Even before the COVID-19 pandemic began, third-party apps that collect health data were gaining popularity and concerns surrounding privacy were debated in the healthcare industry. The Health Insurance Portability and Accountability Act (HIPAA) only protects a specific subset of protected health information (PHI) and the law applies only to traditional healthcare covered entities (CEs) and their business associates. What’s happening now, experts agree poses a major problem for U.S. healthcare.
According to a 2019 study published in the National Library of Medicine (NLM), 79 percent of healthcare apps resell or share data, and there is no regulation requiring patient approval of this downstream use. According to an October 2021 article from The Verge on a report that was sponsored by Approov, an app security company, cybersecurity analyst Alissa Knight investigated vulnerabilities in apps built using the Fast Healthcare Interoperability Resources (FHIR) standard. “She started by checking apps built within the electronic health records themselves and didn’t find weaknesses,” the article says. “But when she tested third-party programs that link up with health records to pull out data, she found major problems. Knight was able to access over 4 million patient and clinician records from over 25,000 providers through those holes.”
A blog on the whitepaper from HL7, the standards body in charge of FHIR development, gives an explanation that the issue is not the HL7 FHIR standard itself. The blog states that “The white paper’s eye-catching title, ‘Playing with FHIR: Hacking and Securing FHIR APIs,’ has led some casual readers to infer that FHIR and FHIR APIs are being faulted. With considerable diligence, the author painstakingly makes clear in the opening paragraphs and throughout that no vulnerabilities were found in the HL7 FHIR standard itself nor were any found in FHIR-based APIs from the EHRs that she tested.”
Further, “Instead, the author explains that the vulnerabilities lie with the implementation of apps and by third-party FHIR aggregators. Recognizing that the title of the paper was being misinterpreted, she has since changed it to ‘Playing with FHIR: Hacking and Securing FHIR API Implementations.’”
More apps, more problems
Mac McMillan, CEO of the Austin, Texas-based CynergisTek cybersecurity consulting firm, gave a 40,000-foot view of the reality healthcare organizations are facing today regarding the complex situation these third-party apps and healthcare data have introduced.
“When you think about a third-party app or something that's external that is collecting data on an individual and communicating to the back end, you have the security of the app itself and how well that's coded and what security features the app has, or doesn't have; in fact, oftentimes many are not built with security at all,” McMillan says. “You have the communication path between this app and whatever it's touching on the back end, meaning that data doesn't just magically go from here to here. It has to go through some pathway. Whether that's wirelessly or Bluetooth, it connects to a network and passes data back and forth. And then you have the data itself and the risk to the back end.”
McMillan adds that “A lot of times the people that are architecting, or designing, these third-party apps are not thinking about all of that. The reason they are not is because that's not their focus. Their focus is on the operation of the app itself. In other words, what they're building it to do for you, whether it's to monitor your heart or check your blood pressure, they're focusing on that, and not so much on the protocol between the app and the network or the protocol for transferring or transmitting the data.”
Angela Rivera, associate principal and market lead and cybersecurity advisor at The Chartis Group, Chicago-based consulting firm, says that third-party apps are being heavily targeted by bad actors. “It’s more effective for these bad actors to go after the third parties, such as software vendors or billing vendors, because they have access to many clients and their impact is much broader,” she says. “They [the bad actors] can target those entities, versus going after one hospital at a time. That's why healthcare organizations should really focus on their third-party security because they may be watching ‘their house’ very effectively but now these sophisticated attacks are attacking third parties directly to have that broader impact and hit a lot more entities at once.”
Pleas for regulation
It's clear that there needs to be regulation for third-party apps and the security of patient health information. On March 24, 2022, the Confidentiality Coalition and the Workgroup for Electronic Data Interchange (WEDI), sent a letter to the Secretary of the Department of Commerce and the Secretary of the Department of Health and Human Services discussing the challenges with apps not covered under HIPAA. The letter also suggests recommendations for improving the current environment. Suggestions include releasing additional guidance on the types of third-party app security and privacy verification that will be permitted and allow CEs to review a third-party app on an appropriate level before permitting it to connect to their APIs, require entities that are not HIPAA CEs or business associate to clearly layout their purposes for collecting identifiable health information, and working with the private sector in the development of a privacy and security accreditation or certification framework for third-party apps pursuing connections to APIs of certified health IT.
Washington, D.C.-based Executives for Health Innovation (EHI)—a group that conducts, research, education, and advocacy activities to support the transformation of healthcare—on March 24, 2022, announced that BBB National Programs was selected to run a new program focused on a self-regulatory program to govern compliance with new consumer health data-use standards. For two years, EHI and the Center for Democracy & Technology (CDT) worked together to develop a Consumer Privacy Framework for Health Data that more than 60 organizations from the healthcare industry participated in. The final Framework privacy standards were released in February of last year. The work was funded by the Robert Wood Johnson Foundation.
Rivera says that she’s pleased to see that the government is starting to pay more attention to cybersecurity. “But there’s a lot of other healthcare applications that are coming out every single day on the innovation track,” she adds. “And there's nothing forcing them to build security into their application yet. I would definitely say [that] needs to start happening. I don't know if it's realistic that that will happen, but what organizations can do and should be doing now is really making sure that they're focused on assessing all of these organizations.”
As for what an assessment should entail, Rivera comments that “It could be anywhere from their own policies and procedures to their awareness within their organization. Do they even take cybersecurity seriously within their own organization? How do they manage access control in their own network security and their own endpoint protection? Email protection? How often are they doing vulnerability testing and patching? What's their incident response plan? And are they exercising and practicing it? Just like we do within our healthcare environment, we should be holding our service providers or third-party vendors accountable to be doing that as well. And that if they are mature in those areas, then we know it brings less risk into the organization. It doesn't mean they're not going to be attacked but at least it will minimize the risks—if we know that their backups are appropriate and their incident response processes are sufficient, we can recover more quickly.”
McMillan’s advice is that organizations really must understand where the data is going. “Put protection around the data as opposed to the device,” he asserts. “The device has to have the functionality. The app has to have the functionality. But I need to put the protection wherever the data lives. Typically, it's not with the consumer, as that’s just where it's coming in then it's going somewhere.”
