
5 Problems With Mobile Health App Security

MedpageToday

No federal agency has the power to properly regulate the fast-growing world of mobile health applications and telehealth systems, researchers said.

Therefore, Congress and federal agencies should work to address the gaps that have been identified in the privacy and security requirements that apply to the world of mobile and telehealth, according to several papers.

An estimated by 2015, according to industry reports. An increasing number of them transmit health information over a device or network. For example, glucose monitors send information to a doctor's office.

Video conferencing -- seen as a way to meet the demands of underserved populations -- often serves as a way to relay health information. "To realize telehealth's full potential, however, patients and providers must trust telehealth systems to keep personal information private and secure," wrote , chief technologist at the in Washington.

Hall -- along with , health policy professor at George Mason University in Fairfax, Va., and several co-authors -- outlined several security risks and privacy threats to telehealth and mobile apps.

1. Communications via telehealth services fall outside the realm of HIPAA -- the Health Insurance Portability and Accountability Act of 1996.

Threats to privacy from telehealth include a breach of confidentiality during collection or transmission of sensitive data, and distribution of untrusted software and hardware.

"Although we are unaware of direct harm to patients associated with a security flaw in a telehealth system, there have been academic demonstrations of such problems," . Furthermore, individuals may not be able to request copies of information collected by telehealth apps.

2. Device manufacturers and mobile app makers may be able to share patient information with third-party advertisers.

"Such collection, use, and disclosure of information may be beyond what patients reasonably expect given anticipated uses of the technology," Hall and others said.

Patients and providers may over-rely on consent forms, which can result in weak privacy protections.

3. Medical and consumer device software may contain security flaws or may come under attack from hackers.

Providers can avoid such problems by only accepting data from approved software.

"Because health apps are mainly used on portable devices such as smartphones and tablets that can easily be stolen, data collected by the apps are particularly at risk," Yang wrote.

4. Some network-enabled medical devices don't fit into the HITECH Act's security breach notification requirements.

The HITECH Act -- the Health Information Technology for Economic and Clinical Health Act of 2009 -- extends HIPAA protections to those who "create, receive, maintain, or transmit" identifiable health information.

However, consumers who use mobile apps outside a healthcare setting aren't "covered entities" and therefore aren't subject to HIPAA regulations, Yang and Hall noted.

5. Privacy laws outside of HIPAA may not apply to mobile health apps.

The Computer Fraud and Abuse Act of 1986 and the Electronic Communications Privacy Act of 1986 both bar the unauthorized interception of communications, but they may not apply to patient information and the private use of health apps, Yang and another co-author, , of Indiana University, in Indianapolis, .

A separate area -- one of neither security nor privacy -- that providers must concern themselves with is the medical liability issues associated with data collected from mobile apps.

For example, when it comes to patients monitoring their own health through mobile devices, precedent has been based on the direct contact made in a patient-physician relationship.

"Thus, there is no agreement as to what a doctor's liability would be if he or she injured a patient as the result of faulty or inaccurate information supplied by the patient," Yang wrote.