- During the COVID-19 pandemic, security breaches have increased by nearly 50 percent.
- Less than one-third of apps designed to slow disease transmission encrypt user data.
- Senators have proposed a bill to safeguard app users’ health information.
Report: COVID-19-Related Apps May Not Protect Patient Data
App makers and tech giants alike are working to develop digital tools to combat COVID-19. Google and Apple even announced a “joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design.” Their plan involves “application programming interfaces (APIs) and operating system-level technology to assist in enabling contact tracing.”
However, a recent analysis published in Nature Medicine raised significant concerns about the privacy of apps related to COVID-19. “A troubling discovery is that only 16 of the 50 apps indicate that the user’s data will be made anonymous, encrypted, and secured and will be transmitted online and reported only in an aggregated format.” Furthermore, “What is not clear is whether any of the data collected are protected by any laws or regulations,” such as HIPAA. It is worth noting that there are many HIPAA-compliant apps and programs, such as the Patient Monitoring System, which uses Oracle’s “therapeutic learning” to “gather comprehensive, real-time data from doctors and clinicians about how patients are responding to various Coronavirus treatment options.” Secure programs such as this can function as large-scale clinical trials, giving healthcare providers “additional ‘ammunition’ in the war against the pandemic’s impact on people around the world,” according to Keith Fernandez, MD, Chief Clinical Officer at Privia Health.
Data Breaches on the Rise
In addition to privacy concerns, data breaches have increased dramatically during the pandemic. According to data from the U.S. Department of Health and Human Services (HHS), HIPAA-covered entities reported 132 data breaches from February through May, a nearly 50 percent increase over last year, Healthcare Finance reports. Entities have 60 days from the time of discovery to report a breach of over 500 patients’ PHI to HHS. Therefore, the actual number of data breaches during this period is possibly higher.
Experts speculate that the rapid implementation of telehealth may exacerbate security concerns. “There’s nothing inherently riskier about telehealth technology,” Andy Riley, Executive Director of Security Strategy at Nuspire, told Healthcare IT News. “But when you mix this rapid, enhanced adoption [of telehealth] with this enhanced threat … that’s where the trouble lies.”
While accelerating the adoption of telehealth is critical to combat COVID-19, HHS’ “recent temporary waiver of HIPAA violation penalties for using a non-secure platform such as FaceTime or Skype” has created confusion, according to Graham Galka, Senior Vice President of Strategy and Innovation at Privia Health. His recommendation to providers looking to add telehealth to their “toolkit” is straightforward: “Don’t put your patients’ information at risk. Get a HIPAA-compliant platform.”
Bipartisan Bill to Protect Health Information
A bipartisan group of senators has authored a bill, the Exposure Notification Privacy Act. “The legislation makes participation in commercial online exposure notification systems voluntary and gives consumers strong controls over their personal data, limits the types of data that can be collected and how it can be used, and contains strong enforcement provisions,” read a press release. “The bill will give Americans confidence that the apps they are using are from legitimate sources, will protect their privacy, and that public health officials will be the ones determining what tools are necessary to give the public the information they need to make smart decisions regarding their health.”
While the collection and analysis of digital data can help limit or slow the pandemic’s spread, we must ensure data is secure to protect patient privacy. Public officials and app developers must align on best practices to benefit public health without putting patient information at risk.