With vaccinations underway, it’s becoming possible to envision the light at the end of the pandemic tunnel; however, the post-COVID world will have some notable differences. One such example is the likely requirement of “immunity passports” to do any number of things: have elective surgery, attend college, or travel internationally.
The European Union, China, Israel and Japan are among the nations that have launched or plan to unveil such programs. In the U.S., states will be in charge of developing their programs with federal support as required. Given the partisan differences surrounding the pandemic response and economic recovery, this is likely to introduce numerous challenges in and of itself. But political concerns aside, the emergence of more coronavirus tracing apps and programs also brings some serious security challenges.
As PBS’ Laura Santhanam recently put it, “Unlike the physical [vaccination card used to track Yellow Fever], there are growing concerns about data privacy as documents verifying COVID-19 vaccination would exist and generally be accessed digitally.” In fact, these concerns are so pressing that a new Forrester report includes the vulnerability of COVID-19 apps as one of the five major problems which could impede post-pandemic progress in 2021.
With that in mind, let’s take a look at some of the chief vulnerabilities and what governments and businesses alike should be cognizant of as these apps become more mainstream.
Improper Access Controls. Hospital administrators. Physicians. Insurance adjusters. Claims specialists. Pharmacy techs. The list of potential roles that could access vaccination data is massive, and that’s just within the healthcare setting. When you expand to other industries, the list is virtually endless. In order to protect sensitive data, it’s important that all COVID-19 apps and programs are designed with strong role- and event-based access controls.
For example, a doctor may require “Write” access in order to edit or add information pertinent to a patient’s immunity or reaction to the vaccine. However, this permission should be the exception rather than the norm as hackers could wreak havoc should they be able to manipulate data within these apps and programs.
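One way to express the role- and event-based control described above, as an added example rather than code from any COVID-19 app. The role names follow the list above; the permission table, the "encounter" event, the four-hour window and all identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy: no role holds standing write access; unknown roles get nothing.
ROLE_PERMS = {
    "physician": {"read"}, "pharmacy_tech": {"read"}, "hospital_admin": {"read"},
    "insurance_adjuster": set(), "claims_specialist": set(),
}
WRITE_WINDOW = timedelta(hours=4)  # assumed lifetime of an event-based write grant

@dataclass
class Encounter:  # hypothetical event that justifies a temporary write grant
    physician_id: str
    patient_id: str
    opened_at: datetime

@dataclass
class AccessController:
    encounters: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def is_allowed(self, user_id, role, action, patient_id, now):
        allowed = action in ROLE_PERMS.get(role, set())  # deny by default
        if action == "write":
            # Write is the exception: physician role AND a live encounter
            # linking this physician to this patient.
            allowed = role == "physician" and any(
                e.physician_id == user_id
                and e.patient_id == patient_id
                and timedelta(0) <= now - e.opened_at <= WRITE_WINDOW
                for e in self.encounters
            )
        # Record every decision, denials included, for later review.
        self.audit_log.append((now.isoformat(), user_id, role, action, patient_id, allowed))
        return allowed

def demo():
    t0 = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample data
    ac = AccessController([Encounter("dr_lee", "patient_17", t0)])
    hour = timedelta(hours=1)
    return [
        ac.is_allowed("dr_lee", "physician", "write", "patient_17", t0 + hour),
        ac.is_allowed("dr_lee", "physician", "write", "patient_17", t0 + 5 * hour),
        ac.is_allowed("dr_lee", "physician", "write", "patient_99", t0 + hour),
        ac.is_allowed("tech_01", "pharmacy_tech", "write", "patient_17", t0 + hour),
        ac.is_allowed("adj_07", "insurance_adjuster", "read", "patient_17", t0),
    ], ac.audit_log
```

Only the first request in `demo()` is granted: the same physician is refused once the window lapses or for a patient without an open encounter, and every decision lands in the audit log.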
The Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in the United States in 1996. The legislation creates data security and privacy requirements for safeguarding medical information. In recent years, HIPAA compliance has become a hot-button issue for software developers in the healthcare space, as a number of high-profile data breaches compromised millions of patient records across the country.
If you’re developing an eHealth or mobile health app, it is vital that you determine whether your software could be subject to the requirements of HIPAA for medical software applications. Failure to do so could subject you to thousands or even millions of dollars of liability if the use of your application results in an unauthorized disclosure of health information that is protected under HIPAA. Here’s how to tell whether HIPAA applies to you, and how to know if your software is HIPAA compliant.
Does HIPAA apply to me?
Before you start worrying about compliance with the security and privacy requirements of HIPAA, you should determine whether they can be applied to you and your organization. Both the HIPAA privacy rule and the HIPAA security rule apply to all covered entities under HIPAA, such as health plans, healthcare clearinghouses and healthcare providers. The website of the Centers for Medicare & Medicaid Services offers a Covered Entity Guidance Tool that can help you determine whether your organization is a covered entity.
HIPAA was expanded in 2009 with the introduction of the HITECH Act and again in 2013 with the HIPAA omnibus rule, which clarified the responsibilities of business associates of covered entities when it comes to managing privacy and security of patient records. Further guidance was issued in 2016 indicating that cloud service providers would also be covered by the HIPAA privacy, security and breach notification rules.
Software developers in the healthcare space need to tread carefully here – the original regulations of HIPAA that deal with covered entities probably won’t apply to most organizations creating eHealth or mobile health products, but if your app will manage protected health information and share it with any covered entities, such as health plans or doctors, then HIPAA applies to you and you must comply.
If your software collects protected health information from patients but does not share it with a doctor or another covered entity at any point, the HIPAA rules won’t apply to you and you don’t need to worry about compliance.
Required safeguards for software HIPAA compliance
The available data indicates that while theft of computing hardware was the primary cause of healthcare data breaches in 2017, the greatest vulnerability that was exploited was health IT networks. For software developers, the HIPAA security rule is the most likely potential source of compliance issues. The rule mandates three types of safeguards that protect patient data – administrative, physical, and technical. In creating these safeguards, software developers must establish a secure application where authorized personnel have access to the required patient information while unauthorized persons do not. Patient information must also be protected from alteration or destruction.
Administrative safeguards ensure that software administrators who may have access to the data are acting responsibly. If your software stores medical data, anyone with access to that data must be authorized and trained on the ethical and legal requirements of that access. Administrative safeguards include:
Security management process
Security personnel
Information access management
Workforce training and management
Evaluation
Physical safeguards help to mitigate data breaches by ensuring that only authorized users can access the facilities and machines where protected health information is stored. Physical safeguards include managed policies for:
Facility access and control
Workstation and device security
Technical safeguards present the greatest challenge for software developers building HIPAA-compliant products, as software bugs represent the best opportunity for data attacks against your organization. HIPAA does not detail exactly what firewalls, anti-malware devices or encryption tools should be used to secure your software against a data breach, but it does indicate the need for several types of controls: