App Security Guidelines & Survey
Please read through the guidelines below and provide feedback using the brief survey at the end.
App Security (S) Guidelines
The Security Guidelines assess whether the application is protected from external threats and maintains the integrity, availability, confidentiality, and resilience of its data.
Guideline S1 – Security Operations
The app publisher ensures that the app’s security procedures comply at all times with generally recognized best practices and with the applicable rules and regulations of the jurisdiction(s) in which the app is intended to be sold or used, and that such procedures are explained or made available to users.
Requirements for Guideline S1
- 01 Administrative, physical, and technical safeguards to protect user’s information from unauthorized disclosure or access are provided and employed.
- 02 Access to user’s information is limited to those authorized employees or contractors who need to know the information in order to operate, maintain, develop, or improve the app.
- 03 If the app utilizes unique identifiers, the identifier is linked to the correct user and is not shared with third parties.
- 04 If any third-party vendor services are utilized as part of the app, an information security risk assessment should be conducted of the respective third parties.
- 05 If your organization is subject to HIPAA or other Information Security and/or Privacy regulations, an internal risk assessment for any systems related to PHI/PII should be conducted.
- 06 App publisher should create and maintain a baseline configuration document so that deviations from the baseline, and the risks they introduce, can be identified.
- 07 Risk-appropriate authentication methods are used to authenticate users.
- 08 A written description of security procedures is provided in a section of the app (tab, button, or equivalent) or through an active link. The security procedures are written in clear, easy-to-understand language and terms and are affirmatively agreed to by the user. Such components include, but are not limited to, how personal information is safeguarded, how unique identifiers are linked to the correct user, and authentication methods used.
- 09 App publisher should designate someone to be responsible for information security.
- 10 App publisher staff designated for information security should have a baseline of information security knowledge.
- 11 Responsibilities for information security staff should be clearly documented.
- 12 Any staff members handling PHI/PII should be required to take Information Security Awareness training, highlighting HIPAA.
- 13 The app publisher has a mechanism in place to review security procedures on an ongoing basis and to update them as necessary, so that they comply at all times with the applicable rules and regulations of the jurisdiction(s) in which the app is intended to be sold or used.
- 14 Cloud-based apps meet Statement on Standards for Attestation Engagements (SSAE) No. 16 requirements and an SSAE No. 16 audit report is provided. (http://ssae16.com/SSAE16_overview.html) Note that SSAE No. 16 was superseded by SSAE No. 18 in 2017; a current SOC report issued under the successor standard satisfies the same intent.
- 15 If the app uses Short Messaging Service (SMS) or Multi-Media Message Service (MMS), the user is informed whether messages are encrypted and, if so, the level of encryption.
- 16 Any app that collects, stores and/or transmits user financial data for any purpose, including payment processing, or the app directs to any website for the purpose of collecting and/or processing of financial information, including any third-party website, shall comply with all applicable Federal and state laws, rules and regulations, and private sector regulatory best practices guidelines and initiatives regarding data security requirements.
Guideline S2 – Vulnerability Management
The app, including without limitation, any advertisement displayed or supported through the app, is free from known malicious code or software such as malware, including, but not limited to, viruses, worms, trojan horses, spyware, adware, rootkits, backdoors, keystroke loggers, and/or botnets at time of release and/or upgrades.
Requirements for Guideline S2
- 01 A scan of the app by the app developer using scanning software does not reveal any known malicious code or software objects prior to release.
- 02 A scan of any third-party code, including advertising networks, incorporated into app for purposes of displaying or supporting advertisements (e.g., banner, interstitial) does not reveal any known malicious code or software.
- 03 If ongoing scanning does produce evidence of malicious code or software objects, proactively work to update the app and notify end users.
Guideline S3 – Systems & Communication Protection
If the app collects, stores or transmits any personal data, including, but not limited to, usernames and passwords, such information is collected, stored, and transmitted using encryption.
Requirements for Guideline S3
- 01 Passwords are stored only as a one-way salted hash using a random, per-user salt, or according to a currently accepted password-storage guideline (a deliberately slow or memory-hard function such as bcrypt, scrypt, Argon2, or PBKDF2 rather than a plain fast hash).
- 02 Usernames and passwords are collected and transmitted only when using encryption between the client app and the server.
- 03 Other personal information, while at rest and/or in motion, is encrypted using a generally recognized, industry-accepted encryption method (e.g., FIPS 140-2 validated modules, ISO/IEC standards) appropriate for such information, and the encryption level is disclosed.
- 04 App contains security safeguards to verify the identity of intended user in the event of forgotten, lost or unknown user name, password and/or passcode (“unique identifiers”), for purposes of reminders, re-linking, or creation of new unique identifiers.
- 05 The organization should have a change management process covering changes to the app and to the critical systems it depends on.
- 06 Information systems related to the app should run antivirus/anti-malware software and have a mechanism to keep the application environment up to date with security patches.
- 07 Application data should be backed up regularly.
- 08 Firewalls should be used for internal and external connections.
- 09 Vulnerability assessments should be conducted on the application and organizational network on a regular basis.
- 10 If removable media is used for the storage of personal data, the media should be encrypted to protect the data from unauthorized access.
- 11 Organization should have a documented patch management process for systems and the app.
- 12 The installed app and its supporting infrastructure should have the capability to log and audit activity within the system, e.g., who did what, when, and how.
- 13 Installed app audit logs should be retained for a minimum of 90 days.
Guideline S4 – Compliance
If the app collects, stores or transmits information that constitutes PHI as defined by HIPAA and the rules thereunder (e.g., app publisher constitutes a Business Associate pursuant to HIPAA), it uses requisite efforts to maintain and protect the confidentiality, integrity, and availability of individually identifiable health information that is in electronic form (e.g., ePHI).
Requirements for Guideline S4
- 01 If the app, or its use, subjects the user or any party to HIPAA, the app publisher has implemented administrative, physical and technical safeguards, and developed policies and procedures, pursuant to the HIPAA Security Rule, as applicable. For purposes of the technical safeguards, note that HIPAA does not itself certify encryption products; for ePHI to count as “secured” under the HHS breach-notification guidance it must be encrypted in a manner consistent with NIST guidance (e.g., using FIPS 140 validated modules).
- 02 If applicable, the app or the app publisher has safeguards in place or uses requisite efforts to comply with all obligations pursuant to any BAA, including capabilities to assist a covered entity in curing any breach, and address all other requirements of HIPAA in the event of a breach including notifying affected users.
- 03 The app publisher has the capabilities to enable compliance, and shall comply with any and all applicable notification requirements to its users in the event that users’ PHI is or is suspected to be compromised (e.g., Breach Notification Rule pursuant to HIPAA including the capability to support and execute notification requirements).
- 04 The app publisher has a mechanism to notify end users about apps that are banned or recalled by the app publisher or any regulatory entity (e.g., FDA, FTC, FCC, UL).
- 05 In the event that an app is banned or recalled, a mechanism or process is in place to notify all users about the ban or recall and render the app inoperable.
- 06 If the app constitutes a medical device (e.g., 510(k)) or is regulated by the FDA in any other capacity, the app publisher has a policy and a mechanism in place to comply with all applicable rules and regulations for purposes of handling all aspects of a product notification or recall, including all corrections and removals.
Guideline S5 – Access Control and Authentication
If the app collects, stores and/or transmits personal information, the app offers one or more industry-accepted methods for guarding against identity theft.
Requirements for Guideline S5
- 01 The app provides a method for securely authenticating the user at a session level (e.g., password, pass phrase, PIN, challenge phrase) and utilizes additional methods or techniques to further secure the identity of the users whenever the system is initially establishing identity, or the system has indications that the identity might have been compromised (e.g., multiple password failures).
- 02 Unique user IDs should be used for access to all functions within the application.
- 03 Access within the application should be limited to what is needed for that individual’s specific role.
- 04 A process for provisioning and deprovisioning access in a timely fashion should be documented.
- 05 Remote access and privileged access should require two-factor authentication to reduce the risk of unauthorized access.
Guideline S6 – Asset Management
If the app collects, stores, and/or transmits personal information, the app publisher maintains a methodology for documenting the assets involved.
Requirements for Guideline S6
- 01 Organization should have a process for tracking information and physical assets.
- 02 Information assets should be classified based on their value to the organization and on applicable outside regulations (e.g., public, internal, confidential, sensitive).
Guideline S7 – Physical & Environmental Security
If the app collects, stores or transmits personal information, the app publisher shall maintain a record of how physical and environmental security is maintained.
Requirements for Guideline S7
- 01 Organization should have a physical security program.
- 02 Physical security program should include security and environmental controls for the building/data center which contains information assets and system.
Guideline S8 – Incident Response
If the app collects, stores or transmits personal information, the app publisher shall create and maintain an Incident Response system.
Requirements for Guideline S8
- 01 Organization should have an incident response plan in the event of an information security incident.
- 02 If a breach is confirmed, the organization should notify affected customers and individuals in accordance with applicable regulation.
Guideline S9 – Disaster Recovery & Business Continuity
If the app collects, stores or transmits personal information, the app publisher shall provide a documented plan when the app, data or access is not available for use.
Requirements for Guideline S9
- 01 Organization should have a documented DR/BC plan in the event that the application, data, or its infrastructure is not available for use.
- 02 Restores from data backups should be tested on a regular basis.
- 03 Tests of the DR/BC plan should happen on a regular basis.
Please Complete the Following and Submit