The Federal Trade Commission (FTC) commissioners, in a split 3-2 vote, issued a policy statement on September 15 confirming that both health applications and connected devices must comply with the "Health Breach Notification Rule" (August 2009). The commissioners acknowledged that these applications and devices generally fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA), but said the entities behind them should "face accountability when consumers' sensitive health information is compromised."

What this means, according to the statement, is that "entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information." Developers of healthcare applications or connected devices are required to initiate their notification protocol when they experience a "breach of security." Leaving no room for misunderstanding, the statement provides an unambiguous example: "When a health app ... discloses sensitive health information without users' authorization, this is a 'breach of security' under the Rule."

Of particular note, especially for those responsible for safeguarding aggregated health and fitness data collected from consumers, the statement makes clear that data flowing through application programming interfaces (APIs) falls within the Rule. Therefore, the device that has been monitoring your sleep, heart rate, calorie consumption, medication, fertility, diet and physical activity falls within the Rule.

Health data insecurity isn't hypothetical

According to the IQVIA Institute for Human Data Science's 2021 trends report, the number of digital health applications has grown to more than 350,000, with 90,000 released in the past year alone. The report also highlights growth in digital therapeutics and in care apps for mental health, diabetes and cardiovascular conditions, which together account for approximately 47% of available apps. The vulnerability via apps is not hypothetical.
In February 2021, Approov published its report "All that we let in," which tested 30 mobile healthcare apps and found that "every one displayed API vulnerabilities that exposed personal healthcare data." In 2020, Intertrust released a study on the security of mobile health apps and found that 91% of the apps failed cryptographic tests and 71% had at least one major security vulnerability.

Think of your average hospital room and the number of devices active within it at a given time: 15 to 20? An ICU room will have 20-plus devices, a ward has 20 beds, and it becomes clear that the law of large numbers will prevail; before you know it, an average hospital might have as many as 80,000 to 85,000 connected devices. Would a vulnerability in any of these devices be of interest to a criminal or mal-intended individual? Absolutely. We need only review the recent case of the malevolent cybersecurity provider who compromised devices within his client's hospitals to harvest "patient information, including test results, device output, and billing and accounting data."

Thoughts of the five FTC commissioners

The chair, commissioner Lina M. Khan, voted in support of the policy statement, noting that the pandemic has "hastened the adoption of virtual health assistants, with Americans placing their trust in various technologies to track and manage their personal health." She went on to say that the creators of these applications often fail to address privacy and security concerns, which she characterized as "playing fast and loose with user data, leaving users' sensitive health information susceptible to hacks and breaches."

Commissioner Rebecca Kelly Slaughter, in her statement in support of the policy, highlighted how mental health applications have been an area of particular growth during the COVID-19 pandemic: "While digital mental health tools can be promising if they connect users with evidence-based resources, they also present high risks, because users seeking mental health resources are often sharing information that is particularly sensitive and personal." Slaughter made clear, "If you are offering digital health services, the FTC will hold you accountable for accurate, evidence-based claims and fully compliant data privacy practices."

Commissioner Rohit Chopra noted that the FTC has historically not been energetic in enforcing the existing breach notification rule, and said he looks forward to working with "the Department of Health and Human Services to safeguard our most sensitive health data."

Dissenting were commissioners Noah Joshua Phillips and Christine S. Wilson, who believed the policy statement was an overreach. Phillips noted that the rule's language, including "the definitions in our regulations and those of HHS [Health and Human Services] and SSA [Social Security Administration] that the majority is today reimagining," has "never been a model of clarity." He also pointed out that a breach of security and the acquisition of information without the individual's authorization are two different acts, which the statement now commingles. Wilson, while supportive of the need to protect consumers, argued that the policy statement would have a substantive impact on other agencies (SSA and HHS).

CISOs' road ahead

It is worth noting that, per commissioner Slaughter, the policy statement is not "rule-making" and is "designed to clearly communicate compliance obligations in the market under the existing laws." Nothing in the underlying law has changed; the purpose of the policy statement is to provide clarity.

With 90,000 applications introduced over the past year, commissioner Khan's observation is both possible and probable: security and privacy may not be at the forefront for many of those apps. This is especially relevant given the industry studies indicating widespread problems with how app developers implement cryptography and APIs.

The FTC's bar for handling inadvertent disclosure or access, whether in-house or through a breach or misconfiguration of data stores, may require apps to be overhauled. CISOs within the health application and device sectors who have had difficulty getting funding to secure their entity's network, data and applications have therefore been handed, courtesy of the FTC, a bullet point to take to the C-suite: the sting for non-compliance adds up quickly, as the civil penalty is $43,792 per violation, per day.