Skip to main content
Subscribe
  • Login
  • My Account
  • Logout
  • Register For Free
  • Subscribe
  • News
    • Current News
    • Providers
    • Insurance
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Digital Health
    • Transformation
    • ESG
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Blogs
    • AI
    • Deals
    • Layoff Tracker
    • HLTH 2024
    • Sponsored Content: Vital Signs Blog
  • Opinion
    • Letters
    • From the Editor
  • Events & Awards
    • Awards
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • 40 Under 40
    • Best Places to Work in Healthcare
    • Healthcare Marketing Impact Awards
    • Innovators Awards
    • Diversity Leaders
    • Leading Women
    • Best in Business Awards
    • The 2030 Playbook Conference
    • Innovations in Patient Experience
    • Leading Women Conference & Awards Luncheon
    • Leadership Summit
    • Workforce Summit
    • Best Places to Work Awards Gala
    • Diversity Leaders Gala
    • - Looking Ahead to 2025
    • - Financial Growth
    • - Hospital of the Future
    • - Value Based Care
    • - Looking Ahead to 2026
  • Multimedia
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Sponsored Video Series - One on One
    • Sponsored Video Series - Checking In with Dan Peres
  • Data & Insights
    • Data & Insights Home
    • Hospital Financials
    • Staffing & Compensation
    • Quality & Safety
    • Mergers & Acquisitions
    • Skilled Nursing Facilities
    • Data Archive
    • Resource Guide: By the Numbers
    • Surveys
    • Data Points
  • Newsletters
  • MORE+
    • Contact Us
    • Advertise
    • Media Kit
    • Jobs
    • People on the Move
    • Reprints & Licensing
    • Sponsored Content
MENU
Breadcrumb
  1. Home
  2. Technology
March 31, 2018 12:00 AM

Putting patient data on phones introduces new privacy and security concerns

Rachel Z. Arndt
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print
    Getty Images/Topic Images

    The recent push from both Apple and the CMS to give patients more control of their own health data stands to boost patient engagement, which most in the industry consider a good thing. But moving data outside of the relatively safe confines of an electronic health record adds another layer of risk and vulnerability.

    As more parties gain access to the data, more avenues for breaches open up, potentially jeopardizing not just information security but also patient privacy. Bad actors can now target not only EHR systems but also patients' phones, where health data reside.

    Those pools of data will only grow larger. Last week, Apple officially launched the next iteration of its Health app, which allows people to pull their electronic health record data onto their iPhones. Thirty-nine health systems have partnered with the tech giant to make their patients' data available. "When you have this data on your phone, you have risks that would traditionally not have existed," said Daniel Farris, chair of the technology practice at Fox Rothschild.

    Even Facebook's Mark Zuckerberg can attest that no organization is immune from public—and potentially political—backlash when sensitive consumer data is compromised. Many argue that Facebook's problems with Cambridge Analytica and access to user data should serve as a wake-up call to technology executives who have been entrusted to protect consumer information.

    Allowing patients to put data on their phones isn't just a matter of flipping a switch and then walking away. It's first and foremost the patient's responsibility to keep the data secure and private. Health systems and vendors alike are encouraging patients to understand the risks and take precautions. "The patient who downloads this information absolutely must secure their device to protect their own records," said John Kravitz, chief information officer at Danville, Pa.-based Geisinger, one of the first health systems to link its records with Apple's Health app.

    But getting the data onto those phones requires security safeguards on the part of the health system and EHR vendor too. Because of those safeguards, the actual movement of the data shouldn't pose too great a security risk, argued Steve Dunkel, chief information security officer at Geisinger.

    Just as a patient has to go through authentication to access a patient portal on their phone, they do the same when granting the Health app access to their records. The app then makes a secure connection and receives the data via the FHIR standard.

    While security can be built directly into the app, some encouraged using security controls already available on phones. "Patients have requirements for strong passwords, and we can make them more secure by using newer features like Touch ID on the patient's mobile phone," said Janet Campbell, vice president of patient engagement for Epic Systems Corp.

    This drive to get patient data into patients' hands comes not only from companies and health systems but also from the federal government. Jared Kushner, senior adviser to President Donald Trump, and CMS Administrator Seema Verma want to increase interoperability and give patients more control of their own data, they announced at the Healthcare Information and Management Systems Society's annual meeting in March.

    But the federal government's new zeal for data mobility should be accompanied by a push for security standards, said John Riggi, an FBI veteran who's now senior adviser for cybersecurity and risk at the American Hospital Association. "The issue surrounding apps in particular is that (the Office of the National Coordinator for Health Information Technology) has not promulgated specific security standards," he said.

    While some apps, like those made by EHR vendors, abide by HIPAA security and privacy rules by law, once data are on a patient's phone, the patient might unwittingly share them with an app that doesn't have such stringent security and privacy controls. "There should be a measured approach in collaboration with HHS and the ONC and the providers to ensure whatever platform a patient uses to access the EHR has been fully vetted and complies with all HIPAA privacy and security rules," Riggi said.

    There's also the threat of malicious apps, which might be able to extract patient health information. Malware of this sort already exists to steal financial and other data, and benevolent apps already share information with advertisers.

    "This is not as much a concern when you're dealing with a large, trusted organization such as Apple," Riggi said. Apple requires patients to authenticate the data transfer by logging into their health systems' EHR patient portals. Data then travel straight from the portal into the app, never passing through Apple servers.

    Patients can bear some of the responsibility, primarily by ensuring the app is from a trusted vendor. Indeed, information technologists stress the need for education.

    "We enthusiastically support the consumer's right to access a copy of their data and to decide how it should be used," said Don Bisbee, senior vice president of clinical and business strategy for Cerner. "But continued education is needed around the potential risks associated with choosing to expose sensitive health data to broader groups than the covered entities where HIPAA protections apply."

    Riggi compared the need for security in healthcare apps to the need for security in financial apps. But financial apps, he pointed out, are entirely controlled by the financial institutions they're related to, whereas health apps aren't necessarily controlled by health systems. "There should be a measured approach with collaboration between HHS and ONC and the providers to ensure whatever platform a patient uses to access the EHR has been fully vetted and complies with all HIPAA privacy and security rules," Riggi said.

    The type of data contained in the Health app (and others) complicates how HIPAA would apply, though. The Health app won't just hold protected health information from EHRs. It'll also hold patient-generated data from wearables and other sources—data that aren't considered protected health information but could, in theory, be turned into it.

    "The same set of data may be subject to HIPAA or not depending on where it is or who accessed it, and that could create drastically different privacy and security requirements," Farris said.

    For example, if a person has data from a wearable on their phone and only that person has accessed the data, then the data aren't considered protected health information. But as soon as that person shares the data with a provider, intending it to be used for healthcare purposes, the data become protected. If that data were breached somehow, it would be considered a HIPAA violation. That, in turn, raises the question of who would be responsible for such a breach. "If there's a failure of security at the phone level, maybe Apple is liable," Farris said. "If there's a failure at the app level, it might be the app maker, and if there's insecure transmission, it might be the EHR vendor."

    For instance, if a patient downloads their information to the Health app and then posts it on Twitter, that's not a violation of HIPAA. But if that patient inadvertently lets a third-party app access their information, who's responsible? Even though the data may still be secure, they're no longer private—and that's concerning, Farris said.

    "You can't have privacy without security, but you can have security without privacy," he added.

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    IU Health Methodist
    IU Health patient data compromised in cyberattack
    U.S. Food and Drug Administration (FDA)
    Upcoming FDA draft on pulse oximetry's racial bias draws questions
    Most Popular
    1
    UnitedHealth Group to cut Medicare drug plan commissions
    2
    Best Places to Work in Healthcare - 2025 (alphabetical list)
    3
    GE HealthCare debuts new MRI for cardiac and oncology imaging
    4
    Here are new state healthcare laws taking effect in 2025
    5
    Investors welcome a maturing digital health market
    Sponsored Content
    Digital Health Intelligence Newsletter: Sign up to receive a twice-weekly (T, F) morning newsletter featuring the latest reporting on technologies, trends, players and money fueling the rapid changes in how healthcare is developed, paid for and delivered.
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Help Center
    • Advertise with Us
    • Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2025. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • Providers
      • Insurance
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Digital Health
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • ESG
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Blogs
      • AI
      • Deals
      • Layoff Tracker
      • HLTH 2024
      • Sponsored Content: Vital Signs Blog
    • Opinion
      • Letters
      • From the Editor
    • Events & Awards
      • Awards
        • Nominate/Eligibility
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • 40 Under 40
        • Best Places to Work in Healthcare
        • Healthcare Marketing Impact Awards
        • Innovators Awards
        • Diversity Leaders
        • Leading Women
        • Best in Business Awards
      • Conferences
        • The 2030 Playbook Conference
        • Innovations in Patient Experience
        • Leading Women Conference & Awards Luncheon
        • Leadership Summit
        • Workforce Summit
      • Galas
        • Best Places to Work Awards Gala
        • Diversity Leaders Gala
      • Virtual Briefings
        • - Looking Ahead to 2025
        • - Financial Growth
        • - Hospital of the Future
        • - Value Based Care
        • - Looking Ahead to 2026
      • Webinars
    • Multimedia
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Sponsored Video Series - One on One
      • Sponsored Video Series - Checking In with Dan Peres
    • Data & Insights
      • Data & Insights Home
      • Hospital Financials
      • Staffing & Compensation
      • Quality & Safety
      • Mergers & Acquisitions
      • Skilled Nursing Facilities
      • Data Archive
      • Resource Guide: By the Numbers
      • Surveys
      • Data Points
    • Newsletters
    • MORE+
      • Contact Us
      • Advertise
      • Media Kit
      • Jobs
      • People on the Move
      • Reprints & Licensing
      • Sponsored Content