Apple has partnered with a security company to add full end-to-end encryption to CareKit data, making it easier for hospitals to use the platform while remaining compliant with patient data regulations. CareKit allows patients to choose to share health data from an app on their iPhone with the physicians treating them.
While CareKit data is already encrypted by default, it doesn’t use full end-to-end encryption, meaning that any data stored on cloud services would be open to decryption by the owners of that service. Buzzfeed reports that Apple is partnering with security firm Tresorit to offer better encryption options to developers – but this won’t necessarily mean that all CareKit programs adopt it …
Tresorit’s security technology, called ZeroKit, will offer user authentication for patients and healthcare workers, end-to-end encryption of health data, and “zero knowledge” sharing of health data, in which data isn’t shared with any service as it transfers.
Apple says that ZeroKit offers three benefits over standard encryption. First, ZeroKit takes care of user registration and authentication, so that developers never have access to passwords – and therefore have no concerns about being hacked. Second, a server breach would never provide access to decrypted data. Third, a ‘zero knowledge’ approach means that nobody between patient and doctor ever has access to either patient data or access keys, providing hospitals with the assurance that they are fully compliant with regulatory requirements.
The improved security means that hospitals are able to use CareKit without fear of breaching the Health Insurance Portability and Accountability Act (HIPAA).
Tresorit says that nobody has yet won a $50k bounty for cracking the encryption, despite more than a year’s worth of attempts.
More than 1,000 hackers, including MIT, Stanford and Harvard have failed to break in.
Note that there is no requirement for CareKit developers to use ZeroKit, and patients enrolled in CareKit programs won’t be able to choose. It will be down to individual developers to decide whether or not to adopt ZeroKit.