Apple’s entry into digital healthcare places a new burden on the iPhone-maker’s data-protection mechanisms at a time when corporate America is reeling from high-profile security breaches.
With congressional attention at a fever pitch, the stakes have never been higher. The recent scandal involving now-defunct Cambridge Analytica’s improper harvesting of Facebook user data culminated in an appearance by the social network’s founder, Mark Zuckerberg, before two congressional committees last month.
The previous autumn, former Equifax CEO Richard Smith stepped down after hackers stole personal data including birth dates on more than 140 million U.S. borrowers tracked by the Atlanta-based credit bureau.
The risks involving healthcare data are even higher. Such information is governed by strict federal laws, and any data breach or improper use of consumer information could constitute a violation. For a company to succeed, it will need to build trust with its consumers, says Deven McGraw, the former deputy director for health information privacy at the Department of Health and Human Services.
“For a tech company that’s getting into the health care space … there has to be a certain level of trust,” said McGraw, currently the chief regulatory officer at California-based health information startup Citizen, “Nobody is going to give us their health information unless they trust us. And what makes an individual trust a technology company? I think that’s a really hard thing to define.”
Even a scandal minor in comparison to Facebook’s could harm Cupertino, Calif.-based Apple’s reputation and hinder its expansion in the new market, the most significant move of which is a partnership with 12 hospital systems announced earlier this year. The agreement allows patients to access their medical records through an application available on all iPhones with updated software.
“Privacy is a key element of these initiatives for education and personal health,” Chief Executive Officer Tim Cook said on a recent earnings call. “We’re relentless about making the best products and experiences in the world, while fiercely protecting our users’ privacy.”
Apple’s move has challenged legacy electronic health-record vendors like Epic and Cerner, which have also introduced mobile health portals. Unlike those suppliers, however, Apple doesn’t contract with providers to manage records or supply any underlying products. Instead, it teams with hospitals that are able to integrate with Apple’s operating system.
All health record data transmitted under the partnership is encrypted and users must manually opt in to sync their information through Apple’s iCloud or download a medical record using a secure connection. The company expressly notes that it is “not creating, receiving, maintaining, or transmitting” protected health information.
“It takes careful and thoughtful design to be able to enter a regulated space from an unregulated space, and my sense is that they have done it well,” Michelle De Mooy, a privacy advocate and director at the Center for Democracy & Technology, said in an interview. “They understand the implications, perhaps, of privacy or the relationship between privacy and security, and I think that is absolutely crucial, especially when you are talking about such sensitive data.”
The intricacies of the federal privacy framework known as the Health Insurance Portability and Accountability Act, or HIPAA, represent a central part of the challenge.
“Health privacy in the United States is among the most mature frameworks that we have,” said Lisa Sotto, a privacy and cybersecurity attorney at law firm Hutton & Williams. “HIPAA is one of the most complex privacy laws in the country, maybe the most complex.”
Medical information is a top target for hackers. In April alone, UnityPoint Health System, medical device manufacturer Inogen and Maryland insurer CareFirst all reported security breaches involving patient or consumer information. Given the public attention a breach elicits, having a reputation like Apple’s could help persuade organizations to agree to partnerships involving sensitive consumer information.
Breaches “happen to every company regardless of the relative strength of their information security program,” Sotto said. “Working with a gold-plated company that has a strong reputation and high level of user trust will be key for these hospitals.”
As Apple expands its healthcare offerings, the Food and Drug Administration is still developing a regulatory framework for digital health products. The agency put out a series of guidance documents last year on treatment-information software and any digital health technology that might classify as a medical device.
At the same time, the agency exempted some digital health applications. None of the moves have affected Apple’s strategy so far.
“We want to keep doing what we’re doing and make good products,” general counsel Jenn Newberger said at a panel discussion with the FDA earlier this year. The company is one of nine working with the FDA on its regulatory framework.
