Much can be learned from government about mHealth security
As the world's largest buyer of information technology, the federal government has adopted commercial best practices for its uses of data. However, when it comes to mandatory requirements for securing government information systems and protecting "sensitive" data, the feds often go their own way.

Case in point: Federal Information Processing Standard (FIPS) 140-2, the U.S. government's computer security standard used to accredit the cryptographic modules required in government communications systems that protect sensitive data. Although these requirements are written for federal agencies, FIPS 140-2 could also serve as a valuable guide for the private sector, which is governed by HIPAA.

Designed to protect the privacy of an individual's health information, HIPAA created the national standards for security governing the healthcare industry and protecting sensitive patient data. Nevertheless, as the highest level of government-approved security, FIPS 140-2 not only meets the HIPAA standard but, in fact, exceeds those requirements.

Both the FIPS and HIPAA requirements for mobile devices include auditing, encryption of data at rest and in transit, and strong authentication. FIPS goes further, with CMD peripheral control and remote wipe capabilities.

Security breaches are a growing problem, and the level of security required of mobile devices running mHealth applications is only going to increase over time. FIPS 140-2 compliance may therefore be not only the path for companies selling to the U.S. government but also the prudent course for organizations that want to reach a higher security bar than HIPAA currently requires.

Companies that want to sell their products to federal agencies have to submit them to a laboratory accredited by the National Institute of Standards and Technology (NIST), where the cryptographic module is validated through a comprehensive testing and review process to ensure compliance with FIPS 140-2 requirements.

Earlier this month, Toronto-based secure mobile health company Diversinet announced it was the first mHealth platform to receive FIPS 140-2 validation from NIST. Earlier this year, AirStrip Technologies, the developer of the remote monitoring application, said it would incorporate Diversinet's authentication and encryption technology so that its products could comply with FIPS requirements.

This seems to be an emerging trend for mHealth as companies seek FIPS 140-2 certification. And, why not? There is a lot to be learned from the government about securing mHealth. - Greg