
10 steps to creating a safe, secure healthcare app

From the mHealthNews archive
By Andrew Underhill

With as many as 142 million mobile healthcare apps expected to be downloaded by 2016, healthcare providers are facing an onslaught of mobile software solutions that may or may not comply with safety and security standards. And whether they're designing their own apps or looking to developers, they need to be on top of the game. The risk of a data breach is too great to ignore.

Taking a concerted approach to app development can mitigate the risk of compliance shortfalls. Here are 10 steps to follow to ensure a new healthcare app meets regulatory and data security standards.

1. Understand the target market

Not all healthcare apps are governed by the same set of rules. For example, an app used by physicians for viewing radiology images will have a different set of compliance considerations and regulations than an app designed to help patients remember to take their medications. Before creating an app, take a look at the legislative drivers governing the aspect of healthcare you hope to target and make sure you understand what is required from a compliance standpoint.

2. Check in with HIPAA

Probably the biggest regulation to review is the Health Insurance Portability and Accountability Act (HIPAA), which governs how to legitimately share data while preserving patient privacy. Different apps will require different levels of HIPAA compliance, depending on the kind of data they house and share. To fully appreciate how HIPAA applies to your particular app, consult a healthcare attorney who can guide you on things to watch out for and possible roadblocks to address.

3. Look at the footprint

More than anything else, your app’s footprint will dictate the level of difficulty involved in realizing compliance. For instance, if you are planning to store patient data on the app, there will be some pretty hefty privacy and security regulations you will need to follow. Conversely, if you aim to have zero footprint apps - meaning they access data from a secure server but nothing resides in the apps themselves - then they will carry lower risk as the apps and data only reside on devices during use.

4. Consult industry best practices

There are several entities that offer best practices to ensure apps are both useful and compliant. For instance, The Workgroup for Electronic Data Interchange (WEDI) is a well-respected authority on health data exchange. They have developed best practice guidelines and compliance standards that organizations should keep in mind when developing apps.

Similarly, Integrating the Healthcare Enterprise (IHE) is an initiative driven by healthcare professionals that promotes the coordinated use of established standards to help technology systems communicate with one another effectively and securely. The group hosts annual “connectathons” across the world in which developers come and test their solutions for compliant and secure interoperability.

Familiarizing yourself with these entities and the best practices they support is essential in guiding your application to meet industry standards and compliance regulations. 

5. Talk to an expert

Once you have an idea for an app and have checked the target market specifications, HIPAA regulations and best practices, it may be helpful to run your approach by someone who has gone through the process before, as they may provide strategic insights, advice and lessons learned. For instance, industry experts may be able to talk about market saturation, appropriate budget expectations, compliance pitfalls and so on. Seeking their input can be valuable in heading off potential issues that could delay or possibly even derail app development. 

6. Use standard terms and coding

One of the primary problems with the flood of apps hitting the market is that very few talk well with one another, making interoperability challenging and preserving security difficult. By using standards-based coding and terms in your app - such as DICOM, HL7, SNOMED and ICD-10 - you can increase the likelihood that an app will communicate with others and safely share information.

7. Employ encryption

To keep data private and secure, organizations need to understand when and what kind of encryption is necessary and reliably apply that encryption appropriately. Depending on your portable solution, encryption may be necessary when data enters the app, is stored in the app, and/or is sent from the app. Industry groups such as IHE and WEDI have specific recommendations on what constitutes suitable encryption. Make sure you review and comply with these when creating your solution.
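As an added illustration of the "stored in the app" case above (this is example code written for this article, not from the author or from any IHE or WEDI specification), the Go program below seals each record kept on the device with AES-256-GCM, an authenticated mode, so that stored data is unreadable without the key and any modification is detected rather than silently accepted. The record layout, the `recordID` binding and the sample record are assumptions chosen for the demonstration; in a shipped app the key would come from the platform keystore, not from code or a file beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewStorageKey returns a fresh 256-bit key for AES-256-GCM. In a real app this
// key is loaded from the platform keystore (Keychain / Android Keystore); it is
// generated here only so the example runs stand-alone.
func NewStorageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals one record for storage on the device. The record ID is
// bound in as associated data, so a ciphertext copied from one record onto
// another fails to decrypt. Output layout: nonce (12 bytes) || ciphertext || tag.
func EncryptRecord(key, plaintext []byte, recordID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a fresh random nonce per record
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptRecord opens a stored blob. Any change to the nonce, ciphertext, tag or
// record ID yields an error instead of garbled plaintext.
func DecryptRecord(key, blob []byte, recordID string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("stored record is too short to be valid")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

// newAEAD builds the GCM instance; aes.NewCipher rejects keys that are not
// 16, 24 or 32 bytes, so a truncated key fails loudly here.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewStorageKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"patient":"sample-0001","medication":"example 10mg daily"}`)

	blob, err := EncryptRecord(key, record, "rx-0001")
	if err != nil {
		panic(err)
	}
	plain, err := DecryptRecord(key, blob, "rx-0001")
	fmt.Printf("round trip ok: %v\n", err == nil && bytes.Equal(plain, record))

	// Flip one bit of the stored blob: GCM's tag check must reject it.
	blob[len(blob)-1] ^= 0x01
	_, err = DecryptRecord(key, blob, "rx-0001")
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The same primitive does not cover data in transit; for "sent from the app" the usual answer is TLS to the server, with the device never holding the server's private material.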

8. Leverage user-centric design

While not essential for achieving compliance, embracing user-centric design can promote user understanding and spur adoption, ensuring users fully appreciate what an app does and does not do and preventing frustration and misuse. Going forward, what will set the great apps apart from the not-so-great is the ability to share meaningful information in a user-friendly way. As such, it can be beneficial to work with a designer who specializes in user-experience design to effectively meet patient and provider needs.

9. Test, test and test again

While this may seem obvious, some organizations rush the testing process in an effort to get apps to market faster. Taking the time to test an app in a controlled setting can prevent security and privacy headaches down the road. Make sure you take a robust approach to testing, considering all possible scenarios, to ensure the app is completely ready to release into the marketplace.

10. Seek independent validation

Since the individuals with primary responsibility for app development and testing may be working on a program for weeks or months, it is likely they will get “too close” to the process and may overlook key security risks or inadvertent holes. For this reason, it is critical to seek third-party validation and verification for an app before going live. Once the app receives validation, share that information with users to communicate that the app has been appropriately vetted and is safe for use.

Andrew Underhill is chief technologist at Systems Made Simple, a provider of IT systems and services to support critical architecture, data and application challenges in the healthcare industry.