HIPAA Compliance for Mobile Apps
With lots of mobile apps handling or processing PHI (Personal Health Information), the HIPAA (Health Insurance Portability and Accountability Act) compliance is becoming a mandate for such apps. This article brings clarity informing what all points should be considered to make the android or ios mobile application compatible to HIPAA standards.
Making the mobile app HIPAA compliant is a highly misconstrued matter.
HIPAA has 3 different safeguard principals. The technical safeguard principal applies to the mobile applications’ security aspects. Following parameters are to be taken into consideration.
1. Data At Rest security – When a mobile app is handling or processing PHI, it is important to check whether or not the information is being stored on the mobile device. If that’s the case, then it is important to ensure that the information is stored securely. This boils down to encrypting the data, and using the adequate level of encryption. Data at rest security is very important in HIPAA compliance because most of the attacks tend to emerge from it. There are different ways to store and encrypt the information being stored on the device, especially for Android and iOS platforms. Furthermore using mobile software development frameworks complicates the matter to secure the data at rest.
2. Data In Transit Security – In almost all cases the mobile app makes calls to the backend server, in order to fetch or store data. This backend can either be a hosted server , or a cloud based service. While being connected to the backend services, the mobile app is supposed to ensure data channel security. Typically HTTP is used for this, but new generation of apps are encouraged to consider additional encryption on top of the existing SSL/TLS channel. Similar to Data at rest encryption, even in this case the level of encryption is very important to be checked.
3. Data At Still Security – Its very important to understand that the data is always stored and available on the mobile device, even if the application is not running. Checking security of the data in such state is also important for android and ios applications .
4. Secure coding practices – While a vulnerability assessment and penetration testing of mobile app is imperative for ensuring security, it is recommended to perform a detailed security review of the code. Bugs and vulnerabilities in a code are the starting point most attackers use to break into an application. They will try to reverse engineer your code and tamper with it, and all they need is a public copy of your app for it.
5. Permissions Checking – Unlike browser based applications, the mobile apps ask for and use certain permissions. These permissions boil down to what personal information is fetched and processed and stored. This includes but not limited to the camera, GPS location, sound, files residing on the device etc.
6. Tamper detection – Many mobile apps (especially Android platform) are found to be susceptible to devices which are not in a secure state, even prior to installing and running of your application. In technical world, its called as rooting a phone or jailbreaking a phone. Thus the responsibility lies on mobile app developer to ensure that their app detects such a malicious stage of the phone device before the app gets installed and runs.
There are multiple technical tests that need to be performed to achieve each of the items mentioned above. A VAPT test of the mobile app is recommended along with the above items, to get it HIPAA compliant. Since there are multiple vulnerabilities, attack patterns and platform changes (android and iOS) happening every day, it is recommended to make such a compliance check a periodic activity.
More Relevant Links Below