0

Should HIPAA complinace not allow offline storage in Mobile Native Applications??I dont know if already there is this sort of regulation in HIPAA. I assume there is no such thing.

If you feel this question need not be asked in this forum, I request you to completely read this and suggest a programmatic solution for this problem.

Main reason why this came up was that all of the security considerations regarding the Mobile development may be specifically in iOS seems to have been hacked in to once a device is jailbroken or rooted.

I came to know that hardware encryption is hacked.

http://anthonyvance.com/blog/forensics/iphone_encryption/

Then there are questions on iOS 4's encryption techniques.

People claim, Key chain access in iOS can be compromised if the phone is rooted.

Only thing I think which has not met with any skepticism is the sqlCipher.

If you could find any flaws with SqlCipher , please share it.

And I think that, until people find a theft-proof way to manage offline data in Mobile Phones, people can refrain from making offline features for EMR apps where HIPAA compliance is mandatory.

It can be argued that, any system can be hacked when people are desperate to hack it. But I feel Mobile devices can be an easy target. You can lose it as you lose your Handkerchief.

Please share your views.

RK-
  • 12,099
  • 23
  • 89
  • 155
  • IMHO that would depend on the use case. Is the offline storage an inseparable part of the app, or is it merely a convenience feature? – Piskvor left the building Jul 20 '11 at 15:31
  • if the device belongs to the person who the medical/personal data is about, the question is moot. if you're talking about a medical professional maintaining patient data, it's existence on the phone should certainly be short-lived. – bshirley Jul 20 '11 at 17:17
  • @PiskVor: In places where radio connectivity is not allowed, doctors can cache data offline and review the EMR records of the patient. In this use case alone, Offline storage is a necessity. – RK- Jul 21 '11 at 05:06
  • @bshirley: Here the device will be owned by the doctors. – RK- Jul 21 '11 at 05:10

1 Answers1

2

I agree with bshirley. Your surface of vulnerability is much greater if you are storing many records about many people on the device. But if you are only storing limited info about one person temporarily - as when conducting a query for prescription info or gathering information about a current health problem - then the risk is much lower. Of course you also need to consider whether the hacked phone presents a security risk to the online data, that is, does the app on the phone enable a wrong user to access protected data online?

Here's an application note you may find helpful: "Formotus™ Mobile Solutions and HIPAA Compliance"

Formotus Glen
  • 116
  • 1