Hippogriffs and HIPAA: Securing Data in Healthcare Applications
By Stephen Trout, HIPAA Blog, Resources

One of the best parts of science fiction and fantasy stories is the travel.

When you climb into the Millennium Falcon, a retrofitted DeLorean, or even onto a flying “hippogriff” in Harry Potter, you can’t help but wonder: what will travel be like in the future? (Ok, the hippogriff might be a stretch.)

Yet for some aspects of healthcare, what once seemed like science fiction is fast becoming reality.

A half-century ago, what doctor ever anticipated a transporter device that would “beam” his x-rays to another physician or patient? But that’s essentially what a file-sharing app will do.

Indeed, the ability to send your sensitive files traveling through cyberspace at warp speed with a click of an app (on a device you carry in your pocket, no less!) is nothing short of amazing.

As a result, today’s patients can receive treatments much faster, with the benefit of instantaneous collaboration from other specialists. Pretty cool, Jim.

Rise of the Apps

Ever since their first appearance in Apple’s App Store in 2008, mobile healthcare (mHealth) apps have made the jump to hyperspace – and they haven’t looked back.

Valued at $45 billion globally in 2020, the mHealth market is now projected to reach $639.4 billion by 2028.

Beyond a lucrative market, the practical gains from these mHealth apps are tremendous. Every day:

  • doctors and emergency workers receive timely medical data via mobile apps
  • patients schedule their healthcare appointments on their phones through an app
  • specialists carry an essential library of large textbooks on their devices through apps
  • physicians use a mobile PDR for point of care prescribing of drugs
  • clinics use apps to improve patient experiences and build their brand
  • patients track personal health – from blood pressure to diabetes – through smart wearables

Compliant Apps

But just as fantasy travel can be fraught with peril (the Millennium Falcon caught in the Death Star’s cross-hairs), healthcare apps that handle PHI are especially vulnerable to attack.

Which means that if you’re a developer with a great idea for a new healthcare app, priority one is to make it secure and compliant. Steep fines have been levied for data breaches caused by unprotected applications.

So how can you make your app HIPAA compliant, safe for sending protected data through cyberspace – and keep costs in check while doing it?

1. Your app needs a secure, compliant infrastructure; consider a container.

Medical data needs a secure foundation – one that preserves data integrity, availability, and privacy for HIPAA, in both transit and storage. Providing this compliant foundation minimizes risks and liability to data.

If you have the expertise, you’ll derive excellent security benefits from packaging your app in a container.

Containers are an amazing technology, allowing you to increase the speed at which you can deploy applications, with greater flexibility and agility, and reduced cost.

Each container packages everything the application needs to run (code and system tools), so it requires fewer resources than a full virtual machine.

A container orchestration tool like Kubernetes also provides integrated security benefits: because containers are destroyed and new nodes and clusters created whenever a new version of an application is deployed, the burden of in-place security patching and updates is reduced.

That said, ensuring security and compliance for containerized apps that process protected health information can be complex.

For instance, automated vulnerability scanning of container images at every stage of deployment is necessary to keep images and registries free of known vulnerabilities.

Encrypting all data moving in and out of your containers is also critical.

Many developers have taken up the challenge of containers, only to discover that meeting all the complex requirements for HIPAA-compliant hosting can be daunting.

Thousands of hours later, mounting development costs, ongoing server security concerns, and looming audit requirements take their toll – and they’ve only just begun.

Here’s where inheriting a proven, fully managed infrastructure that allows you to focus on developing apps can save the day.

You’ll increase your profitability without the expensive server equipment and maintenance costs, and leave the day-to-day security, patching, and updates in the hands of proven security specialists who know HIPAA.

The ability to offer a fully comprehensive, end-to-end supported infrastructure solution that customers will trust can help you get up and running with your app fast.

2. Your organization must maintain HIPAA-compliant practices on a daily basis.

You need to know that when a HIPAA auditor comes knocking at your door, they’ll be looking at more than just your new app.

They will examine your company as a whole, looking for any existing or potential holes in your procedures, practices, and overall security.

Which means you’ll benefit from performing a thorough risk assessment of PHI in your organization – how data will flow and be stored, and all potential vulnerabilities.

The risks of not doing so can be absolutely staggering.

An annual study by the Ponemon Institute saw the average total cost for healthcare breaches increase to $9.23 million in 2021.

You might know that compliance isn’t achieved by running out and purchasing a certification, or completing a course.

That’s because compliance is like a “snapshot in time”: you might have compliant procedures being closely followed by everyone one moment, and sacrificed by a lapse in practice the next.

No mistakes might be made today, but tomorrow a document may be left in an insecure place, or an employee may fall prey to a social engineering “phishing” scheme, allowing attackers to obtain their password and enter your network. Before you know it, you’re unable to access your data.

While a compliance checklist is certainly helpful, consider teaching your employees about HIPAA at a fundamental level, and imparting a sense of what true security is – in both the digital and physical senses of the word.

The goal here is to try to anticipate breaches before they happen. Being cognizant of your information life cycle helps you to be sure that all steps in the process are fundamentally sound from a security perspective.

Out of this World Benefits

With a good sense of security awareness, a well-informed employee pool, and fundamental attention to the core concepts in security, you’re well on your way to having a strong, compliant foundation to go with your app.

Adding HIPAA Vault to your team to help manage your app in a secure, compliant environment can make it possible to keep your data safe and secure, and keep costs low.

You’ll receive a full range of our managed security services at no extra charge, including our 24/7 dedicated live tech support.

HIPAA Vault’s technical specialists are dedicated to providing the best support possible as you build your apps and enhance your customers’ satisfaction.

We ensure less than 15-minute response times for critical alerts and over 90% first-call resolution.

So, ready for your app to go where no one has gone before? Find out how HIPAA Vault can help!

About HIPAA Vault
HIPAA Vault specializes in providing managed, secure, HIPAA compliant solutions, including secure Linux hosting and HIPAA WordPress. Our mission is to provide uncompromising data security combined with world-class customer service and 24/7 technical support.

Stephen is an award-winning writer with a depth of experience in healthcare security and HIPAA compliance. In addition to writing for HIPAA Vault, his work has been published in Security Magazine, New England Society for Healthcare Communications, and others. Stephen has a degree in Engineering from Temple University, and can be reached at strout@hipaavault.com.