Privacy and Security Risk Concerns on Apple’s Health Records API
October 2, 2018

Just this year, Apple launched an API for developers and researchers that connects to Health Records, the latest feature released with iOS 11.3, which lets patients view their medical records right on their iPhones.

The ultimate goal of Apple’s Health Records API is to share medical records from multiple hospitals with the patient’s trusted apps and to help improve their overall health. This initiative to streamline medical data sharing is promising, but it also poses huge risks to the privacy and security of protected health information.

The key categories to be managed by this app are:

  1. Medication Tracking. Medisafe is an iOS pill and medication reminder app that gives patients an overview of their daily medicine intake, warns them of some medical interactions, shows how they are progressing with their medication (i.e. whether they are religiously taking their medicines), and alerts up to 6 family members to keep everyone on track. This app requires iOS 10 or later and is compatible with iPhone, iPad, and iPod Touch.
  2. Disease Management. A diabetes app could access a patient’s laboratory exam results, diet, and exercise details, helping patients view their progress and stay on track. According to an article by HIMSS MobiHealthNews, Apple picked 13 apps for diabetics.
  3. Nutrition Planning. This category is for monitoring patients’ healthy eating habits. Examples of top iOS nutrition planning apps are listed in Tom’s Guide.
  4. Medical Research. This allows physicians to have an overall view of their patients’ health background. Apple has released ResearchKit, a software framework for apps that allows medical researchers to gather information that will be valuable to the medical field, the healthcare industry and, more particularly, healthcare providers.

Penn Medicine, one of the beta testers of the Apple Health Records API, states that Health Records data is encrypted and secured with the user’s iPhone passcode. The question now is how this data is securely transmitted. Does it come directly from the healthcare provider’s servers?

In an interview conducted by Mashable, Apple shared that the data comes directly from the healthcare providers’ servers. Apple is firm in its claim that data in transit and data at rest are both encrypted and adequately secured. These medical records can optionally also be stored in an iCloud account, and they are of course stored locally on your iPhone as well, protected with the same form of encryption that secures everything else on your phone. To strengthen the protection, patients who use Apple Health Records apps and opt to store their data in iCloud are given the option to enable two-factor authentication for their iCloud accounts. This is mainly because, as mentioned earlier, a patient can share their health records with up to 6 family members. If you get into a fight with one of your family members and there is a real risk of your sensitive health data getting out, these extra precautions are warranted.

Nonetheless, it is public knowledge that hackers are getting smarter each day, and the risk of getting your iPhone hacked is not unlikely (even Apple could not guarantee the safety of the medical records stored on your iOS phone). The conclusion, therefore, is that patients may take advantage of this convenience and technology, but at their own risk. I would like to reiterate this part of Computerworld’s article on this:
