With the expanding use of mHealth applications, researcher and ethical hacker Elisa Knight decided to investigate how secure they keep PHI. According to an article posted on HIPAA Journal on Feb 16th, of 30 mHealth apps she chose for examination, every single one tested was found vulnerable. These 30 apps (chosen out of over 300,000 mHealth apps available in the major app stores) are used by an estimated 23 Million people.

These apps contain information ranging from pure scheduling info to lab results, medical images, even full medical records. This information is of great value on the dark web, and so is highly targeted. Half of the records she accessed contained social security numbers, addresses, dates of birth and other sensitive information. The biggest surprise was how basic the vulnerabilities were – it did not take a sophisticated attack to access PHI in many of the apps. A proviso of the study was that none of the apps would be identified.

Here is a link to the full HIPAA Journal Article 100% of Tested mHealth Apps Vulnerable to API Attacks

COVID-19 Vaccination assistance apps:

On a somewhat related note, there are a lot of new COVID-19 Vaccination assistance apps specifically developed to facilitate the scheduling of vaccination. The Office of Civil RIghts (OCR) has recently issued a ruling stating they “will not impose penalties for violations of the HIPAA Rules on covered health care providers or their business associates in connection with the good faith use of online or web-based scheduling applications”.

This non-enforcement is retroactive to Dec 11th, 2020 (the approximate beginning of vaccine availability). This ruling specifically applies to the apps being run by healthcare organizations to facilitate vaccination appointments and does not apply to mobile apps. Apps which access patient records are also still subject to enforcement.

The HHS article/announcement may be found here: OCR Announces Notification of Enforcement Discretion for Use of Online or Web-Based Scheduling Applications for the Scheduling of COVID-19 Vaccination Appointments