Preserving Security and Privacy of Healthcare Data in App Development 

Vahan Zakaryan
3 Jun 2022
5 min

There is a term in cybersecurity called a “zero-day exploit”: an attack that takes place before an organization has detected a flaw in its software, so that the vulnerability is discovered only after hackers have already exploited it. Zero-day exploits reached an all-time high last year, especially within solutions developed by Apple, Microsoft, and Google. With health data being highly valuable to hackers and healthcare institutions adopting digital solutions, this becomes a serious issue.

One of the ways health organizations and digital health vendors can address this challenge is by buying (or building) secure health software and implementing cybersecurity training throughout their organizations. In fact, everyone who builds apps that deal with medical information is required to do so. In the United States, the regulation that governs healthcare data protection is the Health Insurance Portability and Accountability Act (HIPAA).

In this article, we’ll talk about HIPAA and the regulations that protect sensitive information in other countries, and review a few of Postindustria’s cases of building HIPAA-compliant products.

The Importance of Meeting Sensitive Data Protection Standards

First, let’s look at the different laws that exist to protect patient data globally.

In the European Union, patient data are protected by the General Data Protection Regulation (GDPR) and its requirements for the protection of data concerning health. 26 European countries comply with GDPR, and if businesses want to work with customers from Europe (and ask for their data), they should, too. Many European countries also have their own legislation specifically for medical data: Germany has its Patient Data Protection Act (PDPA) and Spain has the Spanish Data Protection Act (SDPA).

The Asia-Pacific region has the Cross-Border Privacy Rules (CBPR): Japan, People’s Republic of Korea, and Singapore, along with Canada and the United States, and another 16 countries agreed to comply with them to make international trade simpler and more secure.

In the USA, the Health Insurance Portability and Accountability Act (HIPAA) protects the security, integrity, and privacy of patients’ data, known as protected health information (PHI). CBPR and GDPR are broad regulations that, apart from health data, also protect consumer and user data in other industries. HIPAA, on the other hand, is more like SDPA: targeted legislation focused on the medical field.

Enforcement and the consequences of non-compliance also differ between these laws. Compliance with CBPR is enforced through existing domestic privacy protection laws. Failure to comply with GDPR may result in a penalty of up to €20 million or 4% of a business’s global annual revenue. HIPAA violations may result in fines from $100,000 to $1,500,000 and even up to a 10-year prison sentence. Apart from that, whereas GDPR, for instance, regulates solely online matters, HIPAA violations can (and do) take place offline. If a doctor tells stories about their patients over tea without, for instance, changing the patients’ names, that is a HIPAA violation.

So, why is HIPAA compliance important for software developers? 

HIPAA is the first piece of legislation that helped the healthcare industry safely transition information from paper records to digital format. Since its enactment by the US Congress in 1996, it has gone through many improvements and is still active today. HIPAA’s technical compliance requirements state that every organization that stores, transmits, or processes medical data has to follow HIPAA standards to operate legally in the US market. Those who build software that interacts with PHI in any capacity should also comply with the rules.

For developers in digital healthcare, the HIPAA Rules provide a framework for creating a secure software architecture and safeguards to detect and eliminate cyber threats quickly. Developers should implement these from the beginning of the project to strengthen data security in the healthcare institutions where the software will be used, and to protect their patients.


How Healthcare Projects Meet Security Requirements in Practice

One of Postindustria’s main domains is digital healthcare, and protecting sensitive data is one of the first requirements we meet in every project for the industry. Let’s look at two projects from the industry that show how we work to make sure the delivered product is HIPAA compliant.

Mahmee Case

Mahmee is a professional healthcare platform for mothers and their children. It’s designed to provide new and expecting parents with continuous medical care.

Maternity coaches monitor data about parents’ and their kids’ health and connect them to doctors if intervention is needed. Through constant communication, the Mahmee team helps parents detect symptoms of health issues they might otherwise have missed: sepsis, postnatal hemorrhaging, postpartum psychosis, and so on. More than 1,000 providers and organizations are in Mahmee’s network.

How We Contributed

We built Mahmee to process a lot of protected health information reported by parents. Its dashboard contains information about the baby’s feeding, symptoms, and vitals, plus data about the caregiver’s wellbeing. Mahmee is HIPAA-compliant, so while building the platform we didn’t have access to protected health information in electronic medical records (EMRs); deployment-related tasks that required working with real patients’ data were handled by the company’s CTO.

Such a divide is a commonly accepted practice when working on digital health products. Through continuous communication, we designed user-friendly dashboards and helpful questionnaires for parents, and integrated Stripe as a payment gateway, along with a chat platform. We also covered pre-deployment troubleshooting and bug fixing despite not having a dedicated QA specialist for the project.

Mindbloom Case

Mindbloom is a mental health company that aims to deliver effective treatment for anxiety and depression via psychedelic-assisted therapy. Sherpa is a minimum viable product (MVP) developed by Postindustria to help Mindbloom’s professionals guide their clients through treatment and recovery.

How We Contributed

We designed Sherpa to bring together the fragmented elements of Mindbloom’s care process: guides, treatment plans, nurturing recommendations, etc. The platform became a patient’s assistant in achieving better mental health.

We integrated third-party APIs, including Pusher.com for front-end notifications, ViralLoops for friend campaigns, Acuity for booking features, and JotForms for multi-conditional forms and surveys. These components were pre-built and HIPAA compliant, which helped us cut about 43% of development costs for the client.

Apart from that, to comply with HIPAA regulation, we signed a Business Associate Agreement (BAA) with Mindbloom, built the application to store a minimum of PHI in the client’s databases, put a rigorous access policy in place, introduced backups, and made sure only team members with permission could see patients’ data.

As a result, the platform we created allowed for multiple customizations depending on the specifics of each end user’s condition, which let Mindbloom craft individual, precise treatment plans, and it was secure.

What Risks Data Security Helps to Eliminate

Security measures for data protection are necessary for all organizations that work with health data and for all apps that help them do so. HIPAA rules define critical areas to focus on, which helps to avoid data theft and leaks, prevent damage to data integrity, and protect people’s privacy. Non-compliance, on the other hand, doesn’t just lead to fines.

With PHI being one of the most popular assets among hackers, because it includes social security numbers and bank details, healthcare breaches can affect many people’s well-being. This April, a clinic in Kansas discovered a data breach that nobody had noticed for a year: the personal, medical, and financial data of more than 52k patients had been exposed. If one of the components of the HIPAA compliance checklist, proper intrusion monitoring and threat detection mechanisms, had been implemented, these people wouldn’t have been at risk.

Our development and quality assurance teams work with sanitized data to improve the security of sensitive information. All information is encrypted, anonymized, and can be easily removed if needed.
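As an added illustration of the sanitized-data practice described above (this is example code written for this article, not Postindustria’s, Mahmee’s or Sherpa’s own code), the function below takes a constructed patient record and produces a copy a development or QA team can work with: direct identifiers are dropped, the patient ID is replaced by a keyed pseudonym, dates are generalized to the year, and SSN- or phone-shaped tokens are masked in free-text notes. The field names, the pseudonym key and the sample record are all assumptions made for the example.

```python
import hashlib
import hmac
import re

# Direct identifiers that must never reach a dev/QA copy (constructed list).
DIRECT_IDENTIFIERS = {"name", "ssn", "email", "phone", "card_number", "address"}
# Hypothetical per-environment secret: one stable pseudonym per patient inside
# a QA dataset, but not reversible to the production ID without the key.
PSEUDONYM_KEY = b"constructed-qa-pseudonym-key"

def pseudonymize(value: str) -> str:
    """Keyed HMAC-SHA256, truncated; the original ID cannot be recovered."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def generalize_date(iso_date: str) -> str:
    """Keep only the year (HIPAA Safe Harbor style date generalization)."""
    return iso_date[:4]

def scrub_free_text(text: str) -> str:
    """Mask SSN- and phone-shaped tokens that leak into clinician notes."""
    text = re.sub(r"\b\d{3}-\d{2}-\d{4}\b", "[SSN]", text)
    return re.sub(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b", "[PHONE]", text)

def sanitize_record(record: dict) -> dict:
    """Copy safe for dev/QA: identifiers dropped, patient ID pseudonymized,
    dates generalized, notes scrubbed; clinical fields kept for testing."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "patient_id":
            out[key] = pseudonymize(value)
        elif key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "notes":
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out

# Constructed sample record for demonstration; not real patient data.
SAMPLE = {
    "patient_id": "P-1001", "name": "Jane Doe", "ssn": "123-45-6789",
    "email": "jane@example.com", "birth_date": "1990-04-12",
    "feeding_log": ["08:00 breast", "11:00 bottle 90 ml"],
    "notes": "Call back at 555-123-4567; SSN on file 123-45-6789.",
}

if __name__ == "__main__":
    print(sanitize_record(SAMPLE))
```

Because the pseudonym is keyed, the same production patient maps to the same QA identifier for the life of one dataset, and rotating the key (or deleting the dataset) severs that link, which is what makes the copy easy to remove when it is no longer needed.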
