Healthcare Data on Your Mobile Device

What could go wrong?

January 26, 2018

This morning I read that Apple is letting you keep your medical records on your iPhone or Apple Watch and it got me thinking:  How secure will this data be?  How well will people work to protect their personal healthcare data?

I am a cybersecurity guy and I am a skeptic, so let me give you some facts and then some things to think about.

Fact:  Apple doesn’t “see” the healthcare data unless the customer chooses to share it. 

[Image: iPhone Health app holds your personal healthcare data]

I own an iPhone, so I went into the Health app under Health Records/Data Sources & Access. Here you can specify the apps and sources allowed to update your health records data, but there is nothing that tells me how or if this data is tracked or protected.

Apple may not keep the data, but what about the apps that are connected to the records?

Fact:  Apple is working with medical-records vendors to make it easier for people to view their information on their iPhone.  

That’s awesome! I’m all for that, but again, how is the data being protected and should I trust a company because they are big and say I am protected?

I have had the privilege of being an included pawn in some of the largest health record breaches in history, and now my records are going to be sent to my phone via “protected” apps? LMAO… really??

We are putting a lot of faith in a lot of programmers, who are not regulated, to transmit, encrypt and store electronic protected health information (ePHI).

Fact:  Most people don’t typically protect their phones with passwords, unless their company forces them to. 

And the passwords people tend to use are easy to remember, or a PIN that is probably a birthday or some other number important to them. SplashData compiles a list every year of the 100 worst passwords. Many passwords on the list are unchanged from the year before or have simply moved up or down the list.

People still don’t take passwords seriously because it is just too much trouble. How often have you changed the password on your iPhone or Apple Watch?
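To make the point concrete, here is an added Python example, written for this post rather than taken from Apple or any health app, that flags the kinds of weak passcodes just described: PINs that read as a birthday or birth year, digit sequences, repeated patterns, and passwords that appear on a common-password list. The list embedded here is a constructed sample for illustration, not the SplashData list, and the length and character-class thresholds are assumptions for the example.

```python
"""Weak-passcode checks for the phone PINs and passwords described above (added example)."""
from datetime import date

# Constructed sample of frequently chosen passwords; illustrative only,
# not the SplashData list the post refers to.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "letmein", "1234567", "football", "iloveyou", "admin", "welcome",
    "monkey", "login", "abc123", "starwars", "123123", "dragon", "p@ssw0rd",
}


def _valid_day(month: int, day: int) -> bool:
    """True if month/day is a real calendar date (2000 is a leap year, so 02/29 counts)."""
    try:
        date(2000, month, day)
        return True
    except ValueError:
        return False


def is_date_like(pin: str) -> bool:
    """True if a 4- or 6-digit PIN reads as MMDD, DDMM, a birth year, MMDDYY, DDMMYY or YYMMDD."""
    if not pin.isdigit():
        return False
    if len(pin) == 4:
        if 1900 <= int(pin) <= date.today().year:  # a plausible birth year
            return True
        a, b = int(pin[:2]), int(pin[2:])
        return _valid_day(a, b) or _valid_day(b, a)
    if len(pin) == 6:
        a, b, c = int(pin[:2]), int(pin[2:4]), int(pin[4:])
        return _valid_day(a, b) or _valid_day(b, a) or _valid_day(b, c)
    return False


def is_sequential(pin: str) -> bool:
    """True for runs like 1234, 6789 or 4321 (every digit one step from the previous one)."""
    if len(pin) < 3 or not pin.isdigit():
        return False
    steps = {int(y) - int(x) for x, y in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_repetitive(pin: str) -> bool:
    """True for a single repeated digit (0000) or a short repeated pattern (1212, 121212)."""
    for size in (1, 2):
        if len(pin) > size and len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            return True
    return False


def pin_weaknesses(pin: str) -> list:
    """Reasons a numeric passcode is easy to guess; an empty list means none were found."""
    if not pin.isdigit():
        return ["not a numeric PIN"]
    reasons = []
    if len(pin) < 6:  # assumed minimum length for this example
        reasons.append("shorter than 6 digits")
    if is_date_like(pin):
        reasons.append("looks like a date or birth year")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if is_repetitive(pin):
        reasons.append("repeated pattern")
    return reasons


def password_weaknesses(password: str) -> list:
    """Reasons an alphanumeric passcode is weak; all-digit input is treated as a PIN."""
    if password.isdigit():
        return pin_weaknesses(password)
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on a common-password list")
    if len(password) < 8:  # assumed minimum length for this example
        reasons.append("shorter than 8 characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        reasons.append("uses fewer than 3 character classes")
    return reasons


if __name__ == "__main__":
    for candidate in ("1984", "0312", "1234", "121212", "735829", "p@ssw0rd", "Tr0ub4dor&3"):
        print(candidate, "->", password_weaknesses(candidate) or "no obvious weakness")
```

The date check deliberately accepts several layouts (MMDD, DDMM, and the three common six-digit orderings) because a birthday is weak regardless of which order the owner wrote it in; a real enrollment screen would run these checks before accepting the passcode rather than after.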

Final thought: There is a lot of your ePHI out there already with insurance companies, doctors, hospitals, dentists, etc.—and let’s not forget the government!

I have been doing healthcare security assessments for over a decade and I can tell you that in general, healthcare data is not well protected. The primary reason is that it costs a lot of money to encrypt data in storage and protect the data moving in and out of healthcare environments. Now you are going to put it on my phone, use unprotected apps and tell me everything is okay.

I just don’t believe the security is in place.

I am all for making access to medical records easier for the patient, but I want my data protected everywhere it exists and I know we aren’t there yet. And even though I’ve focused on the Apple app here, the premise on data security is the same for all healthcare apps on any mobile devices.