Privacy and security in healthcare: A must-read for healthtech entrepreneurs

01 Dec 2024

Over the last decade, the healthcare sector has seen a steady increase in hacking and data breaches. The HIPAA Journal reports that 2021 was a bad year for data breaches, with nearly 46 million records breached. There’s been no letup since then. In 2022, around 52 million patient healthcare records were compromised in 720 data breaches. Health data breaches reached new highs in 2023, when the number climbed to 133 million records.

Why is cyber security in healthcare so important? Patient data includes personally identifiable information (names, dates of birth, addresses, bank account numbers) and medical information (ailments, disabilities, abuse, mental conditions). A data leak can damage the reputation of both doctors and their patients.

Improving the security of IT systems for storing and processing medical records reduces the risk of cyber attacks. Laws place protections around patient data and healthcare facilities, establishing security standards to protect medical records.

This article covers laws and safety measures for mHealth software. After reading it, you’ll know how to meet the compliance standards in healthcare around the globe. Plus, you’ll be able to determine whether data protection laws apply to your product.

Laws affecting healthcare startups

Though health app technologies are being deployed fast, the laws are catching up.

HIPAA (US)

The Health Insurance Portability and Accountability Act, abbreviated as HIPAA, is a US law passed in 1996 that sets national standards for protecting individuals’ health data and other identifying data. According to HIPAA, personal or protected health information (or simply PHI) is individually identifiable health, treatment, and payment data transmitted by or maintained in electronic media, or in any other form or medium. Examples of PHI include names, addresses, phone numbers, email addresses, Social Security numbers (SSNs), medical record numbers (MRNs), beneficiary numbers, biometrics, account numbers, certificate/license numbers, and any other unique identifying numbers, codes, or characteristics.

Since its adoption, HIPAA has undergone several major modifications. The latest update was rolled out in 2024 to strengthen reproductive health care privacy.

HIPAA protection applies to anyone wanting to create a health-related application for the US market. The whole point is to ensure the security of users’ medical records.

Not all apps must follow HIPAA regulations. However, large platforms like Google Fit and HealthKit must comply because they allow users to share personal data with their physicians. If you’re developing a calorie counter, though, HIPAA compliance isn’t a must. To find out if your app or business is subject to the HIPAA Administrative Simplification provisions, we suggest you check out HIPAA’s compliance checklist.

There are six steps to make your medical app HIPAA compliant:

  1. Use two-factor authentication to secure user accounts.
  2. Encrypt personal medical data at two points in time: when the data is collected on the device and when it’s transferred to the server.
  3. Add a feature to automatically log off users after a certain period of inactivity.
  4. Incorporate a wipe feature to erase personal data from a device before the data can be stolen and misused.
  5. Ensure regular app testing and updates.
  6. Offer automatic data restoration if a device is lost.

For more details on HIPAA, check out the explanatory video below.

To date, non-compliance penalties are up to $50,000 per violation. In the case of willful negligence, fines can be up to $2 million per violation.

GDPR (EU)

The General Data Protection Regulation (GDPR) was adopted in 2018 to coordinate the flow of data between EU Member States.

All health applications that collect the data of EU residents need to be GDPR compliant. Thus, entrepreneurs must ensure patient data security and privacy in their apps. 

In years past, an app’s features were the key factor motivating a user to choose it. Today, it’s healthcare privacy and security that matter to consumers. The GDPR recognizes this and requires entrepreneurs to develop applications that respect users’ data.

The GDPR applies broadly and wasn’t tailored for mobile apps. That’s why its compliance regulations are more general than those of HIPAA. Under the GDPR, you must:

  1. Educate users about your data collection and handling processes.
  2. Notify users about the reasons for handling their data.
  3. Get prior consent to handle users’ data.
  4. Anonymize gathered records.
  5. Allow users to withdraw their consent to data processing.
  6. Notify users of any breaches.
  7. Give users access to records.
  8. Ensure safe data transfers across borders.
  9. Delete information upon request.

Details about the GDPR are explained in the video below.

Fines for GDPR non-compliance can reach €20 million, or 4% of annual global turnover – whichever is higher.

Since the UK left the EU, the GDPR has been harmonized with the Data Protection Act 2018. Thus, entrepreneurs in the post-Brexit UK are subject to similar regulations.

Most non-EU countries in Europe have laws for information security and privacy in healthcare that are close to the GDPR. For example, Norway and Iceland have both accepted GDPR regulations.

PIPEDA (Canada)

The Personal Information Protection and Electronic Documents Act (PIPEDA) came into effect in Canada in 2000. Under PIPEDA, entrepreneurs are responsible for gathering, processing, and disclosing personal records, including those collected via an app.

PIPEDA defines personal data to include factual or subjective information about an identifiable individual like names, identification numbers, income, ethnic origin, credit records, medical records, loan records, employee files, social status, comments, opinions, and disciplinary actions.

PIPEDA is similar to GDPR and is much broader than HIPAA. To adhere to this law, you must:

  1. Hire a person responsible for PIPEDA compliance.
  2. Specify the reasons for collecting and processing user data.
  3. Notify users about the type of data collected.
  4. Inform users about how this data is processed.
  5. Get user consent for data collection and processing.
  6. Store collected data for a reasonable period.
  7. Delete data when it’s no longer needed.
  8. Protect data.
  9. Provide users with access to their data upon request.

Generally speaking, PIPEDA applies to all businesses that collect, use, or disclose personal information of Canadians. PIPEDA doesn’t apply to all provinces. Some provinces like Alberta, British Columbia, and Quebec adopted their own privacy regulations which are deemed significantly similar to PIPEDA. Provinces including Ontario, Newfoundland, New Brunswick, Nova Scotia, and Labrador have also established their own laws concerning the use of personal information in healthcare.

PIPEDA compliance details are well outlined in the video below.

If entrepreneurs are found to be knowingly in breach of PIPEDA requirements, they can be fined CAD $100,000 per violation.

Healthcare IT security standards in the Asia-Pacific region

The health app market in the Asia-Pacific region is developing rapidly. In China alone, 58% of patients share medical information with doctors from internet-connected devices. By comparison, in the UK and Germany, the figures are 26% and 12% respectively.

Federal personal data protection laws in Asia-Pacific countries are reminiscent of GDPR:

  1. Australia – Privacy Act
  2. India – Digital Information Security in Healthcare Act
  3. South Korea – Personal Information Protection Act
  4. China – Cyber Security Law
  5. Taiwan – Personal Data Protection Act

This data protection heat map represents the stringency of personal information protection regimes across Asia-Pacific countries.

[Image: data protection heat map showing the stringency of personal information protection regimes across Asia-Pacific countries]

Source: hldataprotection.com

Four must-have measures for privacy and security in healthcare

It’s the responsibility of entrepreneurs and developers to work on securing mobile devices in healthcare from hackers. These four steps will help you create secure mobile apps.

Two-factor authentication

If your app has single-factor authentication (username/password), it’s easy to compromise accounts using a hacking script. Two-factor authentication (2FA) increases an app’s security by asking a user for two factors of authentication when logging in.

Here are examples of 2FA:

  • Username/password + SMS code
  • Username/password + code sent via email
  • Username/password + biometric authentication (a fingerprint)
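The first two patterns in the list above (a one-time code delivered by SMS or email) share the same server-side logic: issue a short random code, keep only a keyed hash of it, and accept it once, within a time limit, with a cap on wrong guesses. The block below is an added example of that verifier, not code from the article; it assumes the password factor has already been checked, that delivery of the code happens elsewhere, and it takes an injected `now` timestamp so the flow can be exercised without a real clock. The five-minute lifetime and five-attempt limit are illustrative values.

```python
"""Second-factor one-time-code challenge (SMS/email style) - added example."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_TTL_SECONDS = 300   # illustrative: a code is valid for five minutes
MAX_ATTEMPTS = 5         # illustrative: lock the challenge after this many wrong guesses
CODE_DIGITS = 6


@dataclass
class Challenge:
    """Server-side record of one pending second-factor challenge."""
    user_id: str
    code_hash: bytes          # only a keyed hash of the code is stored, never the code
    salt: bytes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    # HMAC keyed with a per-challenge salt: a stolen table of hashes cannot be
    # turned back into the six-digit codes without the salts.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def issue_challenge(user_id: str, now: Optional[float] = None) -> Tuple[Challenge, str]:
    """Create a fresh code. Returns (record to store, plaintext code for the delivery channel).

    The plaintext code must go only to the SMS/email sender; do not log it.
    """
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
    salt = secrets.token_bytes(16)
    record = Challenge(user_id, _hash_code(code, salt), salt, now + CODE_TTL_SECONDS)
    return record, code


def verify_code(challenge: Challenge, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code: single use, time limited, attempt limited."""
    now = time.time() if now is None else now
    if challenge.consumed or now > challenge.expires_at:
        return False
    if challenge.attempts >= MAX_ATTEMPTS:
        return False
    challenge.attempts += 1
    # Constant-time comparison so timing does not leak how many digits matched.
    ok = hmac.compare_digest(_hash_code(submitted, challenge.salt), challenge.code_hash)
    if ok:
        challenge.consumed = True   # a code works exactly once
    return ok


if __name__ == "__main__":
    record, code = issue_challenge("patient-42", now=1000.0)
    print("send out of band:", code)
    print("verify:", verify_code(record, code, now=1010.0))
    print("replay:", verify_code(record, code, now=1011.0))
```

The attempt counter is incremented before the comparison, so a wrong guess always costs one of the five attempts, and the `consumed` flag means an intercepted code that has already been used is worthless. The same record shape works for email-delivered codes; only the delivery step differs.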

Getting around 2FA in your medical app requires time and resources on a hacker’s part.

SSL Technology

Encryption is a must for an mHealth app since it scrambles a user’s personal data. How does it work? A user’s personal medical information is vulnerable while it is being transmitted between an application and a server. Secure Sockets Layer (SSL) technology encrypts information in transit between an app and a server. Even if a hacker intercepts this encrypted traffic, they won’t be able to read it.
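In practice the job described above is done by TLS, the successor to SSL (the SSL protocol versions themselves are retired), and the encryption only protects the patient if the client also verifies who it is talking to. The block below is an added example, not the article’s code: it builds a client context with the weak settings that still appear in many app back ends (certificate and hostname verification switched off) beside the hardened form, and a small audit function that reports which protections a context lacks. The `fetch` helper needs network access and is only illustrative; the contexts and the audit run offline.

```python
"""TLS client configuration: weak versus hardened, with an audit check - added example."""
import ssl
import urllib.request
from typing import List


def make_hardened_client_context() -> ssl.SSLContext:
    """What an mHealth client should use when talking to its server."""
    # create_default_context() loads the system CA store, requires a valid
    # server certificate and checks the hostname against it.
    ctx = ssl.create_default_context()
    # Refuse legacy protocol versions (SSL 3.0, TLS 1.0/1.1) outright.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to look for in code review: verification disabled.

    Traffic is still encrypted, but any on-path device that presents its own
    certificate is accepted, so the encryption protects nothing.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of protections a context is missing (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions allowed")
    return findings


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Illustrative only (needs network): GET a URL with the hardened context."""
    with urllib.request.urlopen(url, timeout=timeout, context=make_hardened_client_context()) as resp:
        return resp.read()


if __name__ == "__main__":
    print("weak    :", audit_context(make_weak_client_context()))
    print("hardened:", audit_context(make_hardened_client_context()))
```

Running `audit_context` over every context an app constructs is a cheap check to put in a test suite: a regression that disables verification "just for staging" then fails the build instead of shipping to patients.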

Data wiping

Health apps store a great deal of health-related and other sensitive information. On the one hand, they offer convenience. But this convenience comes with vulnerability. A data wiping feature can make sure a user’s data is protected even if their phone is lost or stolen. To implement data wiping, an app can:

  • Log out a user after a certain period of inactivity
  • Keep information in an encrypted form
  • Perform an automatic data wipe after a certain number of unsuccessful login attempts
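The three bullets above, together with HIPAA steps 3 and 4 earlier in the article (automatic log-off after inactivity and a wipe before data can be misused), describe one device-side policy. The block below is an added example of that policy, not the article’s or any vendor’s code. It assumes the app keeps PHI in a local store that is only readable while the session is unlocked; the in-memory `LocalPhiStore` is a constructed stand-in for that encrypted store, the PIN check is a constructed credential, and the 15-minute timeout and 10-attempt limit are illustrative values rather than anything the laws prescribe.

```python
"""Device-side session guard: inactivity log-off and wipe on repeated failures - added example."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

INACTIVITY_TIMEOUT_SECONDS = 15 * 60   # illustrative: auto log-off after 15 idle minutes
MAX_FAILED_UNLOCKS = 10                # illustrative: wipe local PHI after 10 failed unlocks


class LocalPhiStore:
    """Constructed stand-in for the app's encrypted on-device record store."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}
        self.wiped = False

    def put(self, key: str, value: str) -> None:
        self._records[key] = value

    def get(self, key: str) -> Optional[str]:
        return self._records.get(key)

    def wipe(self) -> None:
        """Erase everything; a real store would also destroy the encryption key."""
        self._records.clear()
        self.wiped = True


def make_pin_verifier(pin: str) -> Callable[[str], bool]:
    """Constructed credential check: store a salted PBKDF2 hash, compare in constant time."""
    salt = secrets.token_bytes(16)
    expected = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def verify(candidate: str) -> bool:
        got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
        return hmac.compare_digest(got, expected)

    return verify


class SessionGuard:
    """Gates every read of local PHI behind an unlocked, recently active session."""

    def __init__(self, store: LocalPhiStore, unlock_check: Callable[[str], bool]) -> None:
        self.store = store
        self.unlock_check = unlock_check
        self.unlocked = False
        self.last_activity: Optional[float] = None
        self.failed_unlocks = 0

    def unlock(self, credential: str, now: float) -> bool:
        if self.store.wiped:
            return False                      # nothing left to unlock
        if self.unlock_check(credential):
            self.failed_unlocks = 0
            self.unlocked = True
            self.last_activity = now
            return True
        self.failed_unlocks += 1
        if self.failed_unlocks >= MAX_FAILED_UNLOCKS:
            self.store.wipe()                 # too many guesses: data is gone before it can leak
        return False

    def lock(self) -> None:
        self.unlocked = False

    def touch(self, now: float) -> bool:
        """Record user activity; returns False (and locks) if the session has gone idle."""
        if not self.unlocked or self.last_activity is None:
            return False
        if now - self.last_activity > INACTIVITY_TIMEOUT_SECONDS:
            self.lock()                       # automatic log-off
            return False
        self.last_activity = now
        return True

    def read_record(self, key: str, now: float) -> Optional[str]:
        """The only path to PHI: refused unless the session is unlocked and active."""
        if not self.touch(now):
            return None
        return self.store.get(key)


if __name__ == "__main__":
    store = LocalPhiStore()
    store.put("allergies", "penicillin")   # constructed sample record
    guard = SessionGuard(store, make_pin_verifier("4921"))
    guard.unlock("4921", now=0)
    print(guard.read_record("allergies", now=60))          # penicillin
    print(guard.read_record("allergies", now=60 + 901))    # None: logged off
```

Every read goes through `read_record`, so the inactivity rule cannot be bypassed by a code path that forgets to check it, and the wipe is triggered by the same counter that rejects the failed unlock, so there is no window in which the data is still present after the limit is reached.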

End users don’t want to find their medical information has been compromised. A data wiping feature gives them a sense of greater control over privacy, security, and confidentiality in the healthcare environment.

App testing and updates

At the stage of mHealth app testing, you can identify errors and bugs and determine if functionality works as expected, lowering the risk of intrusion. Among the best testing techniques you can rely on are network security testing, data security testing, and penetration testing.

Even with testing, security loopholes can be discovered after an app enters the market. Once loopholes are detected, updates need to be pushed to users. If exploited, unpatched vulnerabilities can lead to the theft of medical data, which can be used to commit identity theft and fraud.

Must your mHealth app comply with patient privacy laws?

mHealth apps can be divided into those that are subject to patient privacy regulations and those that are not. To know whether you need to strictly comply with the requirements of HIPAA, GDPR, PIPEDA, or other laws, check out the table below.

[Table image: mHealth app categories that are subject to patient privacy regulations and those that are not]

Whether you’re building a health app for hospital use or for individuals looking to be proactive about their own care, you should entrust your app to an expert team with healthcare software development experience. If you have a general idea and need assistance, contact us. Our developers will gladly provide a rough time and cost estimate and guide you through the process of app development for your project.