HIPAA compliance for a mobile app is the responsibility of the app development team and its company. Mobile technologies and platforms like Ionic provide UI and integration with native SDKs, but they do not handle user data or network security as it pertains to HIPAA compliance, and neither would any other mobile technology; it is simply outside the purview of a mobile framework.
What a platform like Ionic does provide is the building blocks and APIs teams need to implement user data storage and network security correctly, follow HIPAA compliance guidelines, and secure Protected Health Information (PHI).
In this post we explore the APIs and techniques often used as part of a HIPAA compliant mobile experience, but discussion of broader HIPAA compliance concerns is out of scope for this blog.
When dealing with sensitive user information, the ideal is never to persist it on the device at all. That is not practical for many performance and offline use cases, however.
So apps must store some sensitive data, such as authentication tokens and cached records, encrypted at rest using the full security capabilities of the mobile device.
That decision brings two further considerations: protecting the authentication session while still offering biometric unlock for automatic login, and storing encrypted data at rest using keys the platform manages on the app's behalf.
To protect a session token and gate it behind biometrics, the app must use the iOS Keychain and the Android Keystore. These APIs store secrets in a region managed by the operating system (and, where the hardware supports it, the Secure Enclave or StrongBox) using keys that cannot be exported from the device. The key can additionally be bound to the enrolled biometric set, for example with a `SecAccessControl` using `.biometryCurrentSet` on iOS or `setUserAuthenticationRequired(true)` on a `KeyGenParameterSpec` on Android, so that decryption only succeeds after a valid biometric match and a change in enrolled biometrics invalidates the key. The result is data that is encrypted at rest with keys that cannot be lifted even from a jailbroken or rooted device. The caveat is that a compromised device can still hook the running app and read data after the app has decrypted it, so the app should also avoid holding decrypted PHI in memory longer than it needs to.
However, there are a number of mistakes teams make when implementing these complex APIs, and many are documented here.
Thankfully, teams do not have to implement these APIs and security flows themselves: off-the-shelf solutions for storing sensitive user data exist, such as Ionic's Identity Vault and Encrypted Storage solutions.
Apps will need to send data over the network, and that data may contain PHI.
As a start, every network request must use TLS (that is, HTTPS). Ensure every endpoint is served over HTTPS with current TLS versions, and that the app does not embed resources such as images or scripts using http:// URLs, since a single cleartext load can leak session cookies or PHI-bearing query strings. Use the platform controls to enforce this across the whole app: App Transport Security (ATS) on iOS, and on Android a network security config with `cleartextTrafficPermitted="false"` (or `android:usesCleartextTraffic="false"` in the manifest).
Another technique your app should strongly consider is certificate pinning (often still called SSL pinning). Pinning restricts the app to a known set of public keys for a given endpoint, so a certificate issued by any other authority, even a trusted one, is rejected. This defeats man-in-the-middle interception by an attacker who has obtained a rogue certificate or installed a CA on the device. Pin the hash of the server's public key (the SPKI) rather than the leaf certificate so routine renewals do not break the app, always ship at least one backup pin for a key held offline, and plan the rotation before the first pin set expires: a stale pin set locks every installed copy of the app out of your backend until an update ships. Pinning raises the bar against network attackers; it does not protect against an attacker who controls the device and can hook the app's TLS stack.
When a user switches away from an app, most mobile operating systems capture a snapshot of its last screen for the app switcher and other OS surfaces.
To ensure no PHI leaks through one of these snapshots, your app should listen for app lifecycle events and obscure the screen contents before the snapshot is taken: on iOS that means reacting when the app resigns active, not only when it enters the background. On Android, setting `FLAG_SECURE` on the activity window additionally blanks the recents thumbnail and blocks screenshots. This is typical of apps in high-security contexts, such as banking.
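The lifecycle handling described above, as an added example in TypeScript that is not part of the original post or of any Ionic product. The policy is platform-agnostic: cover the UI on the first loss of focus, and on return either reveal it or, if the app was away longer than a threshold, lock the session and require re-authentication. The `PrivacyScreen` and `SessionLocker` interfaces and the `simulate` helper are assumptions for this example; in a Capacitor app the `onStateChange` call would be wired to the `App` plugin's `appStateChange` event (`isActive` false maps to `"inactive"`, true to `"active"`).

```typescript
export type AppState = "active" | "inactive" | "background";
export type GuardAction = "obscure" | "reveal" | "lock";

// Hypothetical adapters for this example: an opaque overlay and the app's session.
export interface PrivacyScreen {
  show(): void;   // cover the UI with an opaque panel (logo, blank view)
  hide(): void;
}

export interface SessionLocker {
  lock(): void;   // drop the in-memory session and route to re-authentication
}

export interface PrivacyGuardOptions {
  lockAfterMs: number;   // time away after which the user must re-authenticate
}

export class PrivacyGuard {
  private hiddenSince: number | null = null;

  constructor(
    private readonly opts: PrivacyGuardOptions,
    private readonly screen: PrivacyScreen,
    private readonly session: SessionLocker,
    private readonly now: () => number = Date.now,
  ) {}

  // Decide and perform the action for a lifecycle transition. Returns the action
  // taken (null when nothing changed) so the policy can be checked without a device.
  onStateChange(state: AppState): GuardAction | null {
    if (state === "inactive" || state === "background") {
      // Cover on the *first* loss of focus. iOS takes its switcher snapshot after
      // willResignActive, so waiting for didEnterBackground is too late, and transient
      // interruptions (Control Center, an incoming call) must be covered as well.
      if (this.hiddenSince !== null) return null; // already covered; keep the original timestamp
      this.hiddenSince = this.now();
      this.screen.show();
      return "obscure";
    }
    // state === "active"
    if (this.hiddenSince === null) return null;
    const awayMs = this.now() - this.hiddenSince;
    this.hiddenSince = null;
    if (awayMs >= this.opts.lockAfterMs) {
      // The lock screen replaces the PHI view, so the overlay can come down only after
      // the session has been dropped.
      this.session.lock();
      this.screen.hide();
      return "lock";
    }
    this.screen.hide();
    return "reveal";
  }
}

// Drive the guard through a sequence of (state, timestamp-ms) events with a controllable
// clock and no-op adapters, returning the action chosen at each step.
export function simulate(events: Array<[AppState, number]>, lockAfterMs = 30_000): (GuardAction | null)[] {
  let t = 0;
  const guard = new PrivacyGuard(
    { lockAfterMs },
    { show: () => {}, hide: () => {} },
    { lock: () => {} },
    () => t,
  );
  return events.map(([state, at]) => {
    t = at;
    return guard.onStateChange(state);
  });
}
```

Keeping the timestamp from the first `inactive` rather than the later `background` event matters: the inactive-to-background pair fires within milliseconds, and measuring from the later one would let a user sit in the switcher slightly longer before the lock triggers.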
Many health apps need to access health data on the device. On iOS this means HealthKit; on Android it means Google Fit.
It is important to make sure that any data accessed through these and other APIs adheres to your app's HIPAA requirements.
Additionally, Apple and Google have terms of service for using their health APIs, and your app must follow those as well.
This may seem obvious, but it is critical that every access to an API or sensor is intentional and follows all app store and compliance requirements. Many apps request more data and permissions than they will ever use, and every unneeded grant is added security and compliance exposure.
Of course, mobile technologies like Ionic focus on the frontend of an app, not the backend. HIPAA compliance for your backend is therefore a separate concern, and a large part of the work in building a HIPAA compliant app.
Your backend or infrastructure team will likely take this on, but the mobile team must work closely with them, for example on what the API returns and what the app is allowed to cache, so that no compliance violations slip in at the boundary between the two.
Ionic is a mobile development platform that many healthcare companies are using to build successful HIPAA compliant apps across iOS, Android, and the Web. Ionic offers a number of open source and commercial components focused on enabling developers with a web development background to be highly productive on mobile.
As it pertains to this list of HIPAA compliance needs, Ionic offers some key drop-in security features that make it easy to adopt best practices and meet HIPAA compliance goals.
Ionic Identity Vault brings biometric authentication, along with secure data storage and encryption, using security best practices on iOS and Android. Identity Vault manages using low-level security APIs such as Keychain on iOS and KeyStore on Android, ensuring that sensitive data such as authentication tokens, encryption keys, and sensitive user data are encrypted using the most secure hardware and software capabilities available on each operating system and device. With Identity Vault, apps can support user-expected features such as biometric login without fear of security issues.
Ionic’s Encrypted SQLite solution provides a high-performance data store with strong, industry-standard encryption. When used with Identity Vault, encryption keys can be safely managed on the device and made available only when the actual user is present.
Finally, Ionic’s Auth Connect solution provides a secure, standards-based authentication flow for popular identity providers (Ping, Azure AD, and more).
Ionic works with hundreds of enterprise teams building mission-critical, highly secure mobile apps, including many in the healthcare space.
There’s a good chance we can help your team build a successful, highly secure, and compliant mobile health app.
Interested? Get in touch to schedule a demo with an Ionic Solutions Architect.