Healthcare Apps: Are They a Data Breach Risk?

Telehealth has changed how we view healthcare and use technology to improve patient outcomes, especially during the COVID-19 pandemic. Providers and patients alike are using health apps and devices to collect data that can be used to inform diagnoses, create treatment plans, and manage an individual’s overall health. These apps and devices improve the efficiency and precision of health care, but they can also put patients’ sensitive information at risk of a data breach if they aren’t managed properly.

The role of apps in healthcare

For several years, health apps have had a significant positive impact on how healthcare organizations operate. Electronic health records (EHR) and electronic medical records (EMR) software, for example, has enabled healthcare providers to create digital ecosystems for their patients’ data. These tools give physicians and their patients streamlined access to diagnostic test results, health monitoring data, appointment scheduling, and one-to-one communications. Because these apps so clearly handle sensitive patient data, they have long been subject to Health Insurance Portability and Accountability Act (HIPAA) enforcement.

However, the same cannot be said for consumer-focused health apps that help individuals gain better insight into their own health metrics. Many users access these tools to track their vital metrics, medications, fertility, sleep, fitness, treatment progress, mental health, and other health markers. Developers and companies that create these apps have not historically been held to the same HIPAA standards, but a recent statement from the U.S. Federal Trade Commission (FTC) has shifted the regulatory spotlight.

Current laws and the growing concern for data breaches

In September 2021, the FTC issued a policy statement requiring health app companies to comply with the Health Breach Notification Rule in the event of a data breach. This rule, which was originally published more than a decade ago, states that vendors of personal health information and related sensitive data must notify the consumer, the FTC, and, in some cases, the media in the event of a breach.

The Health Breach Notification Rule also covers entities and categories of sensitive information that HIPAA does not directly address, so that breaches of consumer health data outside HIPAA’s scope are still accounted for. Especially in light of the COVID-19 pandemic, more companies have begun developing apps and services that provide telehealth functions, yet these apps have largely occupied a jurisdictional gray area when it comes to user privacy and data breaches.

The FTC’s statement holds health app developers accountable for cybersecurity incidents as well as for advertising tactics that use consumers’ sensitive data for financial gain. This means health apps can no longer share a user’s data with third parties unless the user provides express consent to do so. It also means these developers now have a greater stake in maintaining a strong cybersecurity posture, or else face steep financial consequences in the event of a data breach.

Technical safeguards for health apps

Most healthcare organizations are likely familiar with the tools needed to maintain patient privacy while also leveraging the efficiency and convenience of modern technology such as EHR software. However, cybersecurity tools will play a bigger role in healthcare technology as the pool of health apps continues to expand.

In general, health app developers should prioritize data encryption, sophisticated authentication measures, and a zero-trust security framework to ensure compliance with patient privacy laws. Additionally, security information and event management (SIEM) tools will help minimize fallout in the event of a cybersecurity incident. Investing in these technical safeguards will help prevent catastrophic data breaches in the long run.

Caitlin Cooley

Caitlin Cooley is an up-and-coming healthcare writer who gained her experience working with urban clinical trials in Chicago. Her writing skillset is based in clinical asthma research, child psychology research, and neuroscience research and extends across grant writing, systematic and scoping review writing, and article writing. Cooley found a passion for writing through her work at the University of Illinois at Chicago Hospital and Health System, which continued at DePaul University. Through her position at UIC she had the opportunity to lead a systematic review, diversify her medical and research writing skillset, and become a published first author at age 21. At DePaul University, her alma mater, she had the opportunity to work on an open-access textbook, conduct research under a prestigious research fellowship, and enhance her manuscript writing skillset. Though she is new to the writing industry, she has her “foot in the door,” has published in four areas of healthcare, and looks forward to adding much more.