A new mobile backend as a service tool aims to help healthcare organizations meet heightened security and compliance requirements.
With mobile data security making headlines over the past few months, compliance concerns are top of mind for IT pros and app developers. The latest version of Kinvey Inc.'s mobile backend as a service (MBaaS) platform includes new security capabilities that organizations need to develop, deliver and manage mobile apps that comply with federal privacy regulations.
Kinvey partnered with Google to create the new offering, which runs on Google Cloud Platform. Through a number of security features, the MBaaS platform -- which connects mobile apps to back-end systems -- ensures that customers' mobile data processing and storage is compliant with the Health Insurance Portability and Accountability Act (HIPAA), the regulations that govern the handling of individuals' personal healthcare data.
Mobility in healthcare is becoming more common, as hospitals and other facilities adopt tablets that support apps for prescription filing, equipment tracking and doctor-patient interactions, for instance. But HIPAA compliance is particularly difficult on mobile devices, especially when an organization's back-end systems also process and store patients' personally identifiable information. It's tricky to ensure mobile compliance, because users may access that data from personal devices on unknown networks, which IT can't control.
"In the mobile world, data is flowing into unmanaged devices," said Sravish Sridhar, CEO at Boston-based Kinvey. "It's the responsibility now of the application to ensure [security]."
IOMEDIA Inc., a media design and production firm based in New York, uses Kinvey's new platform to ensure that apps and back-end data processing are HIPAA-compliant for one of its healthcare clients, Johnson & Johnson. The large pharmaceutical company worked with IOMEDIA to develop patient-facing mobile apps that capture and track clinical data. It was important to have a compliant app and MBaaS platform, because a lot of the data is blindly aggregated to analyze many different patients' information, said Marc Porter, managing director at IOMEDIA. It's critical to have security measures that protect this kind of anonymous health data, so that no one can retrieve it and improperly attribute it to the wrong individual, for instance.
Kinvey's platform includes encryption keys to secure all data at rest and uses 256-bit Secure Sockets Layer with signed certificates to secure data in transit. The platform also tracks data usage and essentially audits every interaction that an app has. It can identify the result of a specific action, such as which back-end systems a piece of data flowed through once the user entered it in an app. Kinvey protects data on the local device and on the back end via firewalls and IPsec VPN connectivity to storage and databases.
Mobile encryption and user access controls are the two biggest capabilities that help IOMEDIA maintain compliance, said Sameer Maira, director of technology at IOMEDIA.
"Once encryption is in place for the local database, it makes it virtually impossible to get to that data," he said.
Also included in the platform is Kinvey's recently launched Operational Intelligence tool, which tracks compliance with certain regulations and reports on any breaches.
"It's not enough that you meet the compliance at one point in time and say, 'We're good,'" Sridhar said. "You have to make this part of your day-to-day and constantly evaluate."
The technical team at IOMEDIA found the Kinvey platform easy to integrate with its existing systems, and likes its lifecycle management features, as well as the ability to scale easily, Maira said. The company plans to start using Kinvey for other healthcare clients in the future, Porter said.