Data privacy is a fraught subject in any industry. But in healthcare, the stakes are especially high. Many consumers have made (at least some degree of) peace with trading personal data for the convenience of entertainment offered by their favorite apps. But people aren’t necessarily willing to make the same tradeoff with their healthcare data.
Patients have a higher standard for privacy in a healthcare context. HIPAA (the Health Insurance Portability and Accountability Act) has given them every reason to expect that standard will be met.
But healthcare organizations aren’t meeting those standards. According to an analysis from Black Kite, the healthcare industry was the most common target of third-party attacks in 2021, accounting for 33% of all them. A report from Securelink revealed that 44% of healthcare and pharmaceutical organizations experienced a data breach caused by a third party in 2021.
What HIPAA Misses and The Problem with Healthcare APIs and Apps
You may work hard to make sure your healthcare organization is keeping patient data safe and following HIPAA, but if the third parties you work with don’t do the same, you’re putting that data at risk all the same. Right now, the third-party APIs and apps healthcare organizations work with present some problems.
1. They don’t have to be HIPAA compliant (but patients don’t know that).
While HIPAA covers healthcare organizations, it doesn’t currently extend to cover all third-party vendors that work with healthcare providers. APIs (application programming interfaces) and apps that aid in making healthcare data more accessible to patients may also be putting it more at risk. And many patients will assume HIPAA protections cover any tools they associate with their healthcare provider, meaning they don’t understand the risk they take in agreeing to use them.
2. They don’t all treat patient privacy as a priority.
The developers of those apps and APIs have their own goals, and data privacy isn’t always one of them.
“HIPAA is being tested as new and varied organizations develop tools and services to take and monitor what seem to be ‘benign’ (i.e., data outside HIPAA data classification) health data bits without fully identifying and/or understanding any downstream implications,” explains Tom Garrubba, Vice President, Shared Assessments.
If a third party you work with is trying to get around the spirit of HIPAA in order to wring more profit out of the data you provide, it puts you and your patients at greater risk.
3. Many have concerning vulnerabilities.
None of these concerns are hypothetical. Testing by Aproov found thirty mHealth (mobile health) apps and healthcare APIs had authentication and authorization vulnerabilities that allowed unauthorized access to patient data. In the same tests, 53% of the apps had hardcoded API keys and tokens that could be exploited by hackers.
Your organization’s security is only as strong as your weakest third-party connection. And many of the third-party healthcare apps and APIs available right now have glaring weaknesses.
4. Their flaws are your responsibility.
“It’s important for covered entities to understand that the HIPAA Omnibus rule is pretty clear that any mishandling of data by downstream vendors—including Nth party application developers—will come back to bite the covered entity,” says Garrubba. If a vendor you work with is the victim of a data breach that exposes patient information you shared with them, no one will care that you’re not directly at fault. That data is still your responsibility.
5. But they also have an important role to play.
“Data exchanges and application programming interfaces (APIs) are a fact of life,” points out Ron Bradley, Vice President of Shared Assessments. “The Internet could not function without them.”
Those apps and APIs can be important in helping your patients and their providers stay connected to their healthcare information. Avoiding them completely isn’t a workable solution for most healthcare organizations.
How Healthcare Organizations Can Improve TPRM
So you’re stuck. You probably can’t forgo third-party APIs and apps entirely, but you also don’t want to introduce the level of risk they bring with them. To find the right balance, you need to adopt some TPRM (third-party risk management) best practices.
1. Aim to only work with vendors who comply with HIPAA.
Your patients expect their data to be protected at HIPAA levels, so do your best to meet that need by seeking out only HIPAA-compliant vendors. Just because third parties don’t officially have to follow HIPAA, doesn’t mean they shouldn’t. You may not be able to find HIPAA-compliant vendors for 100% of your third-party needs, but aim to do so for as many as possible.
2. Create an inventory of your current third-party relationships.
You don’t just want to consider the security standards of new vendors you seek out, you also want to regularly check in on how secure your long-standing third-party relationships are. The first step to doing so is creating an inventory of all the third parties you work with, and the level of access they each have to your data. According to SecureLink, only 41% of healthcare and pharmaceutical organizations have a comprehensive third-party inventory.
That’s a problem. If you don’t know who has your data, how can you make sure they’re keeping it safe?
3. Insist on transparency.
What patients don’t know can hurt them. They deserve information on who has access to their private information and why.
“Further bolstering consumer awareness is always good, particularly more awareness as to what the app is collecting and what it is doing with such sensitive data,” says Nasser Fattah, Senior Advisor at Shared Assessments. “Often consumers are willing to provide data in return for ‘value,’ but do not know what is really happening ‘behind the scenes’ regarding a third-party app.”
By being upfront with consumers, you give them the chance to opt-in to any data sharing you do.
4. Stay on top of healthcare data legislation and industry updates.
You should take these steps because keeping patient data safe is the right thing to do. But there may soon come a day where taking greater precautions is no longer optional. Right now, third parties are a notable gap in healthcare regulations, but legislation could rise to cover that gap. And industry trends could change to create better standards and tools for improving healthcare TPRM.
On March 24 of this year, The Confidentiality Coalition and WEDI (Workgroup for Electronic Data Interchange) wrote a letter to the Department of Health and Human Services warning of current security risks caused by third-party apps that aren’t covered by HIPAA and urging regulatory leaders to take action. Amongst their recommendations was the creation of certifications or accreditations for apps and APIs used by healthcare organizations, to create better standards and accountability for protecting patient data within them.
Whether or not their urging will lead to new regulations remains to be seen. But it’s worth being prepared and paying close attention so you’re ahead of the game if those changes do occur.
If you don’t think about TPRM now, you face the real risk of having to deal with it in the aftermath of a cyber attack or data breach. Being proactive can save you a lot of time and trouble, can save your patients from unwanted exposure, and can keep you from having to scramble to meet future regulatory requirements.