Lawmakers on Wednesday pressed leaders from the Veterans Affairs Department on how the agency reviews apps for inclusion in the VA App Store, its marketplace of nearly 50 smartphone apps designed to help veterans manage their healthcare.
While VA leaders said it inspects apps and developers promoted on its store, lawmakers questioned whether the agency has gone far enough to protect patient data.
"We expect the VA to assess the value of that technology or the benefit of that app, and determine that the benefit to veterans outweighs the data security and privacy risk," Rep. Susie Lee (D-Nev.) said during a House Veterans' Affairs Committee's Technology Modernization Subcommittee hearing.
Paul Cunningham, chief information security officer and chief privacy officer at the VA's office of information and technology, said the agency review includes assessing the "intent" of the developer.
"If they're selling that information, obviously, we would not endorse that," he said. "We do want veterans to look at those applications and know that VA is supporting those applications."
He added that the level of privacy protection that the VA looks for in apps might vary based on the type of data they use, with the department reviewing apps that use VA protected health information particularly closely. Before an app links up to an application programming interface from the VA—the technology that connects the agency's IT systems with the app—the agency will require that the developer agree to "meet the same standards that we have."
That includes signing the agency's acceptable use agreement, which outlines details like committing not to sell patient data.
Lawmakers also raised concerns over what data the apps request from patients directly—not just the information ingested from the VA.
Subcommittee members reviewed the VA App Store and found "many (apps) require significant elevated permissions and access to a user's data or device," such as requesting access to contacts, calendars, photos and other files held on a patient's smartphone, according to Lee.
Rep. Phil Roe (R-Tenn.) called out an app called PTSD Coach, a program designed to provide information and support for veterans with post-traumatic stress disorder, which he said requests permission to access multiple areas of a user's phone, including their contacts and microphone.
"I find that very disturbing," Roe said. "You might inadvertently hit that."
Health systems nationwide are embroiled in a similar conversation about patient privacy, as the HHS' Office of the National Coordinator for Health Information Technology moves toward finalizing a rule that would allow patients to download their own health data from providers using third-party apps.
Provider groups have repeatedly expressed concern over the proposed rule, noting that app developers aren't held to the same privacy standards—such as HIPAA—as providers and insurers. They say that could put patients' data at greater risk of being breached, or even open the door for apps to use data in ways patients aren't aware of, such as using it to target advertisements.
Cunningham said the VA has to make "risk-based" decisions, balancing the value that services included in the VA App Store can offer veterans with concerns over security and privacy. He said developers that offer apps on the store are trusted third-parties, but there's always some degree of risk.
"If zero tolerance is what we're going for, we're going to miss out on a lot of opportunity that technology brings," he said.
The VA's technology projects have been in the hot seat in recent weeks. Earlier this week the VA delayed plans to begin end-user training for its new electronic health record system, which could push back the agency's overall schedule for beginning the EHR implementation. The agency was slated to bring its first site live on a new Cerner Corp. EHR in March.
