HIPAA requires some level of encryption everywhere you store ePHI. Most of our customers end up relying on the phone’s built-in security features. While this is outside of our area, here are some minimal recommendations:
iOS:
- Prevent secrets stored in the keychain from being included in backups unintentionally (i.e. use kSecAttrAccessibleWhenUnlockedThisDeviceOnly instead of kSecAttrAccessibleWhenUnlocked).
- Don’t allow your app to run on a rooted/jailbroken device.
- Do not disable SSL certificate validity checking in your app.
- Understand the security implications of Touch ID-protected keychain items in the event that data is extracted from a stolen phone.
- Read through and apply Apple’s security best practices.
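The keychain recommendation above, as an added example (not code from the original page): a small Swift store that writes a secret with kSecAttrAccessibleWhenUnlockedThisDeviceOnly and an audit helper that checks which accessibility class an existing item carries. The service name and account are assumed placeholders.

```swift
import Foundation
import Security

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

// Constructed example: a store for a device-bound secret (e.g. a token that
// guards access to ePHI). Items marked ThisDeviceOnly are not migrated to
// another device through a backup restore; WhenUnlocked items are.
struct DeviceOnlySecretStore {
    let service: String   // hypothetical, e.g. "com.example.ephi.session"

    private func baseQuery(_ account: String) -> [String: Any] {
        return [kSecClass as String: kSecClassGenericPassword,
                kSecAttrService as String: service,
                kSecAttrAccount as String: account]
    }

    /// Adds or replaces `secret` under `account`, bound to this device only.
    func save(_ secret: Data, account: String) throws {
        // Delete any existing item so SecItemAdd does not return errSecDuplicateItem.
        SecItemDelete(baseQuery(account) as CFDictionary)
        var add = baseQuery(account)
        add[kSecValueData as String] = secret
        // The security-relevant attribute: keeps the item from migrating via backup.
        add[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(add as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    /// Returns the stored secret, or nil if no item exists for `account`.
    func load(account: String) throws -> Data? {
        var q = baseQuery(account)
        q[kSecReturnData as String] = true
        q[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(q as CFDictionary, &result)
        if status == errSecItemNotFound { return nil }
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
        return result as? Data
    }

    /// Audit check: true only if the existing item is ThisDeviceOnly.
    func isDeviceOnly(account: String) throws -> Bool {
        var q = baseQuery(account)
        q[kSecReturnAttributes as String] = true
        q[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: AnyObject?
        let status = SecItemCopyMatching(q as CFDictionary, &result)
        guard status == errSecSuccess, let attrs = result as? [String: Any] else {
            throw KeychainError.unexpectedStatus(status)
        }
        return (attrs[kSecAttrAccessible as String] as? String)
            == (kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String)
    }
}
```

Run `isDeviceOnly(account:)` over every secret your app writes during a release check; any item that returns false is a candidate for leaving the device in a backup.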
Android:
- Turn off the auto backup functionality.
- Don’t allow your app to run on a rooted device.
- Do not disable SSL certificate validity checking in your app.
- Read and apply Google’s security best practices.