HIPAA requires some level of encryption everywhere you store ePHI. Most of our customers end up relying on the phone’s built-in security features. While this is outside of our area, here are some minimal recommendations:

iOS:

  • Block unintended backup from happening when you are storing secrets in the keychain (i.e. use kSecAttrAccessibleWhenUnlockedThisDeviceOnly instead of kSecAttrAccessibleWhenUnlocked).
  • Don’t allow your app to run on a rooted/jailbroken device.
  • Do not disable SSL certificate validity checking in your app.
  • Understand the security implications of the TouchID-enabled keychain in case of data extraction from a stolen mobile phone.
  • Read through and apply Apple’s security best practices.
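As an added illustration of the first iOS point (example code written for this page, not from the original article or any product it describes), the helper below stores a secret as a generic-password keychain item with the "ThisDeviceOnly" accessibility class so the item is never restored onto another device, and can optionally bind it to the current biometric enrolment; the service and account names are assumed placeholders.

```swift
import Foundation
import Security

/// Stores `secret` under `service`/`account`. With kSecAttrAccessibleWhenUnlockedThisDeviceOnly
/// the item is readable only while the device is unlocked and never migrates to another device
/// through a backup/restore, unlike plain kSecAttrAccessibleWhenUnlocked.
/// If `requireBiometry` is set, the item is additionally protected by an access-control object that
/// is invalidated when the enrolled fingerprints/face change (.biometryCurrentSet).
func storeSecret(_ secret: Data, service: String, account: String, requireBiometry: Bool = false) -> OSStatus {
    let identity: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Replace any existing item so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(identity as CFDictionary)

    var attributes = identity
    attributes[kSecValueData as String] = secret

    if requireBiometry {
        // kSecAttrAccessControl carries the accessibility class itself; do not also set kSecAttrAccessible.
        var error: Unmanaged<CFError>?
        guard let control = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .biometryCurrentSet,
            &error) else { return errSecParam }
        attributes[kSecAttrAccessControl as String] = control
    } else {
        attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    }
    return SecItemAdd(attributes as CFDictionary, nil)
}

/// Reads the secret back; returns nil if it is absent, or if the device is locked / biometry fails.
func readSecret(service: String, account: String) -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: AnyObject?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? Data
}
```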

Android:

  • Turn off the auto backup functionality.
  • Don’t allow your app to run on a rooted device.
  • Do not disable SSL certificate validity checking in your app.
  • Read and apply Google’s security best practices.