
How do we make an iPhone app HIPAA compliant? Our website is HIPAA compliant since we use encryption at rest, we use SSL, and other security provisions.

Will using an SSL connection give us the advantage? Also, I believe that the iPhone provides encryption regardless of whether a phone is protected or not?

Andrei Botalov
ariel

2 Answers


I can't give you the full answer, but the short version that the lawyer at my previous hospital gave me was:

SSL will protect the data that is being transferred; however, anything that is cached to the SD card/hard drive is not encrypted...

So, when looking at this application, you will also have to encrypt what is stored on the phone by the app. If you have ever plugged an iPhone into your computer (or a friend's), you have access to the full set of storage (including the OS), which means anything cached is available if the phone is lost.

I would look carefully at encrypting at least any PKI, PHI or PII that your program provides to the device.

The problem is that even if the program doesn't store data, the web interface can cache data going to and from the device. This is the part that could cause you problems.

powelljf3
  • Hey, that's the thing. We are not storing any info on the app. The app will pull data from the website but will never store anything. After authentication it will display data from the database. For our servers, we do use encryption at rest, so even if the data is not being shown it is encrypted with 256-bit security. – ariel May 03 '12 at 22:38
  • The problem is that even if the program doesn't store data, the web interface can cache data going to and from the device. This is the part that could cause you problems. – powelljf3 May 04 '12 at 00:01
  • Hmmm. But if we use an SSL connection for data going to and from the device, then it's encrypted, thus making it a secure app? – ariel May 04 '12 at 00:03
  • SSL is only the transfer, what the app uses on the device is not encrypted just because what is transferred is. If the app uses no cache and you use SSL, you could be safe, the simple fact is that almost all apps cache data prior to transmitting it. Therefore, you would have unencrypted data on your device. – powelljf3 May 04 '12 at 01:15
  • OK, that makes sense. I will need to engage a security consultant to see how this can work. Thanks man. – ariel May 04 '12 at 03:22
  • If he writes an app that is pulling from, say... an HTTP-based API, that should not end up in the webpage cache. – StrangeWill May 04 '12 at 15:46
  • Have you ever turned the cache off on your browser, gone to an SSL (HTTPS) site and watched your disk access? There is the need for temp files to decrypt the data. I'm not saying it would be impossible, but I would not want the fine if a phone vanished and was found to have data on it. My suggestion would be to do what I did: talk to the lawyer, verify the card after running the app, repeat until everyone feels safe. – powelljf3 May 04 '12 at 16:25
  • @powelljf3 What if the data is only text data entered by patients, but not actual medical documents, for example a note-taking app kind of thing? Please let me know. Thanks! – ariel May 06 '12 at 21:07
  • And also what if we don't retrieve info but simply post info to servers using the app? – ariel May 07 '12 at 01:45
  • Ah, if the patient begins the use, it can be looked at as consent; however, even text data is queued up to be sent, so there is the chance of data on the card. Even posting data would require that the data be encrypted, which could lead to caching, which is back to data on the device. Once again, something you should take up with a lawyer and the person writing the app... There is always a grey area, and a black and white; it is up to those who deal with it on a daily basis to figure out where your program falls. – powelljf3 May 07 '12 at 03:19

The only answer is to be fully compliant with HIPAA law and only let individuals who are permitted to use protected patient data have access to it in a secure and audited manner. At the very least read http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Listing a couple of technologies (SSL; disk encryption) in use does not make you HIPAA compliant. Make sure you are not unintentionally sharing data with any third parties (e.g., hosting on a cloud platform) that you do not have signed business associate agreements (BAAs) with. Do not store protected data on unencrypted phones. Make sure your app isn't subject to basic SQL injection/privilege escalation type attacks, monitor user activity for strange behavior, report disclosures, etc.

dr jimbob
  • Hey, sorry for the mistake on my part in not clarifying, but when I mentioned "other security provisions", we are doing all of the above, like preventing SQL injections, network monitoring, etc. The website is not the problem; it's the mobile iPhone app that is the issue here. – ariel May 03 '12 at 21:10