Security has become a hot topic as of late. It’s not just concerns over getting mugged for your Apple iWatch or iPhone, either. Anxieties over the security of information that is stored in the cloud have surfaced, along with reports of security breaches on a high profile. These concerns may be driving consumers to reconsider embracing any technology that features cloud-based solutions, but we’d like to take a deeper look at the situation and potentially re-instill some confidence.
Usability Versus Security
How could Apple, or any other similar software or service company, create products that aren’t secure? Simply put, there’s a tension between usability and security. The key to success for many developers and engineers is finding the perfect balance between the two: creating products that don’t sacrifice one for the other, providing the appropriate level of security while maintaining ease-of-use.
[ibimage==40539==Original==none==self==ibimage_align-center]
Recently, a few high-profile cases of intrusions in to the iCloud accounts of celebrities have made headlines, raising anxiety levels of anyone who uses cloud-based technology in both the consumer and business world. Typically with their products, Apple leans toward usability in favor of security, opting to enhance the experience and make their devices and services easier to use rather than implementing barriers to protect high-risk data.
This can be a major point of differentiation for a company like Apple as it is positioned against its competitors. For example, many consumers prefer the ease-of-use of the Mac OS over a system like Windows, which implements user account controls that are often unnecessary and hinder your ability to use the system. Apple’s thinking is that much of the data that is stored in the cloud, such as baby pictures and selfies, is not high-risk data and shouldn’t require protection through these sort of precautions. That attitude has generally worked, but it is now the source of controversy and rising concern.
Banking and healthcare applications and responsive solutions are becoming prevalent in the mobile space. Bank account management applications and responsive mobile banking solutions are incredibly popular, and many even encompass bill and other payment methods. Other applications process credit and debit card transactions. Certain health-related applications have begun implementing healthcare information in attempts to become comprehensive fitness facilitators, and we’ve even created a solution for Zest Health that gives the user a complete, comprehensive look in to their health benefits.
All of these applications require the input of sensitive money- or health-related data at some point, and it appears as if banking, credit card, debit card, or even your medical records and billing information may be stored on the cloud at some point. Though this may or may not be true, the concern remains that if pictures and videos that were automatically synced to the cloud are accessible to hackers, what is stopping those same hackers from accessing this more sensitive data?
HIPAA and PCI Compliance – Protecting High-risk Data
We implore you to relax. There are plenty of reasons not to worry. From a banking and payment standpoint, PCI compliance is absolutely required if you intend to process payments or capture credit or debit card information. PCI requirements for software, such as mobile applications, specifically state that the sensitive data in question cannot be stored, thus removing the risk of cloud hackers accessing it. In addition, PCI compliance requires end-to-end encryption (E2EE), meaning that the data is protected by encryption throughout the entire payment process, from the moment a card is swiped or data is input to the time that the charge is approved. PCI compliance exists to provide confidence when you use software that deals with payment-related information.
[ibimage==40540==Original==none==self==ibimage_align-right]
On the other hand, you have fitness and healthcare apps. Given recent events surrounding the security of cloud-storage accounts, Apple actually decided that any apps storing private wellness data in the iCloud specifically will be rejected from the App Store from here on out. This really isn’t a surprise at all, considering that storing wellness data on the cloud would require that the host of the cloud storage – in this case Apple – would be HIPAA compliant. Since the repercussions for mismanaging patient data or medical billing information are quite severe, Apple would rather not have that liability.
The HIPAA Privacy Rule exists to protect medical and personal information as it is saved, accessed and shared, while the HIPAA Security Rule covers health data that is received, created, maintained or transmitted electronically. We’ve taken the steps to ensure that our healthcare apps follow HIPAA compliance requirements, from physical and technical safeguards and policies, to ensuring that the data is not stored within the app or on the phone. The sensitive information in our solutions is stored within encrypted SQL databases that are running on HIPAA-compliant instances of Microsoft Azure cloud.
Social Hacking
From the technical side, regulations and requirements ensure that your information is safe from hackers and thieves. However, some sensitive information lies outside of the reach of digital encryption. Social engineering and social hacking may have very well been the source of some of the recent intrusions in to the iCloud, and the importance in doing your part to keep your information secure should not be overlooked. Social engineering in the context of information security is typically the psychological manipulation of people in to divulging information that would grant hackers access to their accounts. The best way to avoid social hacking is to not divulge personal information to strangers. Typically, customer service reps for your various services will not ask you for your password.
All-in-all, sensitive payment and healthcare information is not subject to the same security measures – or lack thereof – as your selfies. PCI and HIPAA compliance exist to protect this information on a higher level, and anything not covered on the technical side can be taken care of with a little vigilance on the part of the user. This should be enough to quell any worry that recent security breaches may have caused.
