On September 15, 2021, the Federal Trade Commission (FTC) issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule. The rule requires the makers of these apps to notify consumers and others when their health data is breached.

Health apps, which can track everything from glucose levels and heart health to fertility and sleep, collect sensitive and personal data from individuals. These apps must meet requirements to ensure that the information they collect is secure.

Still, hackers have been successfully targeting health apps. “Modern health care apps, like other apps, generally rely upon not only the client component, but also a cloud backend,” said Drew Bagley, Vice President and Counsel for Privacy and Cyber Policy for CrowdStrike, a cybersecurity technology company based in Sunnyvale, California. “We’ve observed many instances of adversaries taking full advantage of software supply chains. Adversaries target vulnerabilities using legitimate software packages. So, when an attack occurs, it is difficult to detect and mitigate stealthy propagation techniques that infect other systems across the network.”

Congress included specific provisions to strengthen privacy and security protections for web-based businesses under the American Recovery and Reinvestment Act of 2009. The law directed the FTC to ensure that companies contact customers in the event of a security breach. The FTC subsequently issued the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers, the FTC, and in some cases the media. The rule ensures that entities not covered by HIPAA face accountability when consumers’ sensitive health information is breached. Companies that fail to comply with the rule could be subject to monetary penalties of up to $43,792 per violation per day.

To make it harder for hackers to breach a network used by an app, Bagley said sectors such as health care should integrate behavioral-based attack detection solutions into their security systems, improve controls for managing privileged credentials, and embrace real-time vulnerability management. “Ultimately, consumers should scrutinize the security and privacy practices of health applications,” Bagley said.

The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Council (HC3) provides a number of suggestions for defending against hackers. These include implementing whitelisting technology to ensure that only authorized software is used and providing access control based on the principle of least privilege.

The latest surveys suggest that spending on app security is expected to increase 12.2% this year, from $3.3 billion to $3.7 billion, according to Seth Robinson, Senior Director for Technology Analysis at CompTIA, a nonprofit trade association that issues professional certifications for the information technology industry. “The amount being spent on application security, while growing tremendously, still probably falls short. This is largely because so many companies have been operating for such a long time in a secure perimeter mindset, and the concepts of securing individual applications or developing applications with security built-in are still not widely adopted across the business landscape,” Robinson said. 

This article originally appeared on Renal and Urology News