Health information is generally considered to be the most sensitive type of information related to an individual. For mHealth to assume a fully integrated role in the delivery of healthcare it must be delivered in an environment in which patients have confidence that their privacy will be protected and the confidentiality and security of their mHealth data assured. The goal of this section is to provide the resources to enable them to secure that trust.
Protecting mHealth data is more challenging than the protection of non-mobile data for a number of reasons:
- The regulatory environment is complex, constantly in flux and moves at a pace far slower than new technological developments
- mHealth is not a homogenous group of technologies, devices or delivery mechanisms
- Medical devices alone comprise a wide variety of different technologies used by different populations, for different purposes, communicating different types of mHealth data
- mHealth solutions are increasingly being incorporated into organizational electronic medical and health records such that privacy and security concerns related to mHealth must now be considered in the context of networked systems
- mHealth knows no geographical boundaries, either within the United States or across global jurisdiction.
While it is important to distinguish between the concepts of “privacy” and “security” as applied to any healthcare data, it is particularly important to do so for mHealth data. “Privacy” is the right of an individual to make choices with respect to the collection, use and disclosure of their data; “security” is the safeguards – physical, administrative and technological – used to protect the confidentiality, integrity and availability of the data. Because the challenges are many, there is a tendency to focus on “security” in mHealth. Patient privacy cannot be achieved without adequate data safeguards; however secure devices do not necessarily preserve patient privacy.
Within the current environment it is becoming abundantly clear that the costs – financial, human resource efforts and reputational – of not adequately managing patient privacy and security of health information will outstrip those required to implement protection of the patient, providers, organizations and vendors. The mHealth Roadmap provides the tools to achieve this objective.
Highlights and Lessons Learned
In 2011, nearly all of the 164 respondents participating in the 1st Annual HIMSS Mobile Technology Survey indicated that clinicians in their organizations accessed information via a mobile device, with laptop computers and computers/workstations on wheels (COWs/ WOWs). Additionally, a wide variety of other professionals, including executives and support staff, were using mobile devices to perform daily activities.
The 2012 results indicate some interesting trends related to mHealth privacy and security:
Maturity of Mobile Technology Environment: Respondents characterized their mobile environment with a middle rate of maturity, with this year’s results reflecting a slight decline from that reported in 2011.
Integration of Mobile Devices and Electronic Medical Records: Nearly one quarter of respondents (22 percent) indicated that all of the data captured by mobile devices was integrated into the organization’s EHR.
Mobile Technology Policy: Two-thirds of respondents reported that their organization has a mobile technology plan in place, up from the 38 percent of respondents that reported this to be the case in 2011. Another 27 percent of respondents reported their organizations are presently developing a mobile technology plan.
Patient Access: More than one-third of all respondents (36 percent) reported that they allow patients/consumers to access information using a mobile device. However, only 13 percent of respondents indicated that they are developing apps for consumers.
Development of Apps: Respondents reported that apps within their organization were most likely to be developed by a third party or by health information technology (HIT) vendors. Half of respondents reported that they would expand their use of apps in the future.
Barriers to Mobile Technology Use: Lack of funding was most frequently identified by survey respondents as a barrier to the use of mobile technology at their organization. When asked to identify the top concerns reported to them by clinicians, respondents were most likely to report concerns about the ability to properly secure data.
Means for Securing Data on Mobile Devices: Most respondents offer a variety of methods for securing data on mobile devices at their organizations. Passwords are the most widespread security device in place.
Medical Apps: Privacy and Security
The FDA Mobile Medical Applications Guidance for Industry and Food and Drug Administration Staff has now clarified which apps will be considered as “medical devices” and thus subject to FDA oversight and those which it will not regulate. In the United Sates, unlike in most other jurisdictions around the world, there is no privacy legislation that is applicable to the collection, use and disclosure of data, including healthcare data involved in the use of such consumer-facing apps (Subject to the oversight of the Federal Trade Commission in the event that the manner in which the app in fact manages the information is not in accordance with any statements made related to how it does so). The following insights will be helpful:
- Develop guidelines for developers, including standards for acceptance specific to healthcare that recognize the sensitive of mHealth data.
- Develop peer review standards for apps and software.
- Develop standards for proving efficacy (e.g. address what type of testing is required for a mobile app to demonstrate effectiveness in the manner in which clinical trials are required to do so for pharmaceuticals).
The security of apps is improving as a result of the numerous best practices, and guidelines that have been developed by various industry groups and associations2. Many of these best practices, guidelines and other standards address both privacy and security and are applicable to all types of personal data. They may be adapted to specifically apply to mHealth data:
- Adopt a privacy and security “by design” approach which builds privacy and security into the app from the beginning of the conceptual development phase
- Develop guidelines on securing PHI for software and hardware.
- Develop guidelines for transmitting and storing PHI.
- Develop testing requirement guidelines.
- Develop policies and procedures.
The United States is certainly not the only country in the world grappling with issues related to the privacy and security of mHealth data. While countries may take different approaches to such regulation, there is always something to be learned and/or adapted to the U.S. environment from such initiatives. In addition, it is prudent to proactively monitor and engage if required in discussions of such approaches to ensure that those that may negatively impact innovation in the mHealth community do not serve as the model for future U.S. regulation.