Apple's Health Record API released to third-party developers; is it safe?

Credit to Author: Lucas Mearian| Date: Thu, 07 Jun 2018 03:11:00 -0700

Apple at its Worldwide Developers Conference this week released an API that allows  developers and researchers to create applications that connect to Health Records, a feature released with iOS 11.3 that allows patients to port their electronic health info to mobile devices and share data between care providers.

While the move promises to streamline the sharing of healthcare data, it also could open the door to that highly sensitive data falling into the wrong hands.

Many healthcare facilities today offer a proprietary web portal for patients to view their government-mandated electronic health records (EHRs). But those portals often don’t allow users to share their information with other caregivers. Because healthcare providers also use EHR platforms from different technology vendors, data-sharing can sometimes be stymied by incompatibilities.

The first apps expected to use Health Records – including those for medication tracking, nutrition planning, disease management and medical research – will be certified to go live this fall, Apple said.

For example, medication management platform Medisafe will be among the first to connect with the Health Records so consumers can import their prescription list without manual entry, enabling pill reminders and allowing the user to get relevant medication information. Family members can also receive alerts in case a patient is not responding to prompts.

The Medisafe app as seen through Apple’s Health Record platform.

Medisafe will be able to warn patients of problematic drug interactions because it will  have a comprehensive view of a patient’s exact medication list from multiple hospitals and clinics, according to Omri Shor, founder and CEO of Medisafe.

Shor said the idea for Medisafe, a six-year-old company with 4.5 million registered users, came after his diabetic father overdosed on insulin after he’d forgotten he’d already taken a first dose and injected a second.

“We started thinking about how people manage meds,” Shor said. “We looked at how providers, payers, and pharmaceutical companies support patients in managing their medications. They simply don’t. Your physician prescribes certain medication and a regime to take them. If we can download that onto an app on your phone, it can be much more accurate.”

Medication alerts can be tailored using a patient’s demographics and daily habits. For example, the Medisafe app detects when a phone is disconnected from a power cord in the morning, indicating a user is awake. And voice alerts can be set up to use the voice of a comforting nurse, or, at the other extreme, a drill instructor, Shor said.

Medisafe’s ditial pill box for monitoring which meds to take at what time.

Apple’s API enables Medisafe to have immediate access a patient’s prescription medication list once they’ve downloaded the app and opted in. Currently, it takes from 12 to 18 months for Medsafe’s platform to integrate with existing hospital EMR systems, where much of that time is spent dealing with legal and security issues and HIPAA compliance, Shor said.

The Health Records feature relies on the existing Health app (released in 2014 in iOS 8) to allow medical facilities to use an API to connect their EMR systems to share data with patients in a standard format.

EMR vendors such as EPIC, Cerner, Athenahealth, Meditech and AllScripts worked with Apple to enable integration with the mobile app. When a patient downloads the Apple Health app and chooses to allow their health data to be transferred from a healthcare provider to Apple’s Health Record, it is encrypted and does not traverse Apple’s network.

Applle’s Health Record enables a view of high-level patient care data from disparate healthcare providers through standard industry interfaces.

Apple’s Health Record platform uses the Fast Healthcare Interoperability Resources (FHIR) interface, a set of API standards that will soon be available in every major EHR to consolidate lifetime clinical records from different providers on mobile devices.

When a user’s iPhone is locked with a passcode, Touch ID or Face ID, their health data in the Health app is encrypted on-device. If a user chooses to sync their health data with iCloud, it is also encrypted while in transit and while stored.

Apple initially piloted the Health Record platform with 12 hospitals; that number grew to at least 39 this year, and could now be even higher. Apple did not respond to a request for comment.

Officials at two of those institutions, Johns Hopkins and Penn Medicine, see promise in how the field is evolving, but have reservations about the amount of data being generated by consumer apps and made available to healthcare providers and others.

The push to easily and securely share health data is likely to continue growing over the next few years. By 2020, one in four patients is expected to be participating in a “BYOD” – bring your own data – healthcare scenario, according to IDC research.

“It’s good to know all the relevant data on a patient – their meds, their allergies, their problem lists, lab results, radiology reports. On the flipside [for clinicians], it’s just more data in my face…, it’s just more data I need to sift through,” said Mike Restuccia, CIO at Penn Medicine, the medical school at the University of Pennsylvania. (Penn Medicine is one of the 12 original beta testers of the Apple application.)

Apple Health Record

“I think that’s going to be one of the next challenges for Apple,” Restuccia said. “Now that this raw data is available, how do you translate it into something that’s more user friendly, more intuitive for a clinician? It doesn’t include physician notes at this point, which is probably a good thing.”

Others are concerned that something as sensitive as healthcare data is being ported to a mobile device.

“Even if you allow your health records to be sent to your device, can Apple really assure you that they can’t be hacked? There is no such thing as a hack-proof iPhone, or any other device for that matter,” said Jack Gold, principal analyst with J. Gold Associates.

Gold pointed to the ability of law enforcement  agencies to bypass a passcode on an iPhone used by San Bernardino gunman Syed Rizwan Farook. Recent reports revealed the Department of Justice likely used technology from a third-party firm to break into the iPhone.

In February, reports surfaced that an Israel-based technology vendor, Cellebrite, had discovered a way to unlock encrypted iPhones running iOS 11 and were marketing the product to law enforcement and private forensics firms around the world. According to a police warrant obtained by Forbes, the U.S. Department of Homeland Security had been testing the technology.

Shortly thereafter, Grayshift emerged as another company that had developed an inexpensive black box to unlock any iPhoneMotherboard reported that local and regional U.S. police departments and the federal government have been purchasing the technology.

Unlike financial data, which can be re-secured by banks or credit card companies if it’s exposed, a breach of healthcare data can last a patient’s lifetime and be used over and over again, making it the most sensitive data there is.

“Users are taking a risk, especially if they let third-party apps access the heath data. Imagine a rogue app downloaded to thousands or millions of devices able to access heath info (yes, Apple says they vet everything, but that’s not a 100% guarantee),” Gold said via email. “If it’s just displaying my vital signs, no big deal. If its controlling my disease and telling me to take specific actions, that’s another thing.”

Medisafe, Shor said, is HIPAA and GDPR compliant, and the company uses 256-bit encryption backed by ISO/IEC 20071 certification. Access to the medical data on Medisafe’s servers is also restricted to only one of 50 employees – company co-founder and CTO Rotem Shor.

Even so, Gold said, if Apple wants to make health data available to third-party apps, how do users know it’s going to be fully secure and also not violate a user’s privacy?

“How do I know the data won’t make its way to some cloud somewhere to be shared/sold, etc. And if I rely on an app to tell me what to do – say, take my meds –  and it somehow gets hacked, can it make me sick, or worse?” Gold said. “If I lose my life due to someone telling me to do something not to my benefit, that’s something else all together different and much scarier [than losing money].

“This is an area that people have treaded lightly upon for some time with very good reason,” Gold added.

http://www.computerworld.com/category/security/index.rss