The rapid growth in telehealth has predictably spawned the development of a variety of new software solutions to serve the needs of both doctors and patients. While the field is wide open for application developers, the area of telemedicine also presents some unique data privacy and security challenges. Of course, the principles of privacy by design tell us that data privacy concerns should be integrated into the entire design process, but this imperative becomes all the more important and challenging when the app in development will be handling users’ personal information.

The U.S. Health Insurance Portability and Accountability Act imposes unique data security standards on telehealth app developers. In March, the Department of Health and Human Services temporarily suspended enforcement for noncompliance with HIPAA rules in connection with the good-faith use of telehealth services during the pandemic.

This temporary suspension should not lead telehealth app developers into a false sense of complacency regarding HIPAA’s strict security requirements. Any telehealth-specific app must comply with the HIPAA Security Rule if it is to have any meaningful market success.

Further, reduced risk of enforcement should not lead to lax security practices. The threat of bad actors exploiting weak or immature security controls to access or exfiltrate personal information, intellectual property, such as source code, or other sensitive information is ever-present. Telehealth app developers should implement best practices for security when designing and improving their apps, especially as the apps continue to iterate and new features are added.

Business associate agreements

As an initial matter, any telemedicine or telehealth app facilitating the transfer of protected health information between health care providers and patients will need to enter into a business associate agreement with the health care provider. HIPAA requires health care providers to enter into a BAA with any vendor that transmits or maintains electronically protected health information on its behalf to ensure the vendor is properly safeguarding the ePHI. Through the BAA, the vendor represents that its services will comply with HIPAA’s Privacy, Security, Breach Notification and Enforcement Rules as applicable to the services being provided.  

HIPAA’s Security Rule

HIPAA’s Security Rule sets standards for administrative, physical, technical and organizational safeguards to secure protected health information. The technical safeguards specifically identify policies and procedures for protecting ePHI and controlling access to it and fall into the following categories: access control, audit controls, data integrity, authentication and transmission security. 

Access control

HIPAA requires the implementation of policies and procedures to ensure that only authorized persons and software programs access the ePHI. The Security Rule does not specify any particular technical controls for meeting this standard; however, it does set forth two required implementation specifications that an app developer must meet and two more that should be implemented when reasonable and appropriate. In the context of app development, all four specifications should be implemented.

Unique user ID

Each user of the app should be assigned a globally unique identifier, which can be a username, number or random string of characters. Using this GUID, the system should be able to attribute and protect access to app-related data for end users (patients and health care providers), as well as employees or vendors. GUIDs as a method of identification, however, should not be conflated with authentication, which is detailed further below. Systems should require more than just a GUID to provide access, as they may be publicly available or easily ascertained.

Emergency access procedures

Generally speaking, the Security Rule requires that the system establish and implement as needed a procedure for obtaining necessary ePHI in an emergency situation.

Automatic logoff

The app must also implement electronic procedures that terminate authenticated sessions after a predetermined time of inactivity. An automatic logoff system reduces the risk that unauthorized users will gain access to the system and related ePHI. Although it can create a bit of a speed bump in the user experience, telehealth app developers should seek to shorten the inactivity period that triggers the automatic logoff, particularly for web apps.

Encryption and decryption

Where feasible, encryption should be used to protect ePHI from unauthorized access either by individuals or other software programs. Using standard protocols like HTTP with TLS protects data in transit, and modern encryption schemes, like advanced encryption standard and authenticated encryption, protect data at rest.

Audit controls

Technical means must be implemented for recording and examining activity on the system. Audit controls also typically include the ability to generate an audit report. Such capabilities are particularly important for gathering system information in the event of a security violation. The Security Rule does not specify what data must be gathered by the audit controls. Consequently, app developers should consider what data is collected, how the system is used and what kind of security breaches are more likely when designing the audit controls. Importantly, app developers should also be mindful of the ways in which audit controls can, if not well designed, introduce additional security risks.

In addition to audit controls, app developers should ensure they have implemented monitoring and alerting on the app’s underlying infrastructure to identify any anomalous behavior. The first step to understanding events that occur on application infrastructure is to collect them in a centralized location. Having a security incident and event management system allows companies to collect disparate log sources, potentially from multi-cloud environments, in a central location.

Once log collection has been configured, conducting research over time into baseline activities will help determine which events truly reflect something of concern. That being said, alerting and monitoring is only as helpful as those observing the data generated by these systems, as they are never fully autonomous.

Integrity

The app must have mechanisms in place to protect ePHI from improper alteration or destruction. Here too, a developer must consider how the ePHI is used on the platform and determine where the risk of alteration or destruction of ePHI might exist. Once those areas are identified, security measures must be implemented to reduce those risks.

Alerting and monitoring can also help preserve data integrity. At a minimum, the app should have some technical means for detecting changes to ePHI data. More sophisticated telehealth app developers will leverage privileged access management as an additional layer of security that protects ePHI integrity. PAM restricts access to administrator accounts or accounts that have broad rights to sensitive data to a select few individuals for a limited period of time.

Person or entity authentication

The Security Rule requires, where feasible, the system have a means of verifying the identity of the user, though the standard does not describe any implementation specifications. The use of passwords, PINs, tokens or biometrics are various technical means of meeting this requirement.

Due to the sensitive nature of ePHI that telehealth apps can store or exchange, any telehealth app should integrate a strong authentication workflow. Authentication is the process by which a user proves its identity to the app or its supporting infrastructure. Most apps rely on a combination of username and password, but those are often reused and/or simplistic. This leads to an increased risk of compromised authentication credentials.

Telehealth app developers should consider implementing multifactor authentication for both end users and employees or vendors. Other factors beyond username and password (something you know) could include app-based or text message codes (something you have) or biometric data, like fingerprints (something you are). This provides an extra layer of security protection that can mitigate the risk of a wide variety of types of attacks. MFA has experienced widespread use in other sectors, such as the financial sector, and telehealth apps should consider following suit.

Transmission security

The final standard is transmission security. App developers should consider the communication channels being used for transmitted ePHI and implement appropriate means of securing the transmission. In the current app ecosystem, both web and mobile apps that rely on server-based infrastructure require public-facing application programming interfaces to make the app’s data available.

APIs are what enable apps to leverage or share data with third parties, such as when a user connects a social media account to an app to access photos or other data from a social media profile. Misconfigured or improperly-secured APIs have been the source of many breaches and require rigorous testing and auditing.

There are two implementation specifications for this standard.

Integrity control

Similar to the integrity standard, safeguards must be put in place to ensure that electronically transmitted ePHI is not improperly modified without detection. Cryptographically signing messages can help to detect modification of data.

Encryption

Similar to the access control standard, encryption technology must be utilized as appropriate to protect transmitted ePHI from unauthorized access by individuals or software programs. The Security Rule does not specify the use of any particular encryption standard. Rather, a developer should choose an encryption solution that appropriately addresses the security threat level presented by the transmission system being utilized.

Designing telehealth apps poses a number of unique challenges to developers, and the requirements of HIPAA’s Security Rule is chief among them. Determining the best technical means for complying with HIPAA’s standards requires judgment and expertise, as each application will demand a different set of solutions tailored to the app’s uses and functionality. Inadequate or lax app design can result in poor app adoption and significant legal exposure. Consulting with the right legal and data security professionals as part of the development process ensures these critical issues are identified and addressed.

Photo by National Cancer Institute on Unsplash