Alexa Serra  ·  February 14, 2021 

Best Practices for Enforcing Security in Healthcare Apps

The healthcare app proliferation we have witnessed these past years is a big win for the medical sector. However, addressing security and data protection flaws needs to be a priority, and the proper tools to enforce them need to be employed.

The urgency to adopt technology as a driver of successful business practices has never been this high, a statement that is particularly true for the healthcare sector. The pandemic, and the health hazards that come with it, have forced the healthcare industry and its participants to reshape how they integrate technology into their day-to-day functioning. Luckily, the proliferation of mobile device usage and emerging mobile technologies during the pandemic have helped push medical care into the remote setting that healthcare apps make possible.

Accordingly, medical and pharma organizations are investing in the development of their own apps. The number of custom mobile healthcare applications is growing exponentially, and the world is witnessing the birth of the healthcare app era. The growth has also come with diversity, and apps range from patient-focused apps for medical treatment to physician- and pharma-focused apps for reference and medical tools. However, this proliferation has not always been matched by the implementation of security and privacy measures. Healthcare app growth comes with new and increasing challenges to protect the sensitive data that goes back and forth between parties. Compliance with government data-protection regulations, data privacy and security, and layered approaches to safety are some of the challenges developers face. Luckily, tools, platforms, and protocols are available to ensure proper compliance practices and operability.

Current Healthcare App Security Environment

The search for remote healthcare solutions has triggered a meteoric rise in healthcare app production. According to a study conducted by Statista, by the end of 2020, there were 47,140 healthcare apps available in the Google Play store and 48,608 in the App Store. Furthermore, they found that by the end of 2020, the total number of medical app downloads worldwide had grown 65% compared with the number registered in January 2020. The ever-growing number of downloads and usage observed in healthcare apps highlights the relevance of enforcing efficient security and data protection measures.

Since medical and pharmaceutical services are no longer limited to hospital visits, sensitive information that was previously passed safely from hand to hand now travels (often wirelessly) from device to device. The increased vulnerability this creates is worrisome, mainly because app developers lag in enforcing data protection measures and security procedures. A recent study conducted by Intertrust found that 71% of the 100 healthcare and medical apps it examined have at least one serious vulnerability that could lead to a breach of medical data. In addition, 91% of the studied apps failed to pass the cryptographic tests, meaning that medical data was not correctly encrypted and could consequently be accessed and stolen.

Sadly, security issues such as these are more common now and go hand in hand with the current healthcare app proliferation. As a top app developer, we at Foonkie Monkey always strive to enforce the strictest security measures in our healthcare apps. Our reputation for creating secure mobile products for the healthcare sector precedes us. Hence, we feel it relevant to explain the best practices, tools, and safety protocols we implement in our healthcare app development processes to avoid security issues and deliver the best product to our clients.

Meeting HIPAA or GDPR Compliance

As stated above, most healthcare apps deal with sensitive information. To ensure this information is protected, governments have created laws and regulations applicable to anyone who accesses, processes, or stores protected health information (PHI). PHI is medical information that can identify an individual or institution, together with the data employed in providing healthcare services. Protecting this information is our priority, and we always ensure regulatory compliance when required. This measure is paramount given the staggering increase in healthcare data breaches. Investigators found that between 2009 and 2020, there were 3,705 healthcare data breaches. Those breaches resulted in the theft and exposure of 268,189,693 healthcare records, representing 81.72% of the United States population.

The United States Health Insurance Portability and Accountability Act (HIPAA) and the UK’s GDPR are two of these regulatory standards implemented by governments to enforce data protection. HIPAA states that any application that processes, stores, or transfers personal health data has to be HIPAA compliant. Compliance with HIPAA means following privacy and security rules that keep data safe through best practices in three areas: administrative, physical security, and technical security. The GDPR likewise states that data about an individual’s health status must be protected and secured. Furthermore, the GDPR protects users’ rights to erasure and data portability and requires their consent for data processing.

Both regulations require developers to have certain technological safeguards in place that ensure compliance with these measures. Healthcare app developers need to keep health data protected at all times, restrict access to said data, and ensure its integrity. We also have to provide for its safe transmission between parties and enforce confidential credentials and authentication processes for data access. Additionally, it is necessary to store only the minimum amount of patient information that allows the app to accomplish its medical purpose.

Enforce High-Level User Authentication and Authorization

Whether they store medical records or pharma documents, enable telemedicine services, or provide academic resources, we must limit access to healthcare apps to authorized users and interested parties only. Passwords, user names, insurance information, diagnoses, treatments, medical research, and payment data all need effective safeguards.

User authentication provides the first layer of security, and it refers to the use of passwords, credentials, tokens, or other personal ways of identifying users. It is a must in any app development process that deals with data traffic, but it is even more relevant in healthcare apps due to the high level of confidentiality required. Authorization, on the other hand, determines what information the user can access once logged in. Just because users have credentials to access a platform doesn’t mean they can access all the content within that platform. Authorization procedures define those boundaries and restrict each user’s access to information accordingly.

These elements are a priority to protect data and comply with government regulations. Attack attempts in the healthcare sector are a common occurrence. In 2019 alone, over 3.8 million health records were exposed through data breaches and phishing scams. Additionally, Microsoft detected over 300 million fraudulent sign-in attempts a day in its cloud services alone. These worrying statistics highlight the importance of enforcing user authentication and management protocols as a primary step in the development process. However, traditional username/password protocols aren’t the most secure option for healthcare apps, hence the need for extra measures. Luckily, developers can use several tools and protocols to put safeguards in place, enhance productivity, and avoid security issues. Here are some of the ones we use and recommend.

Identity Access Management (IAM) Tools

IAM tools help authenticate individual users and determine and manage the access privileges and roles for those users. In layman’s terms, they help make sure users are who they say they are and are accessing the right data for the right reasons. The benefit of employing IAM tools is that they are easy to implement and already support HIPAA compliance, saving time and money by enhancing efficiency and securing proper safety practices.

One of the IAM platforms we often use when developing secure healthcare apps for our clients is Auth0. Auth0 has a myriad of benefits when it comes to providing adequate security measures. It helps with authentication by securely hashing or encrypting stored login credentials (password, username, OTP, PIN) to render them useless to attackers who gain access to our databases. Auth0 issues JSON Web Tokens (JWT) to implement token-based user authentication, an effective security measure that controls access, session expiry, and data safety; more on this later.

Auth0 also implements multi-factor authentication and frictionless SSO login when needed. It enables role-based access control (RBAC), which means information is accessible to individuals depending on their role within the organization. RBAC is fundamental for healthcare apps because it limits access to sensitive data to, for instance, doctors and hospital directors only, as opposed to other hospital staff members. It also provides user management tools, where administrators can manage user profiles and have access to scalable user directories. Additionally, Auth0 can detect attacks and neutralize them by identifying bots, detecting breached passwords, and throttling suspicious IP addresses. Lastly, Auth0 supports HIPAA compliance, which we already learned is fundamental for healthcare apps.

Okta is another IAM tool that we use to manage access permissions and provide a secure medical data environment. Like Auth0, Okta employs OSS tools and provides enhanced multi-factor authentication to keep access to the data limited to the right people. It also helps to automatically block suspicious IP addresses by identifying previous attacks on other organizations, and it provides all the security requirements to meet HIPAA compliance.

Token-based Authentication

Token-based authentication is a protocol that helps with user identity verification. When a user successfully authenticates with the server, they receive a unique, signed access token. On every subsequent request the server verifies the token’s authenticity and then responds to the access request and any actions from that point on. The token has a usable time frame, and users can access the app while the token is valid without having to enter credentials again. However, once the user logs out or the usable time frame runs out, the token is invalidated, and the user has to log in again. These features are crucial for healthcare apps because session expiry protects user data on lost devices or in sessions left open in public establishments.

One form of token-based authentication we use is called JSON Web Token (JWT). JWT is a compact token format, meaning it’s small and easily transmitted. It is self-contained, digitally signed, and a highly dependable authentication method. A JWT consists of three parts that determine its usability: Header, Payload, and Signature. The Header defines the type of token and the signing algorithm. The Payload carries the claims about a particular user, the token issuer, and the token’s expiration. Finally, the Signature lets the server verify that the message has not been altered or tampered with in transit.

Programmers tie these three components together to produce an authentication tool that is easy to implement and protects PHI and other sensitive health data. JWT also helps developers specify what content can be accessed, how long that permission lasts, and what the individual can do while logged into the app. JWT can be implemented and used on its own, but to ensure HIPAA compliance, save costs, and optimize security, we often use it through Auth0 for safer authentication processes.
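As an added example (not code from the original post, nor Auth0’s implementation), the following Go program issues and verifies an HS256-signed JWT with the three parts described above and then applies a minimal RBAC rule of the kind described under IAM: the `sub`/`role`/`exp` claim set, the "doctor" role, the resource name and the secret key are constructed assumptions, and the payload deliberately carries no PHI because a signed JWT’s payload is readable by anyone holding the token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims carried in the payload: the user, their RBAC role and the expiry (Unix seconds).
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}
var b64 = base64.RawURLEncoding
// hs256 is HMAC-SHA256 over data under key, the algorithm named by the "HS256" header.
func hs256(data string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(data))
	return mac.Sum(nil)
}
// signJWT builds header.payload.signature; header and payload are only base64url-encoded.
func signJWT(c Claims, key []byte) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(hs256(input, key))
}
// verifyJWT checks the signature in constant time, then the expiry, before trusting any claim.
func verifyJWT(token string, key []byte, now int64) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], key)) {
		return c, errors.New("bad signature") // tampered payload or wrong key
	}
	payload, _ := b64.DecodeString(parts[1]) // safe: the signature proves we produced it
	json.Unmarshal(payload, &c)
	if now >= c.Exp {
		return c, errors.New("token expired") // session expiry: the user must log in again
	}
	return c, nil
}
// canView is a minimal RBAC rule: only the "doctor" role may read medical records.
func canView(c Claims, resource string) bool { return resource == "medical_records" && c.Role == "doctor" }
```

The `now` parameter is passed in rather than read from the clock so that expiry handling can be exercised deterministically.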

Multi-Factor Authentication

Multi-factor authentication (MFA) is a simple and cost-efficient method of defense used by programmers because it creates several protection layers. MFA procedures combine two or more protocols of user identification and credentials to grant access to the app. Users are required to present a password, a security token, or biometric (Face ID, fingerprint, voice, retina) verification, a combination of which can block up to 99.9% of hacking attempts.

MFA blunts the impact of compromised credentials, reused passwords, or hijacked user logins, making it ideal for healthcare data protection. It also provides ease of use, which is a must when we consider that doctors, hospital staff, or pharmaceutical workers have time or device usage limitations. Biometric recognition, OTPs, tokens, authenticator apps, or specific login links can save time and preserve data safety at all times. MFA is a requirement for compliance with government regulations, and we enforce it through Auth0.

Enforce Data Encryption

Healthcare apps carry a high volume of sensitive data ranging from telemedicine and medical reports to pathology studies and pharma research. When this information is shared between parties over the internet, it passes through different public networks and devices, which opens the door for the shared data to be compromised and stolen. Data leaks and theft happen more often than people think; one study conducted by Experian found that stolen medical records sell on the darknet for up to $1000. Encryption algorithms are employed to prevent these issues from happening.

The purpose of encryption is to scramble the shared data, or plaintext, and convert it into an unreadable, encrypted format (ciphertext). When the data reaches the recipient, it is decrypted and becomes readable to the authorized party only. The recipient recovers the data using a key that is specific to deciphering that transfer and that is never sent alongside the ciphertext. Stored data within the apps or in databases, such as test results, personal information, payment information, chats, or sensitive medical research, also needs to be encrypted, even when it’s not being transferred back and forth. Encryption prevents sensitive information from being read by intruders; even if it’s stolen, it will be unreadable and ultimately useless to them.

Different types of encryption such as Triple DES, AES, RSA, Blowfish, and FPE can be employed by developers, using either symmetric (single-key) or asymmetric (key-pair) schemes to decrypt the received data. Of these, AES is the current standard for encrypting data at rest and in transit; Triple DES and Blowfish are legacy ciphers with 64-bit blocks and should not be selected for new systems. JWT, as stated above, can also be a safe way of transferring data between hospitals, patients, pharmaceutical companies, and other parties. JWT data can either be encrypted (JWE) or protected by a digital signature (JWS); a signature alone guarantees integrity, not confidentiality, so PHI belongs only in an encrypted token.
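An added example, not from the original post, showing the at-rest encryption described above with AES-256-GCM in Go: the record is scrambled into ciphertext, and because GCM is an authenticated mode, a stolen blob that is modified, moved to another patient’s row, or decrypted with the wrong key is rejected rather than silently misread. The record identifier and contents are constructed, and the key is assumed to come from a key-management service rather than being stored beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newGCM wraps a 16/24/32-byte AES key (AES-256 for 32 bytes) in GCM, an authenticated mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord returns nonce || ciphertext || tag. recordID is bound in as associated data
// so a blob copied into another patient's row will not decrypt there. A fresh random nonce
// per call is mandatory: reusing a nonce under the same key breaks GCM's guarantees.
func encryptRecord(key, recordID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// decryptRecord reverses encryptRecord; any change to the blob, the key or the recordID
// makes the tag check fail, so stolen-and-modified data is rejected rather than misread.
func decryptRecord(key, recordID, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}
```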

Building Secure Healthcare Apps: The Takeaway

Ultimately, it’s undeniable that emerging mobile technologies are reshaping healthcare experiences, and the ways medical staff and patients operate are evolving. The risks that these digital healthcare solutions carry are not to be downplayed. The digitization of personal and medical information sets the basis for a more efficient medical service but also makes that information more vulnerable to attacks. Still, for entities and individuals wanting to engage in healthcare app development, the benefits outweigh the challenges. Nonetheless, those challenges must be addressed for proper operability, and companies need to hire a development partner fit to overcome them.

At Foonkie, we specialize in building secure healthcare apps with all the technical safeguards properly implemented to overcome safety challenges and prevent data breaches and security incidents. We have more than ten years of experience developing apps in a security-conscious environment that will instill trust in users and propel the app’s immediate adoption, ultimately determining a product’s success. All the tools and protocols we employ in our development processes ensure the delivery of wholesome, high-quality, compliant, and beautiful mobile applications, and companies like Pfizer, Takeda Pharmaceutical Company, Boston Scientific Group, and Keralty can attest to that.

If you want to partner up with a company qualified to create a healthcare mobile solution that is secure, safety compliant, user-friendly, and will always strive to deliver the best product, you should contact us. Let’s talk!