Ken Blackwell / December 9, 2021

Mobile Health Apps Need a Security Check-Up

Personal health data is extremely attractive to hackers because of the value of a real, full medical record to bad actors.

The age of mask and vaccine mandates has sparked important conversations about what employers, businesses and our government can ask about our personal health decisions. These discussions often reveal widespread misconceptions about who is responsible for keeping that information confidential and secure. Clarity on this issue is of utmost importance for consumers, especially with the rise of smartphone apps hungry for health data.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 created national standards for protecting individuals’ health information. Many people assume the law applies to any entity that might request or handle health information. In fact, the law only requires “covered entities” to protect patient privacy and security while they share information to provide high-quality care. Covered entities include health care providers, insurers, healthcare clearinghouses and “business associates” such as electronic health record developers and other organizations that serve covered entities.

Health data that would be HIPAA-protected in the hands of healthcare companies can be used for any purpose, without federal privacy and security protections, when it is collected by big tech companies. Understanding this distinction is critical for privacy-conscious consumers amid the growing trend of health-related apps.

The risk to consumers is real. On two separate occasions this year alone, the cybersecurity company Approov has reported on major security vulnerabilities affecting dozens of apps with millions of users. In February, Approov tested 30 mobile health apps covering 23 million users and found all of them to be vulnerable to hacking. In October, Approov was able to access more than 4 million patient and clinician records through the vulnerabilities.

Health records can fetch prices 1,000 times higher than a Social Security number and 200 times higher than a credit card number, according to Experian. A hacked medical record can be worth as much as a stolen passport on the dark web.

Even if it’s not stolen by hackers, health data that is not protected by HIPAA can be used and sold in ways patients never intended. We may be comfortable giving fitness trackers and other apps access to our personal data to alert us to health risks, remind us to take our medication, or even share important information with loved ones. But do we want Big Tech companies using that data to sell us advertising based on our private medical conditions or decisions or profile us for potential future employers, life insurers, or lenders?

It’s past time to close the “covered entity” loophole, especially since new regulations issued by the U.S. Department of Health and Human Services mandate that health care organizations share health data with app companies and big tech if they say they’re acting on a patient’s behalf. When health information moves from their electronic health record to a Big Tech firm, patients should be informed that their data is transferring from an entity that is required to protect their data and use it only for certain purposes to a company that is not. Burying a disclaimer and broad data use rights in dense terms and conditions shouldn’t count.

Better yet, the legislative and regulatory landscape needs to catch up with the technological advances in the 25 years since HIPAA became law. The Federal Trade Commission already views apps that handle health data as healthcare companies. In November the FTC told app makers to comply with the Health Breach Notification Rule governing how and when healthcare companies must alert consumers to a data breach.

The rest of the regulatory landscape should follow the FTC’s lead and Congress should update HIPAA for the mobile app age. Health apps that access and function as digital health records should be treated as such, and they should be required to protect users’ privacy and secure their data to the same standard as providers, insurers, and other healthcare companies.
