HIPAA: A 20th-Century Law in a 21st-Century World

When healthcare-interested attendees gathered in Chicago this month for HIMSS 2015, few issues loomed larger than security and privacy concerns. In many ways, mobile healthcare apps have advanced far more rapidly than had been expected, enjoying an aggressive healthcare push by multiple hardware and software makers.

The problem is that those medical scanning capabilities have morphed a lot faster than security/privacy capabilities and interpretations of federal healthcare privacy laws such as HIPAA (the Health Insurance Portability and Accountability Act of 1996).

The HIPAA issues are complicated, but at its essence, the problem is how much data the mobile device stores locally, even for a brief period. In a perfect world, all such data would be transmitted in a highly encrypted fashion to a secure server; unfortunately, these apps will function in environments that are far from perfect. Many areas don’t have consistent Internet connections, forcing the app to either save data locally or refuse to function until it has such a connection.

This conundrum gets worse. The nature of many of these mobile healthcare apps means they realize much of their benefits from the ability to constantly function. For example, parents traveling with a sick child can attach a tiny sensor to their forehead to repeatedly take and record temperature. That is a huge improvement — in terms of making an accurate medical diagnosis — over what is typically done today, where a parent will take a few readings at random points. A temperature of a patient at any given time is of little value, but plotting many such readings over a period of time shows whether the fever is increasing or decreasing and at what frequency. If the data is blocked every time the patient moves out of the range of an Internet connection, however, its value is much less.

Do people even understand what HIPAA is really asking for and what they need to do to be compliant?

Many healthcare mobile app developers have questioned whether HIPAA is relevant today and whether its restrictions need serious updating. But others — including some planning to participate in the HIMSS show — think the problems lie in the interpretations of HIPAA, rather than the law itself.

“There’s a plethora of misinformation about HIPAA [such as] what actually requires encryption and how it is to implement proper encryption,” said Michael McAlpen, the executive director of security, compliance and data privacy for mobile vendor 8×8. “Do people even understand what HIPAA is really asking for and what they need to do to be compliant?”

McAlpen, who is a board member for President Obama’s strategic infrastructure cyber defense group as well as a member of the U.S. Secret Service’s Cyber Crime Task Force, argues that aggressive encryption on a mobile device should satisfy HIPAA. Mostly, he’d like healthcare companies to actually read the full text of HIPAA and to better screen third-party vendors who are helping them with security.

“I want to see them signing attestations. They should have to sign that they understand HIPAA regulations,” he said, adding that, with vendor selection, “Did you do your due diligence? Did you check with your vendors — before signed them up — about their HIPAA understanding?”

HIPAA rules are ‘designed to be timeless. They are very vague on purpose.’

HIPAA rules are “designed to be timeless. They are very vague on purpose. It leaves a lot to interpretation,” said Michelle Longmire, the CEO of mobile healthcare app vendor Medable.com. “For what (HIPAA) set out to do, they’ve done a pretty good job. But I don’t think it is generally well understood. It’s still seen as a barrier by many in the industry.”

Sandeep Pulim is the chief medical information officer for a mobile healthcare app vendor called @Point Of Care. For the moment, Pulim said, their app takes the most conservative route: if there’s no active Internet connection (and, hence, no way to store data on a secure server), all data fields are blocked. In short, the app won’t work.

“If it can’t authenticate, we don’t allow you to put anything in. Admittedly, that’s a limitation,” Pulim said, adding that his firm plans on changing that with the next software update, when the software “will allow us to encrypt the date on the device itself.” For now, though, Pulim said that he doesn’t see the restriction as being a big problem. “For 95 percent of our users, this has not been an issue,” he said.

If it can’t authenticate, we don’t allow you to put anything in.

One big problem with any kind of mobile app that retains sensitive data is that it’s almost impossible to fully isolate that data. The data can be accessed by the mobile operating system, various third-party maintenance apps, and other apps on smartphones and tablets.

Consider some mobile privacy problems that hit two major retailers last year. Walmart thought it had taken strong steps to secure its data, only to find that its iOS version was leaking data to iTunes. How? Whenever iTunes did a full device backup, it was grabbing everything, which included temp files of Walmart pharmacy and sensitive purchase history, along with shopper geolocation records. Some of Starbucks’ sensitive data —including unencrypted passwords — was intercepted by a crash analytics program it used. How? Every time the phone crashed, the program captured everything so that it could later be analyzed to determine the cause of the crash. Among the things it grabbed: sensitive customer information.

What if patients voluntarily share sensitive data about themselves? “There are patients who share data about themselves on social media. They believe that, with my data, I should control what I do with it,” Pulim said. “How do you protect people from themselves? Just because we’re securing the data, we can’t prevent patients from sharing. We can’t secure it from other people. If someone is backing up the entire image of the phone, there’s not much we can do. It makes things a lot harder to do. These make it definitely more challenging.”

Like every other element of mobile security, healthcare apps will eventually be right up there with secure banking apps. Until then, though, references to “privacy” on the floors of HIMMS are more likely to coincide with a grimace than a smile.