Mobile App Risks in Highly Regulated Industries
Mobile apps deployed by organizations in highly regulated industries must conform with multiple regulations, including record retention, patient privacy and data breach notifications.
By Madeline Weiss
Since the introduction of the iPhone in 2007, mobile apps have enabled owners of smartphones to use their devices as personal computers. A 2013 Pew Research Center study determined that 63 percent of adult cell phone owners access the Internet from their mobile phones. By 2017, it is estimated that 87 percent of connected device sales will involve smartphones and tablets. Ericsson and Cisco estimate there will be 50 billion connected devices, including sensors, by 2020.
Companies continue to benefit financially from developing mobile apps for customer and employee use. Sales through eBay mobile apps doubled from $5 billion in 2011 to $10 billion in 2012; mobile transactions now represent 16 percent of eBay's total sales. Mobile-generated revenue from the iTunes store is $4 billion per quarter. Early results indicate that customers who use Walgreens' mobile app, which lets them print photos and coupons, transfer and refill prescriptions, and chat with pharmacy personnel, generate six times the in-store sales of customers who shop only in the store. According to recent research, mobile workers work up to 1.75 more hours per day than non-mobile workers, and mobile insurance adjusters handle approximately 7.4 more claims a week than their office-bound counterparts.
The risks associated with mobile app deployment come from multiple sources, including networks, carriers, operating systems and the apps themselves. In June 2010, attackers exploited a flaw in an AT&T web service that exposed the e-mail addresses of 114,000 iPad owners. And in January 2014, it was reported that the Starbucks mobile app stored users' personal data on the device in unencrypted plain text, readable by anyone with access to the handset. Fortunately, a whole industry has developed to mitigate these myriad risks, thereby clearing the way for greater use of mobile apps across industries.
But companies in highly regulated industries, such as financial services, pharmaceuticals, health care and insurance, face additional risks that must be carefully navigated. Steep fines can be levied on these organizations if personal data are compromised.
Conforming With Regulations
Mobile apps deployed by financial and insurance companies in the U.S. must conform with regulations that mandate keeping records of all oral communications leading to the execution of swaps (Dodd-Frank), storing records in electronically readable format for five years (Commodity Futures Trading Commission Rule 1.31), adhering to securities industry guidelines on social media postings (FINRA), protecting the privacy of information collected on customers (Gramm-Leach-Bliley), following ACH and EFT payment regulations (FDIC), and complying with individual state regulations.
Despite monitoring and controlling security vulnerabilities in their systems, many firms have not been able to keep up with cybercriminals. In 2013, the Citadel Trojan, one of the most aggressive malicious attacks on online banking applications, was adapted into Citadel-in-the-Mobile to attack Android devices: it installs itself on the handset and intercepts the SMS one-time passwords and authentication messages a bank sends to that device. Because the malware sits on the same phone that receives the code, an SMS one-time password is no longer an independent second factor. Today, developers attempt to mitigate these risks with practices such as back-end, risk-based authentication, detection of unusual activity or requests, and security features in the app that go beyond what the platform provides. Ultimately, however, companies have no control over the mobile device itself. Although mobile app developers identify and patch security vulnerabilities, device owners may not update their apps or operating systems, leaving their devices and the information on them at risk.
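The back-end, risk-based authentication mentioned above can be made concrete with a small server-side scorer. The following is an added example, not code from the article or from any bank; it assumes a hypothetical back end that already records, per customer, the devices and countries previously seen, the largest recent transfer, and the timestamp at which each SMS one-time password was issued. The customer profile and the requests are constructed sample data. Two of its signals target the Citadel-in-the-Mobile pattern directly: a code that is entered faster than a person could read and type it, and a code delivered to the customer's phone but submitted from a device the bank has never seen.

```python
"""Risk-based authentication for a transfer request (added example, hypothetical data model)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Profile:
    """What the back end is assumed to know about one customer."""
    known_devices: set            # device identifiers seen on previous sessions
    known_countries: set          # countries of previous sessions
    usual_max_transfer: float     # largest transfer in the recent history
    otp_phone_device: str         # device identifier of the phone that receives SMS codes


@dataclass
class Request:
    """One transfer request as the back end sees it (constructed sample)."""
    user: str
    session_device: str
    country: str
    amount: float
    otp_issued_at: Optional[datetime] = None
    otp_submitted_at: Optional[datetime] = None


# Weights are illustrative assumptions; a real deployment tunes them on its own fraud data.
W_NEW_DEVICE = 30
W_NEW_COUNTRY = 20
W_LARGE_AMOUNT = 25
W_OTP_TOO_FAST = 40
W_OTP_OTHER_DEVICE = 20
FASTEST_HUMAN_OTP = timedelta(seconds=3)


def risk_score(req: Request, prof: Profile) -> Tuple[int, List[str]]:
    """Return an additive risk score and the reasons that contributed to it."""
    score, reasons = 0, []
    if req.session_device not in prof.known_devices:
        score += W_NEW_DEVICE
        reasons.append("unrecognised device")
    if req.country not in prof.known_countries:
        score += W_NEW_COUNTRY
        reasons.append("unusual country")
    if req.amount > 3 * prof.usual_max_transfer:
        score += W_LARGE_AMOUNT
        reasons.append("amount far above customer's usual")
    if req.otp_issued_at is not None and req.otp_submitted_at is not None:
        # Malware forwarding the SMS to an attacker's session returns the code
        # almost instantly; a person reading and typing it takes longer.
        if req.otp_submitted_at - req.otp_issued_at < FASTEST_HUMAN_OTP:
            score += W_OTP_TOO_FAST
            reasons.append("OTP submitted faster than a person could type it")
        # The code went to the customer's phone but came back from another device.
        if req.session_device != prof.otp_phone_device:
            score += W_OTP_OTHER_DEVICE
            reasons.append("OTP delivered to phone but entered elsewhere")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action. Thresholds are assumptions for the example."""
    if score >= 80:
        return "deny"
    if score >= 40:
        # Step-up must not be another SMS to the same phone: that is the
        # channel the malware already controls. Use a push to an enrolled app
        # instance, a voice call-back or an in-branch check instead.
        return "step_up"
    return "allow"


if __name__ == "__main__":
    t0 = datetime(2014, 1, 15, 9, 0, 0)
    alice = Profile({"phone-a"}, {"US"}, 500.0, "phone-a")
    for label, req in [
        ("customer on own phone", Request("alice", "phone-a", "US", 200.0, t0, t0 + timedelta(seconds=25))),
        ("travelling on new tablet", Request("alice", "tablet-b", "FR", 300.0, t0, t0 + timedelta(seconds=40))),
        ("attacker with relayed OTP", Request("alice", "laptop-x", "RU", 4000.0, t0, t0 + timedelta(seconds=1))),
    ]:
        s, why = risk_score(req, alice)
        print(f"{label}: score={s} decision={decide(s)} reasons={why}")
```

The scorer is deliberately additive and explainable: each reason is returned alongside the score so that an analyst reviewing a stepped-up or denied transfer can see which signal fired, which is also what a regulator asks for when a customer disputes a block.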
Mobile medical apps deployed by health-care companies must conform with regulations that set standards for use and disclosure of individuals' health information in order to ensure both patient privacy and quality of care (HIPAA), that require data breach notifications (HITECH), and that require adherence to guidelines set for medical devices (FDA).
Since many mobile devices and apps have substandard security protocols and safeguards, more U.S. federal agencies are stepping in to monitor and regulate them. Companies seeking to innovate through mobile health technology may need approvals from the FDA, as well as the FCC and the FTC. In May 2013, for instance, the FDA admonished Biosense Technologies Ltd of India over its urinalysis app uChek, which prompts customers to buy commercially available urinalysis test strips that change color depending on the substances present in the urine. Once the customer has completed the test, he or she photographs the strip with the app and is told the result based on the concentration of those substances. According to the FDA, the app used with the strips is a medical device that requires FDA clearance before it can be marketed.