While these third-party apps facilitate health information sharing, once the health data is transmitted from the EHR platform to the third-party app, the data is no longer subject to HIPAA health data security standards. The Federal Trade Commission (FTC) recently noted that the apps are required to notify users about breaches affecting their data, but no HIPAA privacy or security requirements are imposed on them.
According to John Moehrke, an interoperability expert and member of the FHIR management group, “She didn’t need to use advanced cybersecurity hacking. She just used basic stuff that your freshman year of cybersecurity would have stressed.”
The report recommended that regulators:
- Ensure the Information Blocking Rules allow service providers and EHR vendors to assess the security of the apps and APIs of the aggregators and application developers who connect to their APIs, through regular penetration testing and review of their security controls.
- Clarify that the Security Exception to the Information Blocking Rule allows EHR vendors to require that specific controls be implemented by any system that connects to their APIs.
- Reinforce the security guidelines, specifically with requirements around tokens and scopes (which are currently only recommendations), to ensure that all organizations that transmit, process, and store EHR data properly secure their implementation of FHIR.
- Mandate that certificate pinning be implemented on all SMART on FHIR mobile apps.
- Mandate that shielding solutions be deployed so that only legitimate applications and users can communicate with APIs, preventing EHR data leakage via synthetic traffic generated by tools, scripts and bots.
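As an added illustration of the token-and-scope enforcement the report wants made mandatory, the following is example code written for this article, not code from the report or from any EHR vendor or FHIR server. It assumes the resource server has already verified the bearer token's signature and that the token carries SMART App Launch style `scope`, `patient` and `exp` claims; the sample tokens in the test are constructed.

```python
"""Added example (not from the report or any FHIR vendor): a resource server
enforcing SMART on FHIR v1 scopes and patient launch context on each request,
so an app's token only reaches the records its scopes and context cover."""
import re
import time

# SMART v1 scope grammar: (patient|user)/(ResourceType|*).(read|write|*)
_SCOPE_RE = re.compile(r"^(patient|user)/([A-Za-z]+|\*)\.(read|write|\*)$")
# FHIR REST methods mapped onto the two SMART v1 permission verbs.
_METHOD_TO_VERB = {"GET": "read", "POST": "write", "PUT": "write", "DELETE": "write"}

def parse_scopes(scope_string):
    """Return (context, resource_type, verb) tuples; malformed scopes are dropped, not guessed."""
    return [m.groups() for m in map(_SCOPE_RE.match, scope_string.split()) if m]

def scope_covers(scope, resource_type, verb):
    """True if the scope's resource and verb (either may be '*') cover the request."""
    _, res, perm = scope
    return res in ("*", resource_type) and perm in ("*", verb)

def authorize(claims, method, resource_type, patient_id, now=None):
    """Decide whether an already signature-verified token (claims as a dict) may
    perform `method` on `resource_type` for `patient_id`. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    verb = _METHOD_TO_VERB.get(method)
    if verb is None:
        return False, "unsupported method"
    reason = "no scope grants this access"
    for scope in parse_scopes(claims.get("scope", "")):
        if not scope_covers(scope, resource_type, verb):
            continue
        if scope[0] == "user":
            return True, "allowed by user scope"
        # patient/ scopes are bound to the launch-context patient ("patient" claim);
        # the token must not reach another patient's record just because type and verb match.
        if claims.get("patient") == patient_id:
            return True, "allowed by patient scope"
        reason = "patient scope does not cover requested patient"
    return False, reason

if __name__ == "__main__":
    # Constructed sample token claims for a patient-facing app.
    claims = {"scope": "patient/Observation.read patient/Patient.read",
              "patient": "p-123", "exp": 2_000_000_000}
    print(authorize(claims, "GET", "Observation", "p-123", now=1_700_000_000))
    print(authorize(claims, "GET", "Observation", "p-999", now=1_700_000_000))
    print(authorize(claims, "POST", "Observation", "p-123", now=1_700_000_000))
```

The decisive check is the patient-context binding: a token whose scopes name the right resource type is still refused when the requested patient differs from the one the app was launched for.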
Using Secure Health Data Apps
While health data apps used by patients are not required to be HIPAA compliant, there are many apps that provide adequate security protections to prevent breaches. HIPAA compliant health data apps implement encryption, multifactor authentication, access controls, and audit controls to facilitate health data security. To ensure he