Privacy, security concerns continue to cloud mHealth’s future
Mobile health apps are emerging as disruptive technologies with the potential to shake up the healthcare industry with both benefits and risks for consumers. But mHealth privacy and security safeguards must be addressed immediately.
That’s the consensus of lawmakers and witnesses who appeared at a July 13 hearing of the House Subcommittee on Commerce, Manufacturing, and Trade.
With about 165,000 mHealth apps currently available on the market, the data generated by these apps shows promise in changing patient behaviors, which could improve outcomes.
At the same time, members of Congress contend that consumer information collected and shared through health apps carries with it inherent privacy and security risks.
“We have seen that healthcare data has a growing appeal among identity thieves and bad actors—we only need to look at the recent data breaches and an increase in ransomware attacks on hospitals,” said Rep. Michael Burgess (R-Texas), MD, chairman of the subcommittee.
“It is critical that every actor in this space start by addressing privacy and security,” Burgess added. “If industry fails to do this, then Congress will be forced to address it. And unfortunately, whatever Congress would like to do could very likely limit the potential of development in this space, and limit the success of the health apps market.”
From a privacy and security perspective, mHealth apps in many cases are not connected with entities covered by HIPAA, warned Rep. Janice Schakowsky (D-Ill.), ranking member of the subcommittee.
“Only apps tied to health plans and healthcare providers would have the responsibility to safeguard protected health information,” said Schakowsky. “If it’s a random app you found in the App Store, your information is probably not protected.”
Likewise, Frank Pallone, Jr. (D-N.J.), a member of the subcommittee, added that “even if these apps collect the same information as a healthcare provider, the same protections may not apply.” As a result, Schakowsky argued that innovation and consumer protection “must go hand in hand as health apps continue to develop.”
However, most patient-facing apps exist in a “HIPAA-free” zone, testified Nicolas Terry, a law professor and executive director of the Hall Center for Law and Health at Indiana University’s Robert H. McKinney School of Law.
“Most mobile health apps—particularly the more disruptive, patient-facing examples—are not subject to the HIPAA privacy and security rules, leaving patient wellness and health data woefully unprotected,” said Terry. “Federal data protection law that obviates the gaps between our commercial sectors and protects health information wherever it happens to reside is overdue and a necessary precondition for the full embrace of disruptive health apps by both medical professionals and consumers.”
According to recent public and private sector studies, some of the most popular mobile health and fitness apps are sharing consumer data with third-party companies, putting potentially sensitive information at risk. Making matters worse, data brokers often obtain and share vast amounts of consumer information, without the knowledge or consent of individuals.
Bettina Experton, MD, founder and CEO of mHealth vendor Humetrix, said her company, as a member of the Consumer Technology Association’s Health and Fitness Technology Board, worked on the CTA Guiding Principles on the Privacy and Security of Personal Wellness Data. Released last year, the principles are a first-of-its-kind set of voluntary guidelines for private-sector organizations that handle personal wellness data typically generated by wearable technologies.
Those guidelines recommend that companies:
- Provide robust security measures.
- Offer clear, concise and transparent information on the use of data collection, storage and sharing, especially when transferring data to unaffiliated third parties.
- Give consumers the ability to control and review their personal wellness data.
- Offer users the ability to opt out of advertising.
“It is important that consumers understand both the potential value of health technologies and the privacy options they have,” Experton told the subcommittee.
Similarly, Diane Johnson, senior director of North America Regulatory Affairs Policy and Intelligence Medical Devices for Johnson & Johnson, testified that “data security, data ownership, privacy law challenges—these all apply to mobile apps in much the same way as they do wearables.”
She said manufacturers “must remain diligent in ensuring that cybersecurity is an integral part of the process” of developing innovative mHealth solutions. “We believe that patient safety—including the security of their data—is the most important consideration,” Johnson concluded.
But David Kotz, professor in the Department of Computer Science at Dartmouth College, asserts that increased privacy and security measures are needed to protect patient information in mobile health.
Kotz co-authored a position paper published in the June issue of Computer that poses a series of research challenges in several areas, including: data sharing and consent management; access control and authentication; confidentiality and anonymity; mHealth smartphone apps; policies and compliance; accuracy and data provenance; as well as security technology.
“There are many important challenges that remain to be resolved to not only make this technology achieve its potential, but also address the potential security and privacy risks,” Kotz says. “What we have tried to do is to lay out an agenda of research challenges that need addressing.”
In their article, the researchers highlight the need for mHealth systems to provide users with the opportunity to specify how their information will be used. In addition, to verify that a personal device reporting health-related data is being used by the rightful owner, they argue that access control and continuous authentication measures, such as building biometric sensors into a device, are also required.
Anonymizing data also would help mitigate this risk, Kotz contends. The difficulty, he acknowledges, is “removing identifying information from data and yet maintain its useful purpose.” More research work, Kotz concedes, is needed to tackle the “hard problem” of finding new methods of anonymization.