HIPAA Compliance and Other Security Issues with Pokémon Go
Pokémon Go: Even if you’re not playing it, you probably know someone who is. Ever since the mobile app was officially released in the US in July 2016, Pokémon-catching fever has taken over. But, when an app becomes this popular this fast, it’s important to take a step back and ask questions about security. Even before Pokémon Go received its American release for iOS and Android devices, there were questions about the type of permissions the app required, as well as further apprehension regarding what kind of data could be accessible if a hack should occur.
There’s a deeper layer of concern when it comes to Pokémon Go and compliance with the Health Insurance Portability and Accountability Act (HIPAA). Though these two things might sound like they have little to no connection, consider how many patients and visitors in a hospital or healthcare facility are firing up the app, or how many members of healthcare staff are busy hunting rare Pokémon in their downtime.
While it may be fun and addictive to try and catch ‘em all, there are boundaries when it comes to where and when you can play Pokémon Go—and that includes healthcare facilities. Here’s what you need to know about the area where HIPAA and Pokémon collide.
Why Healthcare Facilities are Bad Pokémon Hunting Ground
The Pokémon Go app uses augmented reality technology to turn the world around you into a virtual space populated with friendly monsters, which means that anywhere you go can be home to a valuable Pokémon. Players can also drop “lures” in certain locations to attract even more Pokémon, and those locations can include anything from churches to memorials to, yes, even hospitals.
One of the biggest concerns comes with the fact that Pokémon Go relies on the camera in your smartphone. Taking pictures or video inside a healthcare facility creates the opportunity—unintended or not—to capture footage of someone’s confidential health information. Even if the information simply appears in the background behind a Drowzee or a Pikachu and means nothing to the Pokémon Go player, it’s still stored on a device, and therefore considered a breach of HIPAA.
Errant photos aren’t the only risk that lies behind the app’s candy-colored veneer. An article at IFLScience explains that malware has been created to take advantage of Pokémon Go players—they mention “several reports of Pokémon Go apps being modified to contain a malicious remote access tool, which effectively can give an ‘attacker’ full access to your phone’s data.” The trouble here seems to come into play when participants download apps from third-party sites rather than the official Apple or Android app stores, which is a good reminder to only download or install apps from reputable sources. Failing to do so could lead to a data breach, and if you’re a Pokémon Go player who works in healthcare, that means that patient ePHI (electronic protected health information) could be in jeopardy.
Lastly, there were initial concerns upon Pokémon Go’s release that a user needed to allow the app access to his or her own Google account, which would allow the developers to see your Google data, search history, images, and even your files on Google Drive. Google has a somewhat vague history when it comes to HIPAA compliance, confirming that you should be keeping ePHI far away from Google properties, unless you are completely sure you’re using a Google app that abides by HIPAA.
Although the Google access issue in Pokémon Go appears to have been overstated, it’s yet another reminder to be cautious about giving apps particular permissions. By not doing your due diligence before installing an app, you could be unknowingly opening up your private data to malicious third parties. This is an even bigger concern if you work in healthcare and have ePHI on your phone, tablet, or laptop.
There’s a silver lining to this frenzy around catching virtual monsters: The popularity of Pokémon Go is a good excuse for additional training and education around cybersecurity and transmitting ePHI safely. A Lexology article recommends this as a jumping-off point for reviewing a healthcare facility or hospital’s policies in terms of risk analysis. The piece recommends that you use Pokémon Go as a reason to “verify that the covered entity’s or business associate’s risk analysis addresses portable devices as well as photography and social media” and adds that “entities then should verify that appropriate safeguards, policies, and procedures are in place to bring these risks to a reasonable level.”
It’s also an opportune time for hospitals and other institutions to revisit their social media policy, as well as their filming and photography rules. If your facility doesn’t already have prominent signage forbidding photos or video, then it’s time to rectify that situation. The author of the Lexology article even mentions that some covered entities are going so far as to ban the Pokémon Go app, but again, it can also be a good reason to further examine a company’s entire tech policy—or develop a new one, if one doesn’t already exist.
When regulating staff usage of Pokémon Go, it’s best to circulate official communication instructing where and when employees are allowed to play the game—clearly not at a time when it interferes with their paid work, and nowhere near the storage of sensitive health information. A company found in breach of HIPAA could be fined thousands of dollars, and you won’t be able to pay that in Pokécoins.
Gotta Catch `Em All?
While Pokémon Go may be a fun distraction during downtime, it can turn into a costly mistake if healthcare facilities and hospitals don’t guard against potential HIPAA breaches due to errant Pokémon hunters. Use this as a reason to brush up on your company’s social media policy and risk analysis. It’s okay to have fun, but the need to stay vigilant about unknowingly spreading ePHI should be constant.
Have you ever played Pokémon Go in a hospital? Did you see any signs warning against it? Tell us in the comments.
LuxSci founder Erik Kangas has an impressive mix of academic research and software architecture expertise, including: undergraduate degree from Case Western Reserve University in physics and mathematics, PhD from MIT in computational biophysics, senior software engineer at Akamai Technologies, and visiting professor in physics at MIT. Chief architect and developer at LuxSci since 1999, Erik focuses on elegant, efficient, and robust solutions for scalable email and web hosting services, with a primary focus on Internet security. Lecturing nationally and internationally, Erik also serves as technical advisor to Mediprocity, which specializes in mobile-centric, secure HIPAA-compliant messaging. When he takes a break from LuxSci, Erik can be found gleefully pursuing endurance sports, having completed a full Ironman triathlon and numerous marathons and half-Ironman triathlons.Read Full Bio