HIPAA compliance for mobile is the responsibility of app development teams and their companies. While mobile technologies and platforms like Ionic provide UI and integration with native SDKs, they do not handle user data or network security as it pertains to HIPAA compliance. Nor would any other mobile technology; it is simply outside the purview of a mobile framework.

However, what a platform like Ionic does provide is the building blocks and APIs teams need to implement user data storage and network security correctly, in line with HIPAA compliance guidelines, and to secure Protected Health Information (PHI).

In this post we explore the APIs and techniques often used as part of a HIPAA compliant mobile experience, but discussion of broader HIPAA compliance concerns is out of scope for this blog.

Storing Sensitive User Information

When dealing with sensitive user information, the ideal scenario is to never persist it at all. However, that is not practical for a variety of performance and offline use cases.

Thus, apps must find a way to store user data and sensitive values such as authentication tokens encrypted at rest, using the full security capabilities of the mobile device.

Consequently, this decision presents two more considerations: securing authentication while using biometric auth to enable automatic log-in, and storing encrypted data at rest using managed encryption keys.

To enable biometric authentication and the protection and encryption of a user session token, the iOS Keychain and Android Keystore APIs must be utilized. These APIs let apps store sensitive values in secure regions of the device and use strong encryption that is tied to the biometric hardware, meaning decryption can only happen after a valid biometric scan. Ultimately, this means data is encrypted at rest and cannot be bypassed on jailbroken devices.

However, there are a number of mistakes teams make when implementing these complex APIs, and many are documented here.

Thankfully, teams do not have to implement these complex APIs and security flows themselves, as there are off-the-shelf solutions for storing sensitive user data, such as Ionic’s Identity Vault and Encrypted Storage solutions.

Network Transport Security

Apps will need to send data over the network, and this data may contain PHI.

As a start, all network requests must use SSL/TLS (that is, HTTPS). Ensure every endpoint is protected by TLS, and ensure your app does not embed resources such as images over http://. Also use platform controls such as App Transport Security (ATS) on iOS to enforce TLS usage across the app.

One other technique your app should strongly consider using is SSL pinning. SSL pinning essentially locks your app into one corresponding valid certificate (or public key) for a network endpoint, so that any other certificate, even one issued by a trusted CA for that hostname, is rejected. This prevents a man-in-the-middle from intercepting the connection and compromising sensitive data.

Protecting Screen Data

When a user suspends an app, most mobile operating systems will show a snapshot of the last state of the app for app switchers and other OS experiences.

To ensure that no sensitive information is leaked in one of these snapshots, your app should listen for app lifecycle events and obscure the screen contents before the app is backgrounded. This is typical of most apps in high-security contexts, such as banking.


HIPAA Compliant Mobile Apps With Ionic