Breach reporting required for health apps and devices, FTC says

The Federal Trade Commission (FTC) commissioners, in a split-vote (3-2), issued a policy statement on September 15, requiring both health applications and connected devices to comply with the “Health Breach Notification Rule (August 2009).” The commissioners recognized how the applications and devices did not fall within the scope of the Health Insurance Portability and Accountability Act (HIPAA), but the entities should “face accountability when consumers sensitive health information is compromised.”

What this means, according to the statement is, “Entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information.”

Developers of healthcare applications or connected devices are required to initiate notification protocol when they experience a “breach of security.” Taking no chances of misunderstanding the statement provides an unambiguous example: “When a health app … discloses sensitive health information without users’ authorization, this is a ‘breach of security’ under the Rule.”

Of particular note, especially to those responsible for caretaking of aggregated data on individuals’ health and fitness from consumers, application programming interfaces (API) fall within this Rule. Therefore, the device that has been monitoring your sleep, heart, calorie consumption, medication, fertility, diet, and your physical activities falls within the Rule.

Health data insecurity isn’t hypothetical

According to the IQVIA Institute for Human Data Sciences 2021 trends report, the number of digital health applications has grown to over 350,000 with 90,000 being released in the past year. In addition, the report highlights growth in digital therapeutics and care within the mental health, diabetes, and cardio apps which account for approximately 47% of available apps.

The vulnerability via apps is not hypothetical. In February 2021, Approov published its report “All that we let in,” which tested 30 mobile healthcare apps and found “every one displayed API vulnerabilities that exposed personal healthcare data”

In 2020, Intertrust released a study on the security of mobile health apps and found that 91% of the apps failed cryptographically, and 71% had at least one major security vulnerability.

Think of your average hospital room and the number of devices that are active within the room at a given time—15 to 20? Then the ICU room will have 20-plus devices, 20 beds to a ward, and it becomes clear that the laws of large numbers will prevail and before you know it an average hospital might have as many as 80,000 to 85,000 connected devices. Would a vulnerability in any of these devices be of interest to a criminal or mal-intended individual? Absolutely. We only have to review the recent case of the malevolent cybersecurity provider who compromised devices within his client’s hospitals to harvest “patient information, including test results, device output, and billing and accounting data.”

Thoughts of the five FTC commissioners

The chair, commissioner Lina M. Khan, voted in support of the creation of the policy statement, noting that the pandemic has “hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health.” She continued on how the creators of these applications often fail to address privacy and security concerns, which she characterized as “playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches.”

Commissioner Rebecca Kelly Slaughter in her statement in support of the policy, highlighted how mental health applications have been an area of particular growth during the COVID pandemic: “While digital mental health tools can be promising if they connect users with evidence-based resources, they also present high risks, because users seeking mental health resources are often sharing information that is particularly sensitive and personal.” Slaughter made clear, “If you are offering digital health services, the FTC will hold you accountable for accurate, evidence-based claims and fully compliant data privacy practices.”

While commissioner Rohit Chopra, notes how historically the FTC has not been energetic in enforcing the existing rule concerning breach notification and how he looks forward to working with “the Department of Health and Human Services to safeguard our most sensitive health data.”

Dissenting were commissioners Noah Joshua Phillips and Christine S. Wilson, who believed the policy statement was an overreach. Phillips, characterized the policy statement as “the definitions in our regulations and those of HHS [Heath and Human Services] and SSA [Social Security Administration] that the majority is today reimagining—has never been a model of clarity.” He also noted the difference between a breach of security and that of acquisition of information without the authorization of the individual, as two different acts, which are now comingled. Wilson notes while she is supportive of the need to protect consumers, she opines how the policy statement would have substantive impact on other agencies (SSA and HHS).

CISOs’ road ahead

It is worthy to note that the policy statement is not “rule-making” per commissioner Slaughter and is “designed to clearly communicate compliance obligations in the market under the existing laws.” Nothing has changed; the purpose of the policy statement was to provide clarity.

With 90,000 applications introduced over the course of the past year, commissioner Khan’s observation is both highly possible and probable: Security and privacy may not be at the forefront of many of those apps. This is especially relevant given the industry studies indicating widespread issues with app developers being challenged in the implementation of crypto and APIs.

The FTC bar for handling inadvertent disclosure or access be it in-house or through a breach/misconfiguration of data stores may require apps to be overhauled. Therefore, CISOs within the health application and device sectors who may have had difficulty getting funding to secure their entity’s network, data, and applications, have been provided, courtesy of the FTC with the bullet point to take to the C-suite: The sting for non-compliance will add up quickly, as the civil penalty is $43,792 per violation, per day.