Code Blue on Healthcare Applications

Healthcare apps are under increased scrutiny by Federal Agencies for privacy and security violations.

Healthcare apps are under increased scrutiny by federal agencies. Most recently, a policy statement approved by the Federal Trade Commission (FTC) in September affirmed that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule requiring the application vendors to notify consumers and others when their health data is breached through those applications.

According to the FTC’s formal policy statement, this covers those applications that are not already under the umbrella of the Health Insurance Portability and Accountability Act (HIPAA), including in particular, health-based consumer applications.

In this new policy statement, which strengthens the FTC’s ability to enforce the Health Breach Notification Rule, the FTC writes the following:

“Under the definitions cross-referenced by the Rule, the developer of a health app or connected device is a “health care provider” because it “furnish[es] health care services or supplies.” … The Commission considers apps covered by the Rule if they are capable of drawing information from multiple sources, such as through a combination of consumer inputs and application programming interfaces (“APIs”).

In January, the FTC brought one case against a health app that shared healthcare information outside of its 100 million user base, but that company was not charged under violation of the Health Breach Notification law. For years, however, the FTC has been enforcing cases against health-related applications for shoddy development practices. These cases cited questionable design decisions, including the introduction of vulnerabilities into the software.

For example, according to a FTC complaint against HTC America, the company failed to implement readily-available secure communications mechanisms in the logging applications that it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with the logging applications, placing consumers’ text messages, location data, and other sensitive information at risk. From the FTC press release:

“Among other things, the complaint alleged that HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.”

In response to an email inquiry on behalf of Shift Left Academy, a FTC spokesperson recently answered questions about how their enforcement of this rule will affect developers.

Q: Can you tell us a little bit about the Health Breach Notification Rule?

A: Third-party healthcare apps not subject to HIPAA must comply with the FTC’s Health Breach Notification Rule. The Rule requires companies that experience a breach of consumers’ identifying health information to notify affected consumers, the FTC, and, in some cases, the media. On September 15, 2021, the Commission issued a statement clarifying that the Rule applies to most health apps and similar technologies.

Q: What are the consequences for application providers that don’t follow the Health Breach Notification rule?

A: Failure to notify the FTC, consumers, or the media, as required by the Rule, could result in an enforcement action seeking significant civil penalties. Companies that fail to comply with the Rule could be subject to penalties of up to $46,517 per violation per day.

Q: What advice do you have for developers and software vendors to get in line with this rule and secure their code better?

A: The FTC expects app developers to adopt and maintain reasonable data security practices and doesn’t prescribe a one-size-fits-all approach. The FTC has issued guidance documents for developers outlining best practices they can adopt to help protect users of their apps and the reputation of their apps. (See resources section below.)

FTC Resources:

For easy reference points to security in health-related applications, read the FTC’s Start with Security: A Guide for Business (ftc.gov), which outlines 10 common-sense lessons that apply to app developers of all sizes and in all sectors. Some key points include:

• Don’t collect personal information in apps when you don’t need to.
• Control access and build secure authentication mechanisms.
• Develop sound security practices when developing new products. 

Also check out the FTC’s extensive guidance for complying with the Health Breach Notification Rule when a breach occurs.

Other Resources:

GrammaTech whitepaper on the role of static analysis in healthcare apps (registration required).

 

*** This is a Security Bloggers Network syndicated blog from Shift Left authored by Deb Radcliff. Read the original post at: https://shiftleft.grammatech.com/code-blue-on-healthcare-applications