How to build a secure medical mobile app in six steps

21 Aug 2017
To engage with patients at a more convenient level, clinics, care providers, and other stakeholders have begun integrating mHealth solutions into their practice. These secure medical solutions take the form of mobile apps that go beyond a simple fitness or wellness tracking app.

The healthcare industry deals with sensitive, personal information, so it is crucial to develop a secure medical mobile app that protects patient data while also minimizing liability risk for healthcare organizations and providers. A number of medical app security factors need to be considered when building a health app that is both easily adoptable by users and reliable and secure. This post highlights how to secure a medical mobile app.

Step 1: Mobile security for healthcare: Conduct research for regulatory compliance

As information technology expands its reach, its impact on industries is constantly changing. Medicine in particular has been significantly influenced by this progress. Legislative bodies in countries around the world have needed to implement laws and policies that regulate how sensitive patient data should be handled. Depending on the functionality of the app, the region it’s used in, and the data being transmitted and/or stored, medical apps can fall under various regulations and compliance standards in healthcare.

When creating a medical mobile app, publishers (and developers) need to be aware of whether or not their app requires compliance with specific regulations. If the app is used by numerous medical personnel or facilities that store or transmit sensitive data, it is highly likely that it falls under a particular set of policies that must be adhered to in order for the app to be deemed safe to use for the public. These policies will differ from region to region and will also be affected by the type of protected data that is being handled. In most countries, protected health information includes:

  • insurance-related data;
  • actual medical information;
  • personal data about patients, such as social security numbers, contact info, demographic details, etc.;
  • appointment dates;
  • medical histories;
  • prescription history;
  • any other sensitive information which should not be publicly available.

If the app being developed deals with any of the information listed above, it’s important to conduct compliance research early on to identify any and all applicable regulations.

Let’s briefly go through healthcare data security standards depending on the region(s) that the published app will be used in.

  • Any medical application for the US market that stores and/or transmits protected personal and medical data must comply with HIPAA. This Act not only helps to protect sensitive patient data but also regulates the way this data is transmitted. HIPAA also restricts access to this information by entities that aren’t authorized.
  • For the European market, it is important to follow GDPR requirements during development. The Regulation governs any processing and movement of personal data. The UK has its own implementation of GDPR, the Data Protection Act, that controls the way personal data is used by businesses, organizations, or governments.
  • In Canada, the security of healthcare information systems is governed by PIPEDA. It sets the standards that private sector organizations must follow when collecting, using, and disclosing personal data in the course of their business.

Information on legislative norms will help developers and publishers design, engineer, and distribute apps that meet all medical app security requirements, ensuring that the published app is authorized by governmental legislation as safe to use.

Step 2: Ensure medical mobile app security through encryption

Trust is an important part of the implied agreement made between app publishers and app users. When it comes to patient health information, it is also a potential deciding factor between a positive and negative outcome.

If patients are unsure of the confidentiality of their eHealth information, they will likely withhold pertinent details from their healthcare providers. In turn, providers won’t be able to trust that the information they’ve received is complete, making it impossible for them to provide effective care. As well, providers need to protect themselves from the legal ramifications of breaching patient privacy and will therefore not participate in a system that can’t guarantee regulatory compliance and security. Without ensuring that a developed app is safe and secure for both patients and providers, the whole system becomes useless.

In order to solve the problem of trust, developers and app publishers can make use of encryption. Healthcare encryption standards are widely considered the most effective way to protect sensitive data, whether it is at rest, in transit, or traversing multiple network connections. Encryption can be used to protect:

  • databases;
  • files on servers;
  • entire communication channels;
  • hard drives;
  • email messages;
  • and other potentially sensitive transmissions or storage of data.

By using algorithms to turn plaintext into unreadable ciphertext, encryption can ensure the confidentiality of a medical mobile app’s data. To decrypt the ciphertext and turn it back into plaintext, an encryption key is required. This key is something that only authorized parties (such as healthcare providers and patients, in this case) have in their possession.

The standard for establishing a private, secure connection between a client and a server is implemented in a specialized protocol that developers ought to adhere to. At present, Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), both frequently referred to as “SSL”, are cryptographic protocols that ensure privacy and data integrity between a server and an application.

When building a medical mobile app, developers might make use of open source components and libraries that could have vulnerabilities of their own, potentially leading to data breaches. To mitigate security risks, it’s vital to work with a skilled operations team that understands the possibilities and limitations of cloud platforms and other third-party components. Experienced medical app developers and project managers know that full compliance with applicable federal laws safeguarding protected health information is a must and will use their expertise to achieve this goal.

Step 3: How to make an app secure via user authentication

A simple way to protect any app from unauthorized use or entry is through applying multi-factor authentication (MFA). This method of access control grants entry to users only after they’ve successfully presented separate pieces of evidence that they are indeed authorized to access an app’s data. MFA is particularly useful in case a user’s device is lost or stolen, preventing unauthorized access to their information.

Two-factor authentication (2FA) is a versatile way of ensuring that only authorized users can gain access to data. Using 2FA, users are asked to confirm their identity by entering a password plus a second factor, such as a fingerprint, voice identification, a retinal or iris scan, or a verification code sent by text message. Often, implementing 2FA in an app is enough to ensure that only the authorized person will be able to access the information.

When developing a medical mobile app, it’s important to analyze which form of MFA is required or best meets the app’s usability, functionality, and security goals. Different authentication methods will offer varying advantages and disadvantages and proper assessment of those will ultimately determine which method is most effective.

Step 4: Conduct comprehensive healthcare app testing

Launching an application that is incomplete or filled with bugs is the fastest way to ruin the reputation of an app and the company behind it. The good news is that code is becoming more secure as testing standards get pushed earlier in the development cycle.

To verify the safety of medical mobile apps, in particular, security testing is required alongside regular quality assurance testing. Security tests are performed to exploit vulnerabilities which may exist in operating systems and services, as well as application flaws, improper configurations, or risky end-user behavior.

Medical app vulnerability: Top 10 cases to test for

According to the Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization that aims to improve the security of software, there are 10 top mobile security vulnerabilities to look out for. They are:

#1: Weak server-side control
The application communicates with a backend web endpoint that is not secure, possibly resulting in an insecure API implementation or web-application vulnerabilities.

#2: Insecure data storage
The app stores sensitive data with insecure file permissions or insecure encoding, making it accessible to unauthorized parties.

#3: Insufficient transport layer protection
The communication channel between the app and the server is not secure, which may allow eavesdropping by an attacker using the same WiFi connection.

#4: Unintended data leakage
The app leaks sensitive data that is accessible to other apps on the same device or to an attacker who has physical access to the device.

#5: Poor authorization and authentication
The app has poorly implemented authorization that can be bypassed.

#6: Broken cryptography
The app uses insecure encryption algorithms that are not strong enough to protect the sensitive data it stores.

#7: Client-side injection
The app does not properly “sanitize” user input before it is executed in the application, leaving the data vulnerable.

#8: Security decisions via untrusted input
Apps often trust inputs coming from other sources without realizing that these could be modified by an attacker.

#9: Improper session handling
Apps often store cookies and other authentication information on the device for a long period of time, such as for as long as a session is open. Failing to do this securely results in an attacker taking over a user’s session.

#10: Lack of binary protections
This vulnerability allows an attacker to reverse-engineer the mobile app binary, which gives them access to the app’s source code or even to its encryption algorithms and hardcoded sensitive values.

These are some of the fatal vulnerabilities that must be tested for in order to ensure that an app is secure. While developers may build an app, they are not responsible for where and how the app is hosted once it’s launched. At this stage of production, it is the responsibility of app publishers to check whether servers are safe to use through penetration testing.

Conducting proper, comprehensive testing will make sure that none of the aforementioned vulnerabilities exist. It is also important to test the business logic, the real-world business rules that determine how data can be created, stored, and changed, on the server side. To cover all of the security bases, also ensure that all the principles of secure data transmission are implemented on both the server and client side.
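As an added example (not the post’s own code) of what a fix for #9, improper session handling, looks like on the backend: a server-side session store that issues random tokens, keeps only their hash, and enforces both an absolute lifetime and an idle timeout. The clock is injectable so a QA test can simulate time passing; the two limits are constructed values, not figures from the post.

```python
import hashlib
import secrets
import time

# Constructed limits for illustration; tune to the app's risk assessment.
ABSOLUTE_LIFETIME = 8 * 3600   # seconds: force re-authentication at least every 8 h
IDLE_TIMEOUT = 15 * 60         # seconds: drop the session after 15 min of inactivity


class SessionStore:
    """In-memory session store; a real deployment would back this with a DB/cache."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # sha256(token) -> {"user", "created", "last_seen"}

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored, so a leaked copy of the store cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[self._key(token)] = {"user": user_id, "created": now, "last_seen": now}
        return token

    def resolve(self, token: str):
        """Return the user id for a live session, or None.

        An expired session is deleted on sight instead of lingering in the store.
        """
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["created"] > ABSOLUTE_LIFETIME
                or now - sess["last_seen"] > IDLE_TIMEOUT):
            del self._sessions[key]
            return None
        sess["last_seen"] = now  # activity extends the idle window, never the absolute one
        return sess["user"]

    def revoke(self, token: str) -> None:
        """Explicit logout / device-lost handling: invalidate immediately."""
        self._sessions.pop(self._key(token), None)
```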

Step 5: Protect a medical app from penetration

There are different types of attacks and attackers that can be a threat to sensitive data so it’s important to know how to secure an app from them. Understanding the differences and knowing how to best deal with varying types of attacks is critical when building a medical mobile app.

For example, hackers leverage their technical expertise to infiltrate protected systems and get hold of private information. Closing any gaps in security and ensuring that no vulnerabilities exist can deter most hackers from targeting an app.

A social engineer is another type of attacker who exploits the weaknesses of human psychology to trick people into offering them access to sensitive information. Phishing, a homophone of fishing, is a form of social engineering in which an attacker tries to learn information, such as login credentials or account details, by masquerading as a reputable entity or person in email or other communication channels, or tries to install malware through a link or attachment.

Another type of threat is known as a man-in-the-middle (MITM) attack, in which a third party intercepts the communications between two parties, such as a mobile health app and a database full of protected health information. A malicious individual may execute an MITM attack to eavesdrop on or manipulate those communications to cause harm or bypass other security measures on either side of the connection. In order to protect sensitive data from an MITM attack, it’s necessary to implement secure transmission of sensitive data and use an up-to-date version of Transport Layer Security.
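As an added example (not from the original post) covering both the TLS recommendation in Step 2 and the MITM defence above, this is how a client connection to the app’s backend can be configured so that an attacker on the same WiFi cannot downgrade the protocol or present a rogue certificate: TLS 1.2 as the floor, chain and hostname verification mandatory, and an extra certificate-pinning check. The host, port and pin values are assumptions to be replaced with the backend’s own.

```python
import hashlib
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses SSLv3/TLS 1.0/1.1 and always verifies the server.

    create_default_context() already loads the system trust store and enables
    hostname checking; the settings are restated so a future default change cannot
    silently weaken them.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the value an app would ship as a pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert: bytes, pins) -> bool:
    """Pinning check run after normal chain validation succeeded.

    Shipping several pins (current plus next certificate) lets the backend rotate
    keys without locking out installed clients.
    """
    return cert_fingerprint(der_cert) in set(pins)


def connect_pinned(host: str, port: int, pins) -> str:
    """Open a verified, pinned TLS connection and report the negotiated version.

    host/port/pins are placeholders supplied by the caller; a pin mismatch is
    treated as a possible MITM and the connection is abandoned.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if not pin_ok(leaf, pins):
                raise ssl.SSLError("certificate pin mismatch; refusing to send data")
            return tls.version()
```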

By knowing the types of attacks that exist and which attackers would most likely be interested in the data being transmitted through a medical mobile app, developers and publishers can focus on boosting security measures to prevent or deal with threats effectively.

Step 6: Request long-term support

All developed software requires maintenance to keep up with technological advancements and any future security vulnerabilities. This is particularly true for medical mobile apps because the industry is constantly changing and evolving. After its release, a support team should be tracking all important lifetime metrics of a developed app, receiving alerts on resource usage and security threats, while also making sure that up-to-date libraries are used to enable a seamless user experience. When outsourcing an app’s development, it’s important to ensure that there is post-release support to take care of updates and maintain security.

Building healthcare apps with safety and security in mind

The infusion of mobile technology into medicine is reshaping the ecosystem that doctors and patients operate in. Those willing to engage in medical mobile app development face challenges that can be overcome, as long as the necessary medical app security is implemented.

Medical mobile apps are built to address a unique healthcare need, allowing patients and healthcare providers to connect in a more convenient, yet still secure way. Building secure mobile apps for healthcare requires app developers to understand what types of healthcare information fall under governmental regulatory protection. This protection may differ based on the region where the developed app will be distributed, so it’s critical to begin development by conducting proper research with regard to compliance.

Designing an easy-to-operate user experience in a security-friendly environment will foster trust among users and will facilitate immediate adoption of a new app. The ability to foresee and prevent cyberattacks, such as phishing or man-in-the-middle attacks, and the implementation of standardized encryption, accompanied by thorough security testing, will also work towards ensuring the safety of a medical mobile app.

If you’re ready to get started on your medical mobile app development for patients or doctors or want to know more about securing medical records, contact us. We'll help you design and build a secure medical app that looks good, works well, and addresses user needs.