iPhone 6: Apple Wants Your Health Data. But Can HealthKit Protect It?

This article is more than 9 years old.

Two weeks ago, Apple warned developers: Don't share data you've collected using HealthKit, Apple's new software for medical and fitness apps. (HealthKit formally debuts on Tuesday, as part of Apple's iPhone 6 and iOS 8 launch event.)

But two days later, it was Apple getting chastised: The company's iCloud was hacked, as nude photos were stolen from the accounts of Jennifer Lawrence, Kate Upton, and dozens of other female celebrities.

The irony of Apple's push into collecting sensitive data — at a time when it couldn't seem to protect its own — hasn't been lost.

"Does Apple's HealthKit app have a nude celebrity photo problem?" Bloomberg's John Tozzi wondered.

At Forbes, Parmy Olson predicted that Apple would use Tuesday's iPhone 6 and iOS 8 rollout — which will double as HealthKit's official launch — to stress its commitment to data privacy and protection.

Concerns over whether Apple can protect health data are absolutely justified: Whether stored at Apple, its partner Epic Systems, or a local community hospital, health data is at huge risk at any organization.

That's largely because the number of health-data hacking attempts has skyrocketed in recent years; one recent study suggested that the number of attacks on hospitals has increased 600% just since November 2013.

But what hackers are seeking — and why they've doggedly pursued health care organizations — is more nuanced than the simple chase of infamous photos or celebrity patient records.

And in some ways, it underscores the challenge facing Apple as the company attempts to move into the $9 billion-plus mobile health market.

With HealthKit formally launching on Tuesday, here are five pieces of context to understand what Apple's up against.

1. Most hacking attempts are driven by financial motives.

Many hackers seek credit-card numbers, which is one reason why banks and retail stores — not just health systems — have suffered some of the worst data breaches in recent years. More than 40 million Target customer credit cards were hacked last Thanksgiving; on Monday, Home Depot disclosed that it had been hit by the same group.

A Massachusetts report released last week calculated that state banks and financial institutions experienced 1,551 data breaches last year, compared to just 88 health care-related data breaches in the state.

2. Health data hacks have largely been driven by identity theft.

But financial motives have extended to hacking the health-care sector, too. A full identity profile in a patient medical record can go for $500 on the black market, David Pittman reported for Politico — making it hundreds of times more valuable to hackers than a stolen credit card number, which often gets sold for just several dollars.

I asked my colleague Meg Aranow, who was CIO of Boston Medical Center before joining the Advisory Board Company as a senior research director, how hackers try to get this data from hospitals. Aranow pointed out that health care organizations historically get hit with "broad attacks," as hackers seek massive volumes of personally identifiable information to steal patients' identities. (Which is very different from how the targeted iCloud breach presumably went down.)

But identity theft gets harder when you're trying to hack a celebrity.

3. Most celebrity health data problems are an 'inside job.'

Instead, celebrity data hacks have generally been more mundane: A staffer looks up patient records that he or she shouldn't be digging into, and sometimes shares that data beyond the organization.

"The biggest barrier to breaking into a hospital system to look up VIP records is exactly that: Getting access," says Ernie Hood. (Hood was CIO of Seattle's Group Health Cooperative before, like Aranow, joining the Advisory Board Company.)

Many cases of celebrity health records being exposed to the public — whether Kim Kardashian or 'Octo-Mom' — were "insiders abusing their access," Hood notes.

4. HealthKit will be governed by different protections than iCloud.

After last week's leak of celebrity photos, Apple further stressed to HealthKit developers: Don't put data into the cloud.

That's less an indictment of iCloud and more a reflection of the reality of working with health data. As Bloomberg's Tozzi notes, "software secure enough for everyday business and personal communications" — which presumably still includes iCloud — "doesn’t always meet the U.S. legal standard for health-care companies handling sensitive medical data."

Health data, meanwhile, is governed by the Health Insurance Portability and Accountability Act, better known by its acronym HIPAA. The law calls for stringent protections of health data, as companies must prove that their apps and platforms are HIPAA-compliant ... and run the risk of major penalties if data gets lost.

5. Data breaches are guaranteed — so a change in strategy is essential.

Google's data's been leaked. Lockheed Martin's systems have been breached.

Apple's been hacked, and will probably get hacked again.

In the face of inevitable attacks, organizations have changed their strategy from simply building firewalls to conducting continuous monitoring in order to catch bad actors as soon as possible.

"We’re still not clear what happened with the Apple hack," Hood told me.

"But the truth is that you can’t count on keeping hackers out of your systems."
