2

I'm developing a cross-platform, offline-first mHealth application using Ionic 3 and Cordova which may need to be HIPAA-compliant in the near future. It uses PouchDB as a client-side DB, HTTPS, at-rest encryption server-side when server-side functions are necessary. The client runs locally unless data needs to be synchronized with users in a group. Synchro services use the backend web services. We use JWT tokens for sessions. Auth0 services for authentication. But, HIPAA being what it is, ... The thought of having to keep my local DB encrypted makes me cringe. Performance would be hosed. What are the best practices for security in mHealth applications?

juliet
  • 23
  • 3

1 Answer

1

It's going to depend on the details of your specific situation, but I believe encryption on the client may be required in your instance. The following sample questions are posed by the HHS Technical Safeguards document:

  • Which EPHI should be encrypted and decrypted to prevent access by persons or software programs that have not been granted access rights?
  • What encryption and decryption mechanisms are reasonable and appropriate to implement to prevent access to EPHI by persons or software programs that have not been granted access rights?

The second question in particular is the sticky point. If you have no way of locking down the access to the folder where the device stores the ePHI, you will need to encrypt the data. I'm not the most familiar with some of the legal nuance as to what constitutes sufficient access control for software in this situation (i.e. maybe program B can't access the folder under regular conditions, but what if the device gets rooted?), so you're better off erring on the side of caution.

Dan Landberg
  • 3,312
  • 12
  • 17
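
Added example, not part of either post: one way to act on the "which EPHI should be encrypted" question is to encrypt only the fields designated as ePHI before a document is written to the local database, leaving `_id` and index fields in clear. It assumes Web Crypto is available in the WebView; the field list, document shape, passphrase-derived key and iteration count are hypothetical choices.

```javascript
// Added example: field-level encryption of a local record with Web Crypto.
const wc = globalThis.crypto || require("crypto").webcrypto; // WebView or Node
const enc = new TextEncoder(), dec = new TextDecoder();
const PHI_FIELDS = ["name", "diagnosis"]; // hypothetical list of ePHI fields
const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive an AES-256-GCM key from a passphrase; store the salt, never the key.
async function deriveKey(passphrase, salt) {
  const base = await wc.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 600000, hash: "SHA-256" }, // assumed count
    base, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Replace the ePHI fields with one AES-GCM blob; other fields stay queryable.
async function sealDoc(doc, key) {
  const clear = {}, secret = {};
  for (const [k, v] of Object.entries(doc)) {
    if (PHI_FIELDS.includes(k)) secret[k] = v; else clear[k] = v;
  }
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce on every write
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(doc._id) }, // bind to _id
    key, enc.encode(JSON.stringify(secret)));
  return { ...clear, phi: { iv: toB64(iv), ct: toB64(ct) } };
}

// Reverse of sealDoc; rejects if the blob was altered or copied to another _id.
async function openDoc(stored, key) {
  const { phi, ...clear } = stored;
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: fromB64(phi.iv), additionalData: enc.encode(stored._id) },
    key, fromB64(phi.ct));
  return { ...clear, ...JSON.parse(dec.decode(pt)) };
}

// Constructed sample record; returns the stored form, the round trip, and a tamper check.
async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const key = await deriveKey("correct horse battery staple", salt);
  const doc = { _id: "visit:001", type: "visit", name: "Jane Doe", diagnosis: "asthma" };
  const stored = await sealDoc(doc, key);
  const opened = await openDoc(stored, key);
  const moved = await openDoc({ ...stored, _id: "visit:002" }, key)
    .then(() => "accepted", () => "rejected");
  return { stored, opened, moved };
}
```

The object returned by `sealDoc` is what would be handed to the local database; the derived key is non-extractable and lives only in memory for the session.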