Telehealth has changed how we view healthcare and use technology to improve patient outcomes, especially during the COVID-19 pandemic. Providers and patients alike are using health apps and devices to collect data that can be used to inform diagnoses, create treatment plans, and manage an individual’s overall health. These apps and devices improve the efficiency and precision of health care, but they can also put patients’ sensitive information at risk of a data breach if they aren’t managed properly.
The role of apps in healthcare
For several years, health apps have had a significant positive impact on how healthcare organizations operate. Electronic health records (EHR) and electronic medical records (EMR) software, for example, has enabled healthcare providers to create digital ecosystems for their patients’ data. These tools give physicians and their patients streamlined access to diagnostic test results, health monitoring data, appointment scheduling, and 1:1 communications. The obvious use case and sensitive nature of this data has meant these apps have long been subject to Health Insurance Portability and Accountability Act (HIPAA) enforcement.
However, the same cannot be said for consumer-focused health apps that help individuals gain better insight into their own health metrics. Many users access these tools to track their vital metrics, medications, fertility, sleep, fitness, treatment progress, mental health, and other health markers. Developers and companies that create these apps have not historically been held to the same HIPAA standards, but a recent statement from the U.S. Federal Trade Commission (FTC) has shifted the regulatory spotlight.
Current laws and the growing concern for data breaches
In September 2021, the FTC issued a policy statement requiring health app companies to comply with the Health Breach Notification Rule in the event of a data breach. This rule—which was originally published more than a decade ago—states that vendors of personal health information and related sensitive data must notify the consumer, the FTC, and, in some cases, the media in the event of a breach.
The Health Breach Notification Rule also ensures that entities and sensitive information not directly covered by HIPAA are accounted for when consumer data is breached. Especially in light of the COVID-19 pandemic, more companies have begun developing apps and services that provide telehealth functions. However, these apps have largely occupied a jurisdictional gray area when it comes to user privacy and data breaches.
The FTC’s statement holds health app developers accountable for cybersecurity incidents as well as advertising tactics that use consumers’ sensitive data for financial gain. This means health apps can no longer share a user’s data with third parties unless the user provides express consent to do so. It also means these developers now have higher stakes to maintain a strong cybersecurity posture, or else face steep financial consequences in the event of a data breach.
Technical safeguards for health apps
Most healthcare organizations are likely familiar with the tools needed to maintain patient privacy while also leveraging the efficiency and convenience of modern technology like EHR software. However, cybersecurity tools will play a bigger role in healthcare technology as the pool of health apps continues to expand.
In general, health app developers should prioritize data encryption, sophisticated authentication measures, and a zero-trust security framework to ensure compliance with patient privacy laws. Additionally, security information and event management (SIEM) tools will help minimize fallout in the event of a cybersecurity incident. Investing in these technical safeguards will help prevent catastrophic data breaches in the long run.