FTC's 8 Best Practice Guidelines for Health App Developers


The FTC recently settled two "First-of-Its-Kind" civil penalty cases. Both cases involved consumer health apps that disclosed and/or sold consumers' personal health information for advertising purposes without the consumers' written consent. Further, in both cases, the FTC found that the consumer health apps made false statements misrepresenting the privacy and security of personal health data. This prompted the FTC to bring cases enforcing the FTC Health Breach Notification Rule and Section 5 of the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive acts or practices (see the April 17, 2023 blog "FTC's 'First-of-Its-Kind' $1.5 Million Civil Penalty for Breach of Unsecured Data by a Consumer Health App," https://blog.isharemedical.com/ftc_first-of-its-kind_proposed_settlement, and the April 20, 2023 blog "FTC's 'Second-of-Its-Kind' $7.8 Million Civil Penalty for Breach of Unsecured Data by a Consumer App by a Covered Entity," https://blog.isharemedical.com/ftc_second-of-its-kind_settlement). In both cases the defendant settled the claim and admitted no wrongdoing.


Following these settlements, Samuel Levine, Director of the FTC's Bureau of Consumer Protection stated that "Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information," and that "The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation."


The FTC recommends that consumer health app developers follow eight best practices for sound privacy and security. Here is a summary:

I. Minimize the data that you collect. 

  1. If you don't collect it, you don't have to secure it.
  2. But if you do collect it, you need to secure it in flight when you transmit it and at rest when it is being stored.
  3. If you don't have a legitimate business purpose for keeping this data, the data has to be deleted.
  4. Note that it is fine to keep data if the data is de-identified and cannot be re-identified. This is in contrast to HIPAA which allows de-identified data to be re-identified.

II. Limit access permissions  

  1. What access does your app really need? If your app does not need access to system resources, then it should not need to access the operating system.
  2. Does the operating system provide a trusted UI? Craft permissions to limit access to the level that allows normal function but no higher. Set default settings to "private" instead of "public".

III. Keep authentication in mind 

  1. Invest in resources that ensure that the person accessing the account is the legitimate owner of the account
  2. Consider multi-factor authentication requiring the use of a username and password and a code sent via another channel such as email or text
  3. Require complex passwords and develop password resets that are out of band
  4. Determine how you will revoke access or close an account
  5. Don't store passwords in plain text; hash or encrypt them.
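As an added illustration of items 3 and 5 (example code, not part of the FTC guidance or this blog): passwords are stored as salted, iterated hashes rather than reversible ciphertext, and an out-of-band reset token is hashed before it is stored so a database leak does not expose usable tokens. The iteration count, token lifetime and record format are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Assumed parameters for this example: tune the iteration count to your
# hardware and current NIST/OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token(ttl_seconds: int = 900, now: Optional[float] = None) -> Tuple[str, str, float]:
    """Create a reset token to send out of band (email/SMS).

    Returns (raw_token, stored_hash, expires_at): only the hash and expiry
    are persisted server side; the raw token goes to the user.
    """
    raw = secrets.token_urlsafe(32)
    stored = hashlib.sha256(raw.encode("utf-8")).hexdigest()
    expires_at = (now if now is not None else time.time()) + ttl_seconds
    return raw, stored, expires_at


def redeem_reset_token(presented: str, stored_hash: str, expires_at: float,
                       now: Optional[float] = None) -> bool:
    """Accept a presented token only if it is unexpired and matches the stored hash."""
    current = now if now is not None else time.time()
    if current > expires_at:
        return False
    presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)
```

A real deployment would also mark a token as used after one successful redemption so it cannot be replayed.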

IV. Consider the mobile ecosystem

  1. Are you relying on the mobile platform to protect sensitive data? Conduct security testing to confirm that protections are provided by the platform.
  2. How are your third-party service providers protecting data? Spell out expectations and requirements. If you use a cloud services provider make sure you understand what they are doing and what you are responsible for in order to protect and monitor privacy and security.
  3. Are you using third-party or open-source code libraries? Make sure that the code does not have vulnerabilities.

V. Implement security by design

  1. Designate a trusted staff member for data security.
  2. Hire engineers with secure coding practices or train them in secure coding.
  3. Monitor the app for security vulnerabilities.
  4. Incorporate security at every stage of the app's lifecycle: design, development, launch, and post-market.
  5. Use strong encryption at rest and in transit.
  6. Protect your app from well-known threats like injection, hard-coded credentials, APIs that leak or allow unauthorized access and broken or disabled cryptography.
  7. Stay current with automatic updates, security updates, and patches. Provide updates to customers and communicate changes and updates with customers.
  8. Think about how you will respond if a significant flaw is identified. Having an up-to-date inventory of the information in your possession can help you to allocate data security resources where they’re needed most and help mitigate damage in the case of a data breach.
  9. Know where data from your app goes and protect it accordingly. Don’t store sensitive data where it might be accessible to others unless you have appropriate security and practice controls in place.

VI. Don't reinvent the wheel

  1. Take advantage of what security and privacy experts recommend.
  2. There are software development kits (SDK’s), software libraries, and cross-platform toolkits that provide low-cost tools to help safeguard data.
  3. Stay abreast of the latest security vulnerabilities.
  4. Consider a security audit and sign up for the National Vulnerability Database email or RSS feeds.
  5. Review and follow U.S. Department of Commerce National Institute of Standards and Technology (NIST) standards.

VII. Innovate how you communicate with users

  1. How do you inform users of your app's security and privacy features? Do you obtain affirmative consent (this means you ask, and they need to indicate "yes," before you collect their data)?
  2. How do you provide effective notice to tell users about sensitive or unexpected data your app will collect both when you install the app and when you collect data (for example, geolocation information to track distance)?
  3. Do you have a Patient Privacy statement that lays out the patient terms, conditions, privacy statement, and how data will be used? Is the policy accessible to the patient in your app?

VIII. Don't forget about other applicable laws (partial list)

  1. FTC Act
  2. FTC Health Breach Notification Rule
  3. American Recovery and Reinvestment Act of 2009
  4. Health Insurance Portability and Accountability Act (HIPAA)
  5. 21st Century Cures Act
  6. ONC’s Information Blocking Regulations
  7. FDA’s Federal Food, Drug, and Cosmetic Act
  8. Children’s Online Privacy Protection Rule
  9. Gramm-Leach-Bliley Act’s Safeguard Rule and Privacy Rule
  10. State Laws including consumer protection and privacy.
  11. Truth-in-advertising and privacy principles

  

Sign up today and start securely sharing medical records now.  Call us today at 816.249.2555 or email us at info@isharemedical.com.
