulations;
- Measures app developers need to take to ensure they are properly addressing security concerns;
- Critical steps healthcare organizations need to take to prevent breaches of third-party applications used by patients to access their electronic health data.
Oscislawski is a founding member of the law firm Attorneys at Oscislawski LLC, based in Princeton, New Jersey. The corporate and regulatory attorney's practice focuses almost exclusively on advising and representing clients in the healthcare industry.
Kolthoff, a former counterintelligence special agent, is founder and CEO of SpearTip, a cyber counterintelligence firm. Kolthoff's civil casework includes investigations of Chinese cyber espionage, Russian extortion, hostile corporate takeovers, rogue IT personnel, hacktivists, international wire fraud and ransomware cases.