Apple's Health Record API released to third-party developers; is it safe?

At its Worldwide Developer's event this week, Apple said the API for its Health Records platform has been released to developers and researchers so they can create apps for the medical information sharing platform. Once data is ported to third-party apps and mobile devices, however, is it still safe?

Apple Health Records
Apple / Darko Stojanovic

Apple at its Worldwide Developers Conference this week released an API that allows  developers and researchers to create applications that connect to Health Records, a feature released with iOS 11.3 that allows patients to port their electronic health info to mobile devices and share data between care providers.

While the move promises to streamline healthcare data sharing, it also could open the door to that highly sensitive data falling into the wrong hands.

Many healthcare facilities today offer a proprietary web portal for patients to view their government-mandated electronic health records (EHRs). But those portals often don't allow users to share their information with other caregivers. Because healthcare providers also use EHR platforms from different technology vendors, data-sharing can sometimes be stymied by incompatibilities.

The first apps expected to use Health Records – including those for medication tracking, nutrition planning, disease management and medical research – will be certified to go live this fall, Apple said.

Medisafe's prescription app plans

For example, medication management platform Medisafe will be among the first to connect with the Health Records so consumers can import their prescription list without manual entry, enabling pill reminders and allowing the user to get relevant medication information. Family members can also receive alerts in case a patient is not responding to prompts.

health records medisafe app 06042018 Apple

The Medisafe app as seen through Apple's Health Record platform.

Medisafe will be able to warn patients of problematic drug interactions because it will have a comprehensive view of a patient's exact medication list from multiple hospitals and clinics, according to Omri Shor, founder and CEO of Medisafe.

Shor said the idea for Medisafe, a six-year-old company with 4.5 million registered users, came after his diabetic father overdosed on insulin after he'd forgotten he'd already taken a first dose and injected a second.

"We started thinking about how people manage meds," Shor said. "We looked at how providers, payers, and pharmaceutical companies support patients in managing their medications. They simply don't. Your physician prescribes certain medication and a regime to take them. If we can download that onto an app on your phone, it can be much more accurate."

Medication alerts can be tailored using a patient's demographics and daily habits. For example, the Medisafe app detects when a phone is disconnected from a power cord in the morning, indicating a user is awake. And voice alerts can be set up to use the voice of a comforting nurse, or, at the other extreme, a drill instructor, Shor said.

pill box iphone x Medisafe

Medisafe's ditial pill box for monitoring which meds to take at what time.

Apple's API enables Medisafe to have immediate access a patient's prescription medication list once they've downloaded the app and opted in. Currently, it takes from 12 to 18 months for Medsafe's platform to integrate with existing hospital EMR systems, where much of that time is spent dealing with legal and security issues and regulatory compliance, Shor said.

Apple's Health Record API is not subject to HIPAA regulations because Apple does not store patient data on its servers, according to Forrester Research analyst Arielle Trzcinski.

"The patient will be able to share their medical record since it is accessible from their phone. If a patient wants to share their record with a non-participating provider, that provider needs a way to ingest or receive that data," Trzcinski said via email.

Many health systems and payers have shifted to enterprise health clouds, which better enable them to receive, aggregate, and transform this data into actionable insights and further distribute the information to relevant applications like their EHR.

"The technology ecosystem of healthcare organizations will only become increasingly complex as disruptors continue to enter the space and HCOs look for best-in-breed applications. Interoperability within this ecosystem is paramount," Trzcinski said.

Apple's Health Record platform uses the Fast Healthcare Interoperability Resources (FHIR) interface, a set of API standards that will soon be available in every major EHR to consolidate lifetime clinical records from different providers on mobile devices.

The standardization of interfaces, such as FHIR, are enabling the healthcare industry to overcome challenges with interoperability.

The growth of healthcare data sharing

Many EHRs have APIs that can ingest data in the FHIR format or work with integration partners to make the connection, Trzcinski said. Healthcare providers have also sought out integration platform partners such as Redox to overcome limitations in sharing data and a lack of standardization.

"Apple’s involvement is important because it gives patients control over their record that they do not have today," Trzcinski said. "The medical provider ultimately owns the patient record, but I own the content therefore I can get a copy. However, when most patients walk into their doctor’s office today and ask for a digital copy of their records, they will likely be told they can print them off and hand them a stack of paper, not to mention that they will likely have to pay by the page."

The Health Records feature relies on the existing Health app (released in 2014 in iOS 8) to allow medical facilities to use an API to connect their EMR systems to share data with patients in a standard format.

EMR vendors such as EPIC, Cerner, Athenahealth, Meditech and AllScripts worked with Apple to enable integration with the mobile app. When a patient downloads the Apple Health app and chooses to allow their health data to be transferred from a healthcare provider to Apple's Health Record, it is encrypted and does not traverse Apple's network.

Apple Health Record mobile Apple

Applle's Health Record enables a view of high-level patient care data from disparate healthcare providers through standard industry interfaces.

When a user's iPhone is locked with a passcode, Touch ID or Face ID, their health data in the Health app is encrypted on-device. If a user chooses to sync their health data with iCloud, it is also encrypted while in transit and while stored.

Apple initially piloted the Health Record platform with 12 hospitals; that number grew to at least 39 this year, and could now be even higher. Apple did not respond to a request for comment.

Officials at two of those institutions, Johns Hopkins and Penn Medicine, see promise in how the field is evolving, but have reservations about the amount of data being generated by consumer apps and made available to healthcare providers and others.

The push to easily and securely share health data is likely to continue growing over the next few years. By 2020, one in four patients is expected to be participating in a "BYOD" – bring your own data – healthcare scenario, according to IDC research.

"It's good to know all the relevant data on a patient – their meds, their allergies, their problem lists, lab results, radiology reports. On the flipside [for clinicians], it's just more data in my face..., it's just more data I need to sift through," said Mike Restuccia, CIO at Penn Medicine, the medical school at the University of Pennsylvania. (Penn Medicine is one of the 12 original beta testers of the Apple application.)

Apple Health Record Apple

Apple Health Record

"I think that's going to be one of the next challenges for Apple," Restuccia said. "Now that this raw data is available, how do you translate it into something that's more user friendly, more intuitive for a clinician? It doesn't include physician notes at this point, which is probably a good thing."

How safe is safe?

Others are concerned that something as sensitive as healthcare data is being ported to a mobile device.

"Even if you allow your health records to be sent to your device, can Apple really assure you that they can't be hacked? There is no such thing as a hack-proof iPhone, or any other device for that matter," said Jack Gold, principal analyst with J. Gold Associates.

Gold pointed to the ability of law enforcement  agencies to bypass a passcode on an iPhone used by San Bernardino gunman Syed Rizwan Farook. Recent reports revealed the Department of Justice likely used technology from a third-party firm to break into the iPhone.

In February, reports surfaced that an Israel-based technology vendor, Cellebrite, had discovered a way to unlock encrypted iPhones running iOS 11 and were marketing the product to law enforcement and private forensics firms around the world. According to a police warrant obtained by Forbes, the U.S. Department of Homeland Security had been testing the technology.

Shortly thereafter, Grayshift emerged as another company that had developed an inexpensive black box to unlock any iPhoneMotherboard reported that local and regional U.S. police departments and the federal government have been purchasing the technology.

Unlike financial data, which can be re-secured by banks or credit card companies if it's exposed, a breach of healthcare data can last a patient's lifetime and be used over and over again, making it the most sensitive data there is.

"Users are taking a risk, especially if they let third-party apps access the heath data. Imagine a rogue app downloaded to thousands or millions of devices able to access heath info (yes, Apple says they vet everything, but that's not a 100% guarantee)," Gold said via email. "If it's just displaying my vital signs, no big deal. If its controlling my disease and telling me to take specific actions, that's another thing."

Forrester's Trzcinski agreed, saying regardless of whether health applications are subject to HIPAA it is important to remember they are receiving personal health information.

"Consumers would be wise to demand the same safeguards from these application developers," Trzcinski said. "Health data is highly lucrative on the black market – being used to steal identities, file fraudulent claims, etc. Application developers must have security top of mind during the entire development process. Many developers in this space have already adopted DevSecOps, which places importance on security throughout the entire lifecycle."

Medisafe, Shor said, is HIPAA and GDPR compliant, and the company uses 256-bit encryption backed by ISO/IEC 20071 certification. Access to the medical data on Medisafe's servers is also restricted to only one of 50 employees – company co-founder and CTO Rotem Shor.

Even so, Gold said, if Apple wants to make health data available to third-party apps, how do users know it's going to be fully secure and also not violate a user's privacy?

"How do I know the data won't make its way to some cloud somewhere to be shared/sold, etc. And if I rely on an app to tell me what to do – say, take my meds –  and it somehow gets hacked, can it make me sick, or worse?" Gold said. "If I lose my life due to someone telling me to do something not to my benefit, that's something else all together different and much scarier [than losing money].

"This is an area that people have treaded lightly upon for some time with very good reason," Gold added.

Copyright © 2018 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon