How hospitals can avoid security pitfalls in health apps
The pace of innovation in healthcare today is a “gold rush” for apps. Innovators large and small are speeding apps through development and bringing them to market as quickly as possible which all-too-frequently means security is among the last considerations. That means healthcare organizations must be extra diligent when considering new apps.
“There are a million different apps out there – the problem is the low barrier to entry into the healthcare market,” said Kurt Hagerman, CISO at cybersecurity firm Armor Defense. “When you look at the EHR vendors, they cannot be everything, they have to focus on a core set of services and then allow others to supplement those large, monolithic EHR systems with other apps.”
Combine these sorts of apps with the advent of the internet of things devices and there is a mad dash to capitalize on providing more current or real-time health data, Hagerman said.
So how can hospitals tap into the innovation gold rush without compromising protected health information and personally-identifiable information?
A big part of the solution is educating upstart developers about the healthcare industry and its unique requirements. HIPAA, for starters.
The law simply states that an entity will protect the confidentiality, integrity and availability of PHI and protect the data against reasonable threats, Hagerman said. HIPAA is vague enough to be hard for many developers to comprehend on their own.
Hospitals working with app developers need to state up-front and clearly what HIPAA requires in a specific app.
“To protect confidentiality, integrity and availability, you have to build strong authentication credentials, you have to encrypt,” he said. “But these smaller companies just don’t understand it.”
Beyond education, it’s up to hospitals to enforce better cybersecurity, ask app developers the right questions and demand the kinds of protections that will defend PHI from all sorts of attacks, Hagerman said.
“Part of the education and what can be communicated by health systems is there is a cost to play when it comes to apps,” he explained. “One example I use is going to Vegas to play Blackjack. You can play at the $10 and $20 minimum tables, which are always full, or you can play at the $1,000 minimum table in the high rollers room, which has room, but maybe you don’t have that kind of money. You can’t play there. They have a minimum commitment to play in that room. That is what we are seeing in healthcare apps and security. People do not understand there is a cost of being in the business of processing people’s health information.”
Hagerman also recommended requiring vendors to go through a self-assessment before integrating with any of your IT systems and added that a few savvy organizations are even taking a leadership role to ensure partners are on the same page
“A sense of urgency is building – you cannot just build an app, there are security requirements. The industry is starting to correct this a little bit,” he added. But healthcare providers still need a stronger message for developers. “When you start seeing Microsoft, Amazon and Google provide guidance on how to use their platforms to build apps that store healthcare data, that will be a big step.”